
Crooks Tap Google Firebase in Fresh Phishing Tactic


Cybercriminals are taking advantage of the Google name and the cloud to trick victims into handing over their login details.

A series of phishing campaigns using Google Firebase storage URLs have surfaced, showing that cybercriminals continue to leverage the reputation of Google’s cloud infrastructure to dupe victims and skate by secure email gateways.

Google Firebase is a mobile and web application development platform. Firebase Storage, meanwhile, provides secure file uploads and downloads for Firebase apps. Using the Firebase Storage API, companies can store data in a Google Cloud Storage bucket.

The phishing effort starts with spam emails that encourage recipients to click on a Firebase link inside the email in order to visit promised content, according to Trustwave researcher Fahim Abbasi, writing in an analysis released Thursday. If the targets click on the link, they’re taken to a supposed login page (mainly for Office 365, Outlook or banking apps) and prompted to enter their credentials – which of course are sent directly to the cybercriminals.

“Credential phishing is a real threat targeting corporates globally,” noted Abbasi. “Threat actors are finding smart and innovative ways to lure victims to covertly harvest their corporate credentials. Threat actors then use these credentials to get a foothold into an organization to further their malicious agendas.”

In this case, that “innovative way” is using the Firebase link.

“Since it’s using Google Cloud Storage, credential-capturing webpages hosted on the service are more likely to make it through security protections like Secure Email Gateways due to the reputation of Google and the large base of valid users,” Karl Sigler, senior security research manager, SpiderLabs at Trustwave, told Threatpost. “The use of cloud infrastructure is rising among cybercriminals in order to capitalize on the reputation and valid uses of those services. They tend to not be immediately flagged by security controls just due to the URL.”

Overall, the phishing messages are convincing, according to Trustwave, with only subtle imperfections that might tip off potential victims that there’s something wrong, such as a few poor graphics.

“Cybercriminals are constantly evolving their techniques and tools to covertly deliver their messages to unwitting victims,” Abbasi said. “In this campaign, threat actors leverage the reputation and service of the Google Cloud infrastructure to conduct phishing by embedding Google Firebase storage URLs in phishing emails.”

“Again, because of the valid uses and large user base of these services, many of these phishing emails can slip through the cracks of the security controls we put in place,” Sigler added. “Educating users about these tactics helps provide defence-in-depth against these techniques when they hit a victim’s inbox.”
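One way a mail filter could surface these links for review instead of trusting the Google hostname, as an added example (not code from Trustwave's analysis or from the original article). It assumes Firebase Storage download links use the host `firebasestorage.googleapis.com` with the path `/v0/b/<bucket>/o/<object>`; the function names, the sample message and the bucket name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: Firebase Storage download links use this host and the
# path layout /v0/b/<bucket>/o/<url-encoded object name>.
FIREBASE_HOST = "firebasestorage.googleapis.com"
PATH_RE = re.compile(r"^/v0/b/([^/]+)/o/(.+)$")
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)
# Objects that render as a web page, which a fake login form needs.
PAGE_EXTENSIONS = (".html", ".htm", ".shtml", ".xhtml")


def find_firebase_links(body):
    """Return one finding per Firebase Storage URL found in an email body."""
    findings = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;)")  # drop trailing sentence punctuation
        parts = urlsplit(url)
        if (parts.hostname or "").lower() != FIREBASE_HOST:
            continue  # exact host match only; other hosts are ignored here
        match = PATH_RE.match(parts.path)
        if not match:
            continue
        bucket, obj = match.group(1), unquote(match.group(2))
        findings.append({"url": url, "bucket": bucket, "object": obj,
                         "serves_page": obj.lower().endswith(PAGE_EXTENSIONS)})
    return findings


def should_quarantine(body):
    """Hold the message for review if any link serves a hosted web page."""
    return any(f["serves_page"] for f in find_firebase_links(body))


# Constructed sample message; the bucket and object names are invented.
SAMPLE = (
    "Your mailbox is almost full. Review here: "
    "https://firebasestorage.googleapis.com/v0/b/example-bucket.appspot.com"
    "/o/docs%2Flogin.html?alt=media&token=00000000 .\n"
    "Logo: https://firebasestorage.googleapis.com/v0/b/example-bucket.appspot.com"
    "/o/logo.png?alt=media\n"
    "Help: https://firebasestorage.googleapis.com.example.net/v0/b/x/o/a.html"
)

if __name__ == "__main__":
    print(find_firebase_links(SAMPLE))
    print("quarantine:", should_quarantine(SAMPLE))
```

Keying the decision on the object type rather than the hostname keeps ordinary Firebase-hosted images and attachments flowing while routing hosted HTML pages to review.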

Educate your employees with Security Awareness Training. They need to be taught about targeted phishing attacks, whether these arrive via emails regarding fake domains or carry a theme such as tax or flight refunds, COVID-19, an outstanding invoice, a package delivery, or any of a myriad of other stories like the one above.

With thanks to the Cyber Defence Alliance and Threatpost. The full story is here:

Request A Demo: Security Awareness Training


New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn’t a one-and-done deal: continuous training and simulated phishing are both needed to mobilise users as your last line of defence. Request your one-on-one demo of KnowBe4’s security awareness training and simulated phishing platform and see how easy it can be!

PS: Don’t like to click on redirected buttons? Cut & Paste this link in your browser:
