Fraudsters Use Free Google Services in Phishing CampaignsApproach Helps Hackers Circumvent Security Tools
Fraudsters are increasingly using free Google services to create more realistic phishing emails and malicious domains that circumvent security filters, the security firm Armorblox reports.
Using the Google services enables the fraudsters “to get their emails past security filters that block known bad links and domains," says Arjun Sambamoorthy, co-founder and head of engineering at Armorblox. "These attacks are more effective than standard phishing campaigns because Google's reputed URLs and domains allow these emails to get past security filters that block known bad links. Google's services are easy to use for everyone, which also means they lower the bar for attackers to launch phishing campaigns and host fake sites on Google."
Although phishing attacks that leverage Google services have been going on for a while, "we have noticed spikes that correlate with the increased adoption of remote work," Sambamoorthy tells Information Security Media Group.
These phishing attacks can be highly targeted toward certain types of victims. For instance, they can use fake payroll documents to target employees working in payroll departments who now work remotely. But other fraudsters use "spray and pray" tactics to target as many victims as possible and then leverage services such as Google Drive or Google Docs as part of their infrastructure (see: Phishing Scheme Uses Google Drive to Avoid Security: Report).
In addition to using Google services, fraudsters are leveraging other free cloud services to build phishing emails or host domains, the Armorblox researchers note. These include Microsoft OneDrive, Box, Dropbox, SendGrid, Webflow and Amazon Simple Email Service.
"These attacks leveraging Google services are part of a larger trend of attackers leveraging collaboration, storage and site-building software/tools to meet their nefarious ends," the Armorblox researchers says.
Armorblox researchers noticed fraudsters kwcweFUBF Google's free services during several recent campaigns that also used other well-known brand names.
In one case, a phishing email that impersonated American Express Customer Care was sent to victims, telling them that they did not provide some information while validating their card. The email included a malicious link for providing this information, according to the report. The link led to a phishing domain created using a Google Doc form. It asked the victim to fill out a short question and answer section. If they entered their email, the fraudsters then sent additional messages asking for more data.
In another case, the researchers found fraudsters using Firebase, Google's mobile platform that enables users to create apps, host files and images, and serve user-generated content. This has proven effective because the parent URL of the page - https://firebasestorage.googleapis.com - is not blocked by security filters, according to the report.
In the attacks using Firebase, a victim was asked to input credentials, which were then sent to the fraudsters and harvested for use later, the report notes.
In May, Trustwave's SpiderLabs found a similar scheme that used Google's Firebase storage service to harvest user credentials (see: Phishing Campaign Leverages Google to Harvest Credentials).
The Armorblox researchers also found phishing emails claiming to originate from a company's IT team that asked employees to review a secure message their colleagues had shared over the Microsoft Teams collaboration platform. By clicking the link, the potential victim was taken to a malicious domain designed to look like an Office 365 log-in page that was created with Google Sites, a wiki and web page creation tool, according to the report.
"The malice of the page’s intent was hidden behind the legitimacy of the page’s domain," the report staes. "This page would pass most eye tests during busy mornings - which is when the email was sent out - with people happily assuming it to be a legitimate Microsoft page."
Earlier this month, researchers with Area 1 Security uncovered a phishing campaign using a message saying that the recipient had been fired from their job.
The campaign was designed to plant two malware strains - Bazar and Buer - using the Trickbot botnet. The emails contained a link to a Google Doc that helped start loading malware onto a device if opened (see: Phishing Campaign Tied to Trickbot Gang).