Phishing attack hid in Google Cloud Services


Details of a phishing attack concealed in Google Cloud Services point to a fast-growing trend that has hackers disguising malicious activities in cloud service providers.

In a report released today, researchers at Check Point unravel, step-by-step, how even security-savvy professionals could be tricked by a well-disguised ruse, which kicked off with a PDF document containing a malicious link and uploaded to Google Drive. While Google ultimately suspended this particular hacker project and its URL as phishing abuse (as well as all associated URLs), it’s unclear how much damage might have been inflicted before being discovered.

This latest discovery sheds light onto hackers’ new techniques deployed in their arsenal, and how they’ve evolved from directly hosting phishing pages on malicious websites in 2018, followed later by the hijacking of Google Cloud Storage and Azure Storage to hold their malware-laden payloads.

“The attackers in this case seem to be taking advantage of different cloud storage services, a technique that has been gaining popularity due to the difficulties involved in detecting it,” researchers said. “Because such services usually have legitimate uses and do not appear suspicious, both victims and network administrators have more difficulty identifying and fending off such attacks.”

In the attack detailed in the report, the phishing page asked users to login with their Office 365 or organization’s e-mail.

After entering credentials, they were then led to a real PDF report published by a renowned global consulting firm. At this point, everything seemed legitimate because the interface appears to be through Google Cloud Storage.

However, source code showed most of the resources were loaded from a website that belongs to the attackers, prvtsmtp[.]com.

Hackers kept up the pretense by wrapping their spoof with Google Cloud Functions, allowing code to be run in the cloud without exposing the attackers’ own malicious domains emanating from a Ukrainian IP address.

“This gave us an insight into the attackers’ malicious activity over the years and allowed us to see how they have been developing their campaigns and introducing new techniques,” Check Point said. Often lookalike domains and spelling errors in emails or websites are red flags that delivered content should not be opened to prevent future damage, CheckPoint noted, adding that targeted phishing schemes steal $300 billion from businesses every month.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.