New phishing campaigns tracked by Trustwave deploy schemes that harvest credentials by taking advantage of “the reputation and services” of Google Cloud’s Firebase mobile and web application development platform.
The bogus emails cut across industries and abuse Firebase Storage, Firebase’s file-hosting service backed by a Google Cloud Storage bucket: the phishing pages are uploaded there, and the emails embed the resulting download links, so the malicious URL sits on a legitimate Google domain while leading to a fake login page.
“While these campaigns used common phishing lures, what made them unique was the adoption of Google Firebase storage URLs embedded in the phishing messages,” Trustwave researcher Fahim Abbasi wrote in a blog post. “In effect, actors leverage the repute and services of Google Cloud’s infrastructure to host their phishing credential harvesting pages.”
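One way to act on that observation in a mail-filtering pipeline is to pull Firebase Storage download links out of message bodies and judge them by bucket and object path rather than by host reputation. The following is an added example written for this page, not Trustwave’s tooling or anything from the campaigns themselves; the URL layout is Google’s documented Firebase Storage download-link format, while the lure-word list, the allowlisted bucket name and the sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Firebase Storage download links have a fixed, documented shape:
#   https://firebasestorage.googleapis.com/v0/b/<bucket>/o/<url-encoded object path>?alt=media&token=<token>
# The host is Google's, so domain-reputation filters pass it; the bucket and
# object path are what actually identify the attacker's content.
FIREBASE_HOST = "firebasestorage.googleapis.com"
URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+")
OBJECT_RE = re.compile(r"^/v0/b/([^/]+)/o/(.+)$")

# Lure words matching the themes reported in the campaigns (constructed list).
LURE_WORDS = ("login", "signin", "office", "outlook", "verify", "invoice",
              "payment", "password", "upgrade", "release")
WEB_PAGE_EXT = (".html", ".htm", ".php", ".shtml")


def parse_firebase_storage_url(url):
    """Return {'bucket', 'object', 'token'} for a Firebase Storage download
    link, or None for any other URL (including other googleapis hosts)."""
    p = urlparse(url)
    if p.hostname != FIREBASE_HOST:
        return None
    m = OBJECT_RE.match(p.path)
    if not m:
        return None
    token = parse_qs(p.query).get("token", [None])[0]
    return {"bucket": m.group(1), "object": unquote(m.group(2)), "token": token}


def assess(url, trusted_buckets=frozenset()):
    """Classify one URL: 'ignore' (not Firebase Storage), 'allow' (bucket on
    the organisation's allowlist) or 'suspicious' with the reasons found."""
    info = parse_firebase_storage_url(url)
    if info is None:
        return ("ignore", [])
    if info["bucket"] in trusted_buckets:
        return ("allow", [])
    reasons = []
    obj = info["object"].lower()
    # A storage bucket serving a bare HTML page is the hallmark of this abuse:
    # legitimate Firebase apps serve pages from Hosting, not from Storage.
    if obj.endswith(WEB_PAGE_EXT):
        reasons.append("html page served from a storage bucket")
    hits = [w for w in LURE_WORDS if w in obj]
    if hits:
        reasons.append("lure words in object path: " + ", ".join(hits))
    if not reasons:
        reasons.append("Firebase Storage link from unknown bucket")
    return ("suspicious", reasons)


def scan_message(body, trusted_buckets=frozenset()):
    """Scan one message body and return (url, verdict, reasons) for every
    Firebase Storage link it contains; other URLs are skipped."""
    findings = []
    for url in URL_RE.findall(body):
        verdict, reasons = assess(url, trusted_buckets)
        if verdict != "ignore":
            findings.append((url, verdict, reasons))
    return findings


# Constructed sample messages; bucket names, paths and tokens are made up.
SAMPLE_MESSAGES = [
    "You have 3 messages pending release. Review them here: "
    "https://firebasestorage.googleapis.com/v0/b/mail-quarantine-4f2a.appspot.com"
    "/o/outlook%2Flogin.html?alt=media&token=0d9b3a1e-5c7f-4e88-9c1b-2a6f7d8e9f00",
    "COVID-19 vendor payment form attached: "
    "https://firebasestorage.googleapis.com/v0/b/vendor-portal-77.appspot.com"
    "/o/payment-form.html?alt=media&token=abc",
    "Internal release notes: https://firebasestorage.googleapis.com/v0/b/"
    "corp-app-prod.appspot.com/o/docs%2Fnotes.pdf?alt=media&token=xyz",
    "Thanks for your order, see https://example.com/invoice/123",
]

if __name__ == "__main__":
    # corp-app-prod.appspot.com stands in for a bucket the organisation owns.
    for body in SAMPLE_MESSAGES:
        for url, verdict, reasons in scan_message(body, {"corp-app-prod.appspot.com"}):
            print(verdict.upper(), url)
            for r in reasons:
                print("   -", r)
```

The allowlist matters: an organisation that uses Firebase legitimately will see its own bucket names in mail, so blocking the host outright is not an option, and keying the decision on the bucket is what separates its traffic from an attacker’s throwaway project.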
Abbasi provided examples of nine “major themes that include payment invoice, upgrade email account, release pending messages, verify account, account error, change password and the like.”
In one example, a fake Microsoft Office 365/Outlook phishing email is dressed up to look legitimate, complete with logos and themed colors, and asks users to log in to release emails supposedly stuck in transit on a server. The Google Firebase link takes visitors to a themed phishing page that replicates genuine Microsoft login pages.
“While the phishing messages seem quite convincing, some subtle imperfections exist such as variation in font and poor graphics, etc.,” Abbasi wrote.
Another scenario uses the Covid-19 pandemic and internet banking as a pretext to lure victims into clicking a fake vendor payment form, which leads to the phishing page hosted on Firebase Storage.