Google, the world’s largest tech giant, has yet again been targeted by threat actors. Intruders are using a Google service to target commercial enterprises. Security analysts have come across a series of phishing campaigns that have been using Google Firebase storage URLs to exploit the cloud services.
Cybercriminals are targeting such services mainly so that they can leverage Google’s cloud infrastructure to dupe victims and bypass secure email gateways.
What is Google Firebase?
Google Firebase is an online web application development platform that provides tools developed by Google to enhance app quality and grow business. Firebase Storage facilitates secure file uploads and downloads for Firebase-based applications. With the Firebase Storage API, companies can store data in a Google Cloud Storage bucket.
Phishing campaign on Firebase!
According to Trustwave security researcher Fahim Abbasi, writing in an analysis publicly released Thursday, the attack starts with a spam phishing email that encourages recipients to click on a Firebase link included in the email, which supposedly leads to the promised content. If the user clicks on the link, they are redirected to a phishing login page, mainly imitating Office 365, Outlook, or banking apps. Users are prompted to enter their credentials, which are then sent to the cybercriminals.
Security personnel further noted, “User credential phishing is a severe threat targeting enterprises globally.” The digital world has evolved to its peak. Hackers are finding smart and innovative ways to lure victims and harvest their corporate credentials. They then use the collected data to pursue their malicious agendas.
According to Karl Sigler, senior security research manager, hackers are using Google Cloud Storage as an intermediary for credential capture.
Google Cloud Services uses security protections such as Secure Email Gateways to ensure that users are legitimate. After all, Google cannot compromise its renowned reputation. The exponential growth in the use of cloud infrastructure has resulted in a sharp rise in its use among cybercriminals. Hackers use such services to capitalize on the prestigious status of the enterprises. Security controls are unable to immediately flag the content because of its URL.
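A mail-filter check for the pattern described above, as an added example rather than code from Trustwave or Google: it extracts Firebase Storage links from a message body and flags those that point at a browser-rendered object. The verdict policy, the extension list and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

FIREBASE_HOST = "firebasestorage.googleapis.com"   # Firebase Storage download host
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)
# Download URLs look like /v0/b/<bucket>/o/<url-encoded object name>?alt=media&token=...
PATH_RE = re.compile(r"^/v0/b/([^/]+)/o/(.+)$")
# Assumption: objects a browser renders as a page are the risky ones.
RENDERED_EXT = (".html", ".htm", ".shtml", ".svg")

def firebase_links(body):
    """Return one finding per Firebase Storage URL found in an email body."""
    findings = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;")                      # drop sentence punctuation
        try:
            parts = urlsplit(url)
        except ValueError:                           # malformed URL, nothing to classify
            continue
        # Exact host match: look-alike hosts and userinfo tricks do not count.
        if (parts.hostname or "").lower() != FIREBASE_HOST:
            continue
        m = PATH_RE.match(parts.path)
        bucket = m.group(1) if m else None
        obj = unquote(m.group(2)) if m else ""
        findings.append({"url": url, "bucket": bucket, "object": obj,
                         "rendered": obj.lower().endswith(RENDERED_EXT)})
    return findings

def verdict(body):
    """Hypothetical policy: quarantine rendered pages, review other objects."""
    hits = firebase_links(body)
    if any(h["rendered"] for h in hits):
        return "quarantine"
    return "review" if hits else "pass"

# Constructed sample bodies (bucket names and token are placeholders).
PHISH = ('Your mailbox is full. <a href="https://firebasestorage.googleapis.com'
         '/v0/b/example-bucket.appspot.com/o/docs%2Findex.html?alt=media'
         '&token=00000000-0000-0000-0000-000000000000">Release messages</a>')
SHARED_PDF = ("Report: https://firebasestorage.googleapis.com/v0/b/"
              "example-bucket.appspot.com/o/report.pdf?alt=media.")
LOOKALIKE = "Open https://firebasestorage.googleapis.com.example.net/v0/b/x/o/a.html"

if __name__ == "__main__":
    for name, body in (("phish", PHISH), ("pdf", SHARED_PDF), ("lookalike", LOOKALIKE)):
        print(name, verdict(body), [h["object"] for h in firebase_links(body)])
```

Matching on the parsed hostname rather than a substring keeps look-alike domains from being treated as Firebase links; those still need the gateway's normal reputation checks.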
The campaigns are widely circulated across the world, targeting everything from the largest enterprises to small-scale businesses. The campaign has mainly hit parts of Europe and Australia.
Most of the emails were sent from late March to the middle of April, while some of the samples were collected in February and later thoroughly researched. The email content typically includes payment invoices, urgings to upgrade email accounts, prompts to release pending messages, requests that recipients verify accounts, various account errors, changes of user credentials, and more. In addition, one reported case involved scammers using the Covid-19 pandemic and internet banking as lures to get ordinary users to click on a fake payment form, which could further escalate the security privileges.
An example of a phishing email using Firebase.
Overall, the phishing messages are very convincing. According to Trustwave, the only subtle flaw that might alert potential victims is the use of a few deficient graphic components.
“Cybercriminals are constantly evolving their techniques and tools to covertly deliver their messages to unwitting victims,” Abbasi said. “In this campaign, threat actors leverage the reputation and service of the Google Cloud infrastructure to conduct phishing by embedding Google firebase storage URLs in phishing emails.”
Using Google to borrow legitimacy has been an ongoing trend. Earlier this year, an attack was encountered that used homographic characters to mimic Google domain names. Further, last August, a targeted spearphishing campaign hit an organization in the energy sector. It used Google Drive to get around the Microsoft email security stack. It pretended to be hazardous. The campaign impersonated the CEO of the targeted company, sending email through Google Drive that purported to be “sharing an important message” with the recipient.
Security personnel concluded that the many legitimate uses of such services could trick users into trusting dynamically crafted phishing emails, which may later result in a significant data breach. Last but not least, educating users about these tactics and traits helps provide security-in-depth against these methods when they land in a victim’s inbox.