Hackers found using Google Cloud to hide phishing attacks

Picture: IANS

Published Jul 21, 2020


Researchers at cybersecurity firm Check Point on Tuesday cited an instance when hackers used advanced features on Google Cloud Platform to host phishing pages and hide them.

Some of the warning signs that users generally look out for in a phishing attack include suspicious-looking domains, or websites without an HTTPS certificate.

However, by using well-known public cloud services such as Google Cloud or Microsoft Azure to host their phishing pages, the attackers can overcome this obstacle and disguise their malicious intent, improving their chances of ensnaring even security-savvy victims, Check Point said in a blog post.

"Hackers are swarming around the cloud storage services that we rely on and trust, making it much tougher to identify a phishing attack. Traditional red flags of a phishing attack, such as look-alike domains or websites without certificates, won't help us much as we enter a potential cyber pandemic," Lotem Finkelsteen, Check Point's Manager of Threat Intelligence, said in a statement.

"Users of Google Cloud Platform, even Amazon Web Services (AWS) and Azure users, should all beware of this fast-growing trend, and learn how to protect themselves. It starts by thinking twice about the files you receive from senders."

The Check Point researchers cited an example of a hacker using an advanced Google Cloud Platform feature, Google Cloud Functions, to orchestrate a sophisticated phishing attack, just like any other business would use it.

The researchers said that in January this year they came across an attack that started with a PDF document uploaded to Google Drive, which included a link to a phishing page.

The phishing page asked the user to log in with their Office 365 or organisation e-mail account.

When a user chooses one of the options, a pop-up window with the Outlook login page appears.

After the credentials are entered, the user is led to a real PDF report published by a renowned global consulting firm.

During all of these stages, the user never gets suspicious since the phishing page is hosted on Google Cloud.

However, viewing the phishing page's source code revealed that most of the resources are loaded from a website that belongs to the attackers, prvtsmtp[.]com.

The attackers then started using Google Cloud Functions, a service that allows code to be run in the cloud.

In this case, the resources in the phishing page were loaded from a Google Cloud Functions instance, so the page itself no longer exposed the attackers' own malicious domains.
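A defender's check for the pattern described above, as an added example that is neither Check Point's nor the article's own code: given a page's URL and HTML, it lists every resource or form-submission origin that differs from the origin the page is served from, so a login page hosted on a trusted cloud domain but pulling content from, or posting credentials to, somewhere else stands out. All domains in the sample are constructed placeholders, not indicators from the article.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch from, or submit to, a URL.
RESOURCE_ATTRS = {
    "script": ("src",), "link": ("href",), "img": ("src",),
    "iframe": ("src",), "form": ("action",),
}

class _RefCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.refs = []  # (tag, absolute URL) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in RESOURCE_ATTRS.get(tag, ()):
            if attrs.get(name):  # relative and '//' URLs resolve via urljoin
                self.refs.append((tag, urljoin(self.page_url, attrs[name])))

def origin(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()

def third_party_references(page_url, html):
    # Returns {origin: [tags]} for every target outside the hosting origin.
    collector = _RefCollector(page_url)
    collector.feed(html)
    host, found = origin(page_url), {}
    for tag, url in collector.refs:
        if origin(url) != host:
            found.setdefault(origin(url), []).append(tag)
    return found

def suspicious_login_page(page_url, html):
    # A credential form that submits to a different origin than the one
    # the page is served from is the strongest signal here.
    return any("form" in tags for tags in third_party_references(page_url, html).values())

# Constructed sample: page on a cloud storage domain, assets via a
# cloud-functions endpoint, credentials posted to a third-party host.
SAMPLE_URL = "https://storage.googleapis.com/constructed-bucket/login.html"
SAMPLE_HTML = """<link rel="stylesheet" href="/constructed-bucket/style.css">
<script src="https://us-central1-constructed-project.cloudfunctions.net/loader.js"></script>
<img src="//assets.constructed-attacker.test/outlook.png">
<form action="https://assets.constructed-attacker.test/collect"><input name="pw"></form>"""

if __name__ == "__main__":
    print(third_party_references(SAMPLE_URL, SAMPLE_HTML))
```

Run against a saved copy of a page under analysis; the same-origin stylesheet in the sample is deliberately not reported.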

The probe revealed that the attackers' domain resolved to a Ukrainian IP address.

Many other domains related to this phishing attack resolved to the same IP address, or to different ones on the same netblock, Check Point said.

Google suspended this particular project in January for phishing abuse, which also took down the phishing URL and every other URL associated with that project.

The researchers said that people need to be cautious with files received via e-mail from unknown senders, especially if the files prompt for an action the recipient would not usually take.

--IANS
