A series of phishing campaigns using Google Firebase storage URLs have surfaced, showing that cybercriminals continue to leverage the reputation of Google’s cloud infrastructure to dupe victims and skate by secure email gateways.
Google Firebase is a mobile and web application development platform. Firebase Storage meanwhile provides secure file uploads and downloads for Firebase apps. Using the Firebase storage API, companies can store data in a Google cloud storage bucket.
The phishing effort starts with spam emails that encourage recipients to click on a Firebase link inside the email in order to visit promised content, according to Trustwave researcher Fahim Abbasi, writing in an analysis released Thursday. If the targets click on the link, they’re taken to a supposed login page (mainly for Office 365, Outlook or banking apps) and prompted to enter their credentials – which of course are sent directly to the cybercriminals.
“Credential phishing is a real threat targeting corporates globally,” noted Abbasi. “Threat actors are finding smart and innovative ways to lure victims to covertly harvest their corporate credentials. Threat actors then use these credentials to get a foothold into an organization to further their malicious agendas.”
In this case, that “innovative way” is using the Firebase link.
“Since it’s using Google Cloud Storage, credential-capturing webpages hosted on the service are more likely to make it through security protections like Secure Email Gateways due to the reputation of Google and the large base of valid users,” Karl Sigler, senior threat intelligence manager, Spiderlabs at Trustwave, told Threatpost. “The use of cloud infrastructure is rising among cybercriminals in order to capitalize on the reputation and valid uses of those services. They tend to not be immediately flagged by security controls just due to the URL.”
The campaigns were circulating globally, across a range of industries, but the majority of the “hits” have been in Europe and Australia, Sigler said.
“Most of the emails we saw were from late March through the middle of April, but we’ve seen samples as a part of this campaign as far back as February and as recently as mid-May,” he added. “While these tactics of piggy-backing on valid cloud services likely go back to the days those services were invented, this is a current and active trend.”
Major themes for the lures include payment invoices, exhortations to upgrade email accounts, prompts to release pending messages, urging recipients to verify accounts, warnings of account errors, change-password emails and more. In one case, “scammers used the Covid-19 pandemic and internet banking as an excuse to lure the victims into clicking on the fake vendor payment form that leads to the phishing page hosted on Firebase Storage,” according to the analysis.
Overall, the phishing messages are convincing, according to Trustwave, with only subtle imperfections that might tip off potential victims that there’s something wrong, such as a few poor graphics.
“Cybercriminals are constantly evolving their techniques and tools to covertly deliver their messages to unwitting victims,” Abbasi said. “In this campaign, threat actors leverage the reputation and service of the Google Cloud infrastructure to conduct phishing by embedding Google firebase storage URLs in phishing emails.”
Using Google to lend an air of legitimacy is an ongoing trend. Earlier this year, an attack surfaced that uses homographic characters to impersonate Google domain names and launch convincing but malicious websites. And last August, a targeted spearphishing campaign hit an organization in the energy sector – after using Google Drive to get around the company’s Microsoft email security stack. The campaign impersonated the CEO of the targeted company, sending email via Google Drive purporting to be “sharing an important message” with the recipients.
“Again, because of the valid uses and large user base of these services, many of these phishing emails can slip through the cracks of the security controls we put in place,” Sigler added. “Educating users about these tactics helps provide defense-in-depth against these techniques when they hit a victim’s inbox.”
Concerned about the IoT security challenges businesses face as more connected devices run our enterprises, drive our manufacturing lines, track and deliver healthcare to patients, and more? On June 3 at 2 p.m. ET, join renowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE webinar, Taming the Unmanaged and IoT Device Tsunami. Get exclusive insights on how to manage this new and growing attack surface. Please register here for this sponsored webinar.