Phishing attacks hiding in Google Cloud to steal Microsoft account credentials

By hosting phishing pages at a legitimate cloud service, cybercriminals try to avoid arousing suspicion, says Check Point Research.

Phishing campaigns often attempt to evade detection not only by impersonating well-known companies and brands but by storing their malicious content on a legitimate website. The idea is that such phishing pages will better elude detection by security products and more easily ensnare unsuspecting victims. A recent phishing attack analyzed by cyber threat intelligence provider Check Point Research is using Google Cloud services to conceal its malicious intent.

In a blog post published Tuesday, Check Point reported that this particular campaign begins with a PDF file uploaded to Google Drive. Built to resemble a Microsoft SharePoint notice, the PDF contains an "Access Document" link that takes the user to the actual phishing page.

This phishing page is hosted on a domain called storage.googleapis.com, a site that's often exploited by hackers for phishing campaigns and other malware. Using the name and branding of SharePoint Online, the phishing page asks the user to sign in with their Office 365 credentials or their organization's ID. Choosing either option takes the person to a popup login window prompting them to log in with their Microsoft Outlook email and password.

After signing in, the user is shown an actual PDF report published by a global consulting firm. This last piece gives people the impression that they've signed into a legitimate service through which they've received useful or valuable information.

[Figure: phishing-scam-google-cloud-check-point.jpg. Image: Check Point Research]

Through the entire journey from the initial PDF document to the final PDF report, the campaign appears to be convincing, especially because the phishing page is hosted on Google Cloud. Exploiting cloud services this way has become a more popular tactic among cybercriminals. Because such services typically are used for legitimate purposes, both victims and security administrators have trouble identifying and catching these attacks.

In this case, however, Google learned of and suspended this project for phishing abuse in January 2020. The URL was taken offline as were all URLs associated with the campaign.

To protect your organization from these types of phishing attacks, Check Point offers the following tips for users and for security administrators:

For users

  1. Beware of lookalike domains, spelling errors in emails or websites, and unfamiliar email senders.
  2. Be cautious with files received via email from unknown senders, especially if they prompt you for a certain action you would not usually perform.
  3. Ensure that you are ordering goods from an authentic source. One way to do this is NOT to click on promotional links in emails. Instead, search for your desired retailer and click the link from the Google results page.
  4. Beware of "special" offers.
  5. Do not reuse passwords between different applications and accounts.

For administrators

  1. Prevent zero-day attacks with end-to-end cyber architectures.
  2. Block deceptive phishing sites.
  3. Provide alerts on password reuse in real time.
  4. Remember that your users' mailboxes are the front door into your organization, so consider using email security measures as well.
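The administrator tips above ("Block deceptive phishing sites") can be turned into a simple triage rule for the pattern this campaign used: Microsoft-branded sign-in wording served from a generic cloud-storage host rather than from Microsoft's own login domain. The script below is an added illustration written for this article, not Check Point's tooling or a published detection signature. The log lines are constructed, the host list (storage.googleapis.com from the write-up, plus an assumed drive.google.com), the brand and login keyword lists, and the legitimate-login-host list are all assumptions to tune for your own environment.

```python
"""Flag URLs that put Microsoft-branded login lures on generic cloud-storage hosts.

Added example for illustration: log lines are constructed and every list below
is an assumption, not a vendor-published rule.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hosts that serve arbitrary user-uploaded content (assumption: extend for your environment).
CLOUD_STORAGE_HOSTS = {
    "storage.googleapis.com",  # the host named in the Check Point write-up
    "drive.google.com",        # Google Drive share links (assumed host name)
}

# Brand words an attacker reuses to imitate a Microsoft sign-in flow (assumption).
MICROSOFT_BRAND_TERMS = ("sharepoint", "office365", "office-365", "o365", "outlook", "microsoft")

# Words that signal a credential prompt rather than a plain shared document (assumption).
LOGIN_TERMS = ("login", "signin", "sign-in", "auth", "password")

# Where Microsoft sign-in pages legitimately live (assumption: extend for your tenant).
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


@dataclass
class Finding:
    line_no: int
    url: str
    reasons: list[str]


def assess_url(url: str) -> list[str]:
    """Return the reasons a URL looks like a cloud-hosted Microsoft credential lure.

    An empty list means the rule has nothing to say about the URL.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = (parsed.path + "?" + parsed.query).lower()
    reasons: list[str] = []
    if host in LEGIT_LOGIN_HOSTS:
        return reasons  # genuine Microsoft sign-in host: out of scope for this rule
    if host in CLOUD_STORAGE_HOSTS:
        brand_hits = [t for t in MICROSOFT_BRAND_TERMS if t in path]
        login_hits = [t for t in LOGIN_TERMS if t in path]
        if brand_hits:
            reasons.append(f"Microsoft branding on cloud-storage host {host}: {brand_hits}")
        if login_hits:
            reasons.append(f"credential-prompt wording on cloud-storage host {host}: {login_hits}")
    return reasons


def scan_log(lines: list[str]) -> list[Finding]:
    """Return a Finding for every log line containing a URL that triggers at least one reason."""
    findings: list[Finding] = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            reasons = assess_url(url)
            if reasons:
                findings.append(Finding(n, url, reasons))
    return findings


# Constructed proxy-log lines for demonstration (not real traffic).
SAMPLE_LOG = [
    "2020-01-14T09:12:01Z user=alice GET https://login.microsoftonline.com/common/oauth2/authorize?client_id=EXAMPLE",
    "2020-01-14T09:13:44Z user=bob GET https://storage.googleapis.com/example-bucket/sharepoint-online/login.html",
    "2020-01-14T09:15:02Z user=carol GET https://storage.googleapis.com/example-bucket/q3-report.pdf",
    "2020-01-14T09:16:30Z user=dave GET https://drive.google.com/file/d/EXAMPLEID/view",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"line {finding.line_no}: {finding.url}")
        for reason in finding.reasons:
            print(f"  - {reason}")
```

Run against the sample, only the second line is reported: a Google Cloud Storage URL whose path carries both SharePoint branding and a login page name. The genuine Microsoft login on line 1, the plain PDF on line 3, and the ordinary Drive share on line 4 pass. Findings like this are review candidates, not automatic blocks: the same heuristic would flag a legitimately shared SharePoint how-to guide, so pair it with the password-reuse alerting and mailbox-level controls the article recommends.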
