Phishing campaign aimed at stealing Office 365 logins abuses Google Cloud Services

Pierluigi Paganini July 21, 2020

Cybercriminals are increasingly leveraging public cloud services such as Google Cloud Services in phishing campaigns against Office 365 users.

Cybercriminals are increasingly abusing cloud services, such as Google Cloud Services, to arrange phishing campaign aimed at stealing Office 365 logins

Fraudsters use to host phishing pages on multiple cloud services and trick victims into landing on them.

Researchers at Check Point published a report that details a campaign that relied on Google Drive to host a malicious PDF document and Google’s “storage.googleapis[.]com” to host the phishing page.

Using well-known cloud services such as Google Cloud or Microsoft Azure, threat actors could easily bypass defense measures set up by the target organizations.

The attack chains started with a PDF document that was uploaded to Google Drive, and included a link to a phishing page.

The phishing page used in this campaign was hosted on storage.googleapis[.]com/asharepoint-unwearied-439052791/index.html, it was designed to trick victims into providing their Office 365 logins or organization e-mail.

Upon choosing one of the login options, a pop-up window with the Outlook login page is displayed to the victims. Once the credentials were entered, the user is redirected to a real PDF report published by a renowned global consulting firm.

“During all of these stages, the user never gets suspicious since the phishing page is hosted on Google Cloud Storage. However, viewing the phishing page’s source code has revealed that most of the resources are loaded from a website that belongs to the attackers, prvtsmtp[.]com” states the report.

Google phishing

According to the researchers, in more recent attacks crooks started leveraging Google Cloud Functions service, which allows running code in the cloud. Using this technique, attackers can load the resources for the phishing page without revealing their domain.

“Investigating prvtsmtp[.]com showed that it resolved to a Ukrainian IP address (31.28.168[.]4). Many other domains related to this phishing attack resolved to the same IP address, or different ones on the same netblock” continues the report. “

This gave us an insight into the attackers’ malicious activity over the years and allowed us to see how they have been developing their campaigns and introducing new techniques. For example, we saw that back in 2018, the attackers used to host the phishing pages on the malicious websites directly. Later on, and before switching to Google Cloud Storage, the attackers took advantage of Azure Storage to host the phishing pages:”

The discovery allowed the experts to trace the attackers’ activity back to to 2018 when they hosted the phishing pages directly on a malicious website before switching to Azure Storage, and later moving to Google Cloud.

“This incident highlights the efforts that scammers and criminals will make to conceal their malicious intentions, and to trick even security-savvy users.” concludes the report.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Office 365)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment