Phishing poses a real threat to companies around the world. Threat actors find clever and innovative ways to lure victims and covertly collect their company's data. Attackers then use the harvested credentials to gain a foothold in the organization and deliver their malware.
Recently we have observed a number of unusual phishing campaigns aimed at our clients around the world. Although these campaigns used ordinary phishing lures, what set them apart was the use of Google Firebase Storage URLs embedded in the phishing messages. In essence, the actors use Google's reputation and cloud infrastructure services to host their credential-phishing sites.
Google Firebase is a platform for developing mobile and web applications. Firebase Storage is backed by Google Cloud Storage and provides secure file uploads and downloads for Firebase apps. The Firebase Storage API lets you store data in a Google Cloud Storage bucket, a highly available, globally redundant storage solution.
Although this phishing campaign is small in scale, it appears to target a number of sectors and has also been caught by our spam traps. Some examples of the phishing messages used in this campaign are presented here. The main themes are: payment invoice, email account update, release of delayed messages, account verification, account errors, password change, etc.
Figure 1: Fraudsters use the COVID-19 pandemic and online banking as a pretext to trick victims into clicking on a fake merchant payment form that leads to a phishing site hosted on Firebase Storage.
Figure 2: Fake Microsoft Outlook mailbox phishing email lure, with a link to a phishing site on Firebase Storage.
Although the phishing messages seem quite convincing, they do have some subtle flaws, such as inconsistent fonts and poor-quality graphics.
Figure 3: A fake email account deactivation phishing email sent to victims to entice them to click on a link that takes them to the Office 365 phishing site on Firebase cloud storage.
Figure 4: Fake Microsoft Office 365 phishing lure, which traps the user by showing email messages waiting to be sent. When the victim clicks on the link, he/she is redirected to the Office 365 phishing page on Firebase Storage.
Figure 5: Fake Microsoft phishing message sent to victims, luring them to click the View button to view and release messages that have been quarantined on the mail server. Clicking the link takes the victim to a phishing site on Firebase Storage.
Figure 6: Office 365 phishing message, which asks the victim to release messages held on the mail server. When the victim clicks on the link, he or she is redirected to an Office 365 account phishing site on Firebase Storage.
In later iterations we saw the scope of the phishing expand from fake Microsoft Office 365 emails to fake bank emails, as shown in the figure below.
Figure 7: Fake Bank of America phishing email. When the victim clicks on the link, he/she is redirected to an Office 365 account phishing site on Firebase Storage.
Below are the final phishing landing pages, hosted on the Google Cloud Storage platform and accessed via Firebase Storage URLs. Most of these sites are variants of Microsoft Outlook and Office 365 phishing pages, which are mainly used to collect business data.
Figure 8: A fake Microsoft Office 365 account phishing landing page hosted in Google's cloud storage and accessed via Firebase Storage URLs.
Figure 9: A fake Microsoft Outlook account setup credential-phishing site hosted on Google's cloud storage and accessed via Firebase Storage URLs.
Figure 10: A fake Roundcube webmail account phishing site hosted in Google's cloud storage and accessed via Firebase Storage URLs.
Figure 11: A fake Bank of America phishing site hosted by Google to collect information about the victim.
Phishing is a real threat to both companies and individuals. Cybercriminals are constantly improving their methods and tools to covertly deliver their messages to unsuspecting victims. Credential phishing is often used as a starting point for various types of advanced attacks. In this campaign, threat actors use Google's reputation and cloud infrastructure service to carry out phishing attacks by embedding Google Firebase Storage URLs in phishing emails. This campaign is another example of how the bad guys use cloud infrastructure to host their phishing sites.
The Trustwave Secure Email Gateway (SEG) detects these phishing messages. We advise all users to be careful before clicking on URLs and to check their browser's address bar before submitting login details to any login form.
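A minimal triage check for the link pattern this campaign relies on, added here as an example and not Trustwave's detection logic: it finds Firebase Storage download URLs in a message body and flags those that point at an HTML object. The function names and the sample message are constructed, and a hit is a signal for review, since legitimate apps also use Firebase Storage.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

FIREBASE_HOST = "firebasestorage.googleapis.com"
URL_RE = re.compile(r"h(?:tt|xx)ps?://[^\s\"'<>]+", re.I)
OBJECT_RE = re.compile(r"^/v0/b/([^/]+)/o/(.+)$")

def refang(url):
    """Undo common defanging (hxxp, [.]) so the URL can be parsed."""
    return re.sub(r"^hxxp", "http", url, flags=re.I).replace("[.]", ".")

def classify(url):
    """Return a finding for a Firebase Storage link to an HTML object, else None."""
    try:
        parts = urlsplit(refang(url.rstrip(".,;)")))
        host = (parts.hostname or "").lower()
    except ValueError:          # e.g. stray brackets left in the host
        return None
    if host != FIREBASE_HOST:   # exact match, so look-alike hosts are ignored
        return None
    m = OBJECT_RE.match(parts.path)
    if not m:
        return None
    obj = unquote(m.group(2))   # object paths are URL-encoded (%2F for "/")
    if not obj.lower().endswith((".html", ".htm")):
        return None             # images and other app assets are not flagged
    return {
        "bucket": m.group(1),
        "object": obj,
        # alt=media makes the endpoint return the file itself, not JSON metadata
        "serves_content": parse_qs(parts.query).get("alt") == ["media"],
    }

def scan_body(body):
    """Classify every URL in a message body and keep the findings."""
    return [f for f in map(classify, URL_RE.findall(body)) if f]

# Constructed sample message; bucket names and token are placeholders.
SAMPLE_BODY = """\
Your mailbox is almost full. Review pending messages:
hxxps://firebasestorage[.]googleapis[.]com/v0/b/example-bucket.appspot.com/o/webmail%2Findex.html?alt=media&token=00000000-0000-0000-0000-000000000000
Logo: https://firebasestorage.googleapis.com/v0/b/example-app.appspot.com/o/logo.png?alt=media
Other: https://firebasestorage.googleapis.com.example.net/v0/b/x/o/index.html?alt=media
"""

if __name__ == "__main__":
    for finding in scan_body(SAMPLE_BODY):
        print(finding)
```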