Evasive phishing campaign hid inside Google cloud services
A new report by Check Point Software Technologies revealed attackers were abusing Google Cloud Functions to hide their phishing links within public cloud services.
While threat actors have abused public cloud services in the past, a new phishing campaign has made detection that much harder.
New research by Check Point Software Technologies revealed that attackers using public cloud services to host phishing pages are taking it a step further by taking advantage of advanced services such as Google Drive and Google Cloud Functions. The security vendor this week published a blog detailing the new technique, which they observed in an attack in January.
The attack used a PDF, hosted on Google Drive, that included a malicious link disguised as a Microsoft SharePoint document that asked the user to log in with their Office 365 credentials or organization's email. "During all of these stages, the user never gets suspicious since the phishing page is hosted on Google Cloud Storage," Check Point wrote in the blog.
Check Point has observed and reported on the trend of threat actors using public cloud services to host their phishing pages several times over the past year, said Lotem Finklestein, manager of threat intelligence at Check Point. Typical warning signs in a phishing attack include suspicious-looking domains or websites without an HTTPS certificate.
"However, by using well-known public cloud services such as Google Cloud or Microsoft Azure to host their phishing pages, the attackers can overcome this obstacle and disguise their malicious intent, improving their chances of ensnaring even security-savvy victims," Check Point wrote in the blog.
The most recent attack observed by Check Point revealed an even deeper issue for phishing threats that extends beyond the threat of hiding in cloud service providers: the abuse of Google Cloud Functions, which gives users an execution environment for building and connecting cloud services.
Finklestein said this is the first time Check Point has detected the use of Google Cloud Functions in a phishing campaign, which he said made the campaign more dynamic and evasive.
"Just by using Functions, they could import different content into their phishing pages and constantly change them," he said. "So if Check Point, or any other security vendor, would detect a specific page then by its form or its structure, then they could quickly change it to evade any protection. By hosting their pages on cloud services, the link and the address of the phishing page is actually Google Cloud Storage or Google Drive, but you get something else that has nothing to do with Google."
For example, the blog details a Microsoft 365 attack that Check Point observed. "In more recent attacks, even sharp-eyed, savvy users might miss this, as the attackers started using Google Cloud Functions, a service that allows the running of code in the cloud. In this case, the resources in the phishing page were loaded from a Google Cloud Functions instance without exposing the attackers' own malicious domains," Check Point wrote in the blog.
By doing so, attackers can bypass many security protections such as reputation checks for URLs.
While cloud service providers have added detection features over the years to find and eliminate malicious links lurking within their services, Finklestein said there is not much that Google and other cloud providers can do for this kind of phishing attack. The only way to see the real threat is by analyzing the page's source code, which is how Check Point researchers discovered this particular campaign's malicious URLs.
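The source-level inspection described above can be automated on the defender's side. The following Python is an added example, not Check Point's tooling: it flags a page served from cloud storage that pulls resources from a Cloud Functions host and asks for a password. The hostnames `storage.googleapis.com` and `*.cloudfunctions.net` are assumptions (the article names no URLs), and the sample page is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed hostnames (not given in the article): public Google Cloud Storage
# and the default domain for HTTP-triggered Cloud Functions.
STORAGE_HOSTS = ("storage.googleapis.com",)
FUNCTIONS_SUFFIX = ".cloudfunctions.net"

class ResourceCollector(HTMLParser):
    """Collect resource URLs and note whether a password field exists."""
    URL_ATTRS = {"script": "src", "link": "href", "img": "src",
                 "iframe": "src", "form": "action"}

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []
        self.has_password_field = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = self.URL_ATTRS.get(tag)
        if attr and attrs.get(attr):
            # Resolve relative references against the page URL.
            self.resources.append(urljoin(self.base_url, attrs[attr]))
        if tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.has_password_field = True

def analyze_page(page_url, html):
    """Return findings for one fetched page and its HTML source."""
    parser = ResourceCollector(page_url)
    parser.feed(html)
    page_host = (urlparse(page_url).hostname or "").lower()
    fn_hosts = sorted({h for h in (urlparse(u).hostname for u in parser.resources)
                       if h and h.endswith(FUNCTIONS_SUFFIX)})
    on_storage = (page_host in STORAGE_HOSTS
                  or page_host.endswith(".storage.googleapis.com"))
    return {
        "hosted_on_cloud_storage": on_storage,
        "cloud_function_hosts": fn_hosts,
        "has_password_field": parser.has_password_field,
        "suspicious": on_storage and bool(fn_hosts) and parser.has_password_field,
    }

# Constructed sample page (placeholder bucket and project names).
SAMPLE_URL = "https://storage.googleapis.com/example-bucket/index.html"
SAMPLE_HTML = """<html><head>
<script src="https://us-central1-example-project.cloudfunctions.net/assets"></script>
</head><body><form action="/example-bucket/submit">
<input type="email" name="u"><input type="password" name="p"></form></body></html>"""
```

A hit is a triage signal for an analyst, not a verdict: legitimate sites can also combine cloud storage hosting with Cloud Functions back ends.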
"Cloud providers can't do much because if they would inspect everything that sits in their platforms, they might violate the privacy of the users," Finklestein said. "Only a small portion of users are threat actors and doing malicious stuff, so I don't think it is [cloud service providers'] job to do that."
Check Point alerted Google to the phishing campaign and the cloud provider blocked all activity and URLs associated with the threat actors, he said.
Phishing campaigns hiding in public cloud services have been detected by other security vendors and threat researchers recently. In July of 2019, Cyren, a SaaS security provider, published a report about the evasion techniques used by phishing-as-a-service offerings. According to the report, the tactic of hosting phishing domains on public cloud services has "grown significantly" this year.