Highlight:
Google’s cloud mobile and web application development platform, Firebase, exploited by threat actors.
Trustware has recently discovered new phishing campaigns that utilize schemes. These are the schemes that obtain credentials by playing an opportunist and gaining advantage of “the reputation and services” of Firebase, a Google Cloud mobile and web application development platform.
How does this operate?
The fraudulent emails cut through industries to take control of the Firebase’s data storage API in a Google Cloud Storage bucket and secretly keep malicious URLs in phishing emails, which then direct users to fraudulent pages.
Fahim Abbasi, a researcher at Trustware, spoke about these phishing campaigns in his blog post and mentioned, while these campaigns deployed common phishing baits, the adoption of Google Firebase storage URLs made them look unique and authentic. He added, actors have taken undue advantage of Google’s reputation and cloud infrastructure to carry out phishing credential harvesting pages.
Additionally, Abbasi also presented about nine examples with major themes of the phishing campaigns, which include release pending messages, payment invoice, verify account, upgrade email account, change password, account error, and several other similar to these.
In an elaborate example, Abbasi explained how a fake Microsoft Office 365 phishing email was perfected to look legitimate, complete with the use of the company logo combined with themed colors asking email users to log in and release emails stuck in transit from a server.
Additionally, the Firebase link directs visitors to a themed phishing page that flawlessly appears like official Microsoft login pages.
Abbasi also mentioned a few flaws in the extremely convincing looking phishing emails that come with subtle imperfections such as variation in font and poor quality graphics.
In the wake of the COVID-19 pandemic, threat actors are also luring users by convincing them to click on fraudulent vendor payment forms that lead the victim to the phishing page hosted on Firebase Storage.