Samples of phishing pages that have been used in this campaign.Īlthough some of the phishing pages used in these attacks are relatively basic and primitive, even these pages can target users in services such as AOL, Gmail, Box, Dropbox, Yahoo!, OneDrive, Office 365, Outlook, DocuSign, and even university and bank accounts.
As a result, the attacker can hide their malicious activities inside credible web traffic and use it to bypass these firewall of online services.įigure 2. and do not identify any sensitivity toward trusted services. In normal circumstances, the automatic defence systems of online service providers use an allow list to identify the address of legitimate services such as Dropbox, Google Drive, etc. Weaponizing third-party services instead of hosting malicious webpages is a new trend amongst cybercriminals, and it can be described as one of the low-cost and popular techniques of cyber attack among hackers.įor example, this method allows attackers to use the website address (URL) of GSC in order to evade the anti-spam/malware systems of email service providers. According to our investigation, this campaign is a part of a mass-distributed general phishing campaign and there is no evidence to confirm these cases are a part of a targeted attack or related to some special hacking group. The issue has increased significantly since the beginning of 2019, and we have identified more than 100 cases of GCS targeting users of various services in the first week of May 2019.
Our recent research in Certfa Lab shows that hackers are using Google Cloud Storage (GCS) to host phishing kits and redirect users to harmful pages on other websites.