Businesses around the world are under serious threat from credential phishing campaigns. With the continued growth of cloud technologies, threat actors are finding more and more innovative ways to collect business credentials from victims, which they then use to gain a foothold in the business.
A recent campaign uses Google Firebase Storage URLs to collect information from victims. Firebase Storage is backed by Google Cloud Storage and provides secure file uploads and downloads for Firebase applications. The URLs are embedded in phishing emails.
Although this campaign currently appears to be low volume, it seems to target certain industries. The main lures include actions such as increasing the payment bill, upgrading the email account, releasing pending messages, checking the account, changing the password, etc.
A phishing attack
Using the COVID-19 pandemic and Internet banking as a pretext, scammers trick victims into clicking on a fake vendor payment form that leads to a phishing page hosted on Firebase Storage.
In another example, a fake account deactivation phishing email is sent to victims, inviting them to click a link that takes them to an Office 365 phishing page hosted on Firebase Cloud Storage.
In later versions of this campaign, fake bank emails are also sent to customers. The fake bank pages are also hosted on Google Firebase cloud storage, where customer/business information is collected by scammers.
The credentials collected as a result of phishing are often used as the starting point for more advanced attacks. This is another example of scammers abusing cloud infrastructure for their phishing attacks.
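A detection sketch for the technique described above, added here as an example that is not part of the original article: it scans a message body for Firebase Storage download links and flags those that point at an HTML object. The host name and `/v0/b/<bucket>/o/<object>` path layout are the standard Firebase Storage download format rather than values quoted in the article, and the sample message, bucket name and token are constructed.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: standard Firebase Storage download host and path layout
# (/v0/b/<bucket>/o/<url-encoded object>); the article does not quote a URL.
FIREBASE_HOST = "firebasestorage.googleapis.com"
OBJECT_PATH = re.compile(r"^/v0/b/(?P<bucket>[^/]+)/o/(?P<object>.+)$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
PAGE_EXTENSIONS = (".html", ".htm", ".shtml")  # objects a browser renders as a page

# Constructed sample message: bucket, object names and token are placeholders.
SAMPLE_BODY = """\
Release pending messages:
<a href="https://firebasestorage.googleapis.com/v0/b/example-project.appspot.com/o/mail%2Findex.html?alt=media&amp;token=00000000-0000-0000-0000-000000000000">Review</a>
Logo: https://firebasestorage.googleapis.com/v0/b/example-project.appspot.com/o/logo.png?alt=media
Help: https://firebasestorage.googleapis.com.example.net/v0/b/x/o/a.html
"""

def find_firebase_links(body: str) -> list[dict]:
    """Return one record per Firebase Storage object link found in the body."""
    findings = []
    # HTML mail encodes '&' as '&amp;' inside href attributes; decode first.
    for raw in URL_RE.findall(html.unescape(body)):
        url = raw.rstrip(".,;)")
        try:
            parts = urlsplit(url)
            host = (parts.hostname or "").lower()
        except ValueError:  # malformed netloc, e.g. unbalanced IPv6 brackets
            continue
        match = OBJECT_PATH.match(parts.path)
        # Exact host comparison: lookalike hosts that merely start with the
        # Firebase name are not Firebase Storage and are handled elsewhere.
        if host != FIREBASE_HOST or not match:
            continue
        obj = unquote(match.group("object"))
        findings.append({
            "url": url,
            "bucket": match.group("bucket"),
            "object": obj,
            "renders_as_page": obj.lower().endswith(PAGE_EXTENSIONS),
            "direct_download": parse_qs(parts.query).get("alt") == ["media"],
        })
    return findings

def flag_hosted_pages(body: str) -> list[str]:
    """URLs worth quarantining or sandboxing: HTML served from Firebase Storage."""
    return [f["url"] for f in find_firebase_links(body) if f["renders_as_page"]]
```

`renders_as_page` is a triage signal rather than a verdict, since legitimate applications also serve files from Firebase Storage; pair it with sender reputation or sandbox detonation before blocking.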