Organisations worldwide are under serious threat from credential phishing campaigns. With the continuing growth of cloud technologies, threat actors are finding more and more innovative ways to harvest victims’ company credentials, which are then used to gain a corporate foothold.
A recent campaign uses Google Firebase storage URLs to harvest the victims’ information. Firebase Storage is backed by Google Cloud Storage and provides secure uploads and downloads of files for Firebase apps. The URLs are embedded in the phishing emails.
While this campaign seems low in volume at the moment, it appears to target certain industries. The major lures include actions such as raising a payment invoice, upgrading an email account, releasing pending messages, verifying an account, changing a password and more.
Using the COVID-19 pandemic and internet banking as a pretext, scammers lure the victims into clicking on a fake vendor payment form leading to the phishing page hosted on Firebase Storage.
In another example, a fake account deactivation phishing email is sent to victims, prompting them to click a link which takes them to an Office 365 phishing page hosted on Firebase Cloud Storage.
In subsequent iterations of this scheme, fake bank emails are also sent to customers. The fake bank pages are likewise hosted on Google Firebase cloud storage, where customer and company information is harvested by scammers.
Credentials harvested as a result of phishing are often used as an initial trigger for launching more advanced attacks. This is another example of scammers leveraging cloud infrastructure for their phishing attacks.
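For mail filtering or triage, the embedded links described above can be pulled out of a message body and inspected. The following is an added example, not part of the original article: it assumes the standard Firebase Storage download-link layout (host `firebasestorage.googleapis.com`, path `/v0/b/<bucket>/o/<object>`), which the article does not spell out, and the sample message and the function name `find_firebase_links` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qs

# Assumption (not stated in the article): Firebase Storage download links use
# this host and the /v0/b/<bucket>/o/<object> path layout.
FIREBASE_HOST = "firebasestorage.googleapis.com"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
OBJECT_PATH_RE = re.compile(r"^/v0/b/([^/]+)/o/(.+)$")
WEB_PAGE_EXT = (".html", ".htm")

# Constructed sample message body; bucket names and token are placeholders.
SAMPLE_BODY = """Your mailbox will be deactivated. Verify your account:
https://firebasestorage.googleapis.com/v0/b/example-bucket.appspot.com/o/docs%2Fverify.html?alt=media&token=CONSTRUCTED
Logo: https://firebasestorage.googleapis.com/v0/b/example-bucket.appspot.com/o/logo.png?alt=media
Look-alike host: https://firebasestorage.googleapis.com.example.net/v0/b/x/o/a.html?alt=media
"""


def find_firebase_links(body):
    """Return one finding per Firebase Storage object URL in an email body."""
    findings = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;)")  # drop trailing sentence punctuation
        parts = urlsplit(url)
        # Exact hostname match, so look-alike hosts that merely start with
        # the Firebase name are not treated as Firebase Storage.
        if (parts.hostname or "").lower() != FIREBASE_HOST:
            continue
        match = OBJECT_PATH_RE.match(parts.path)
        if not match:
            continue
        bucket, obj = match.group(1), unquote(match.group(2))
        query = parse_qs(parts.query)
        findings.append({
            "url": url,
            "bucket": bucket,
            "object": obj,  # percent-decoded, e.g. docs%2Fverify.html
            # alt=media returns the file content itself rather than metadata,
            # so an .html object opened this way is a web page, not a download.
            "serves_html": obj.lower().endswith(WEB_PAGE_EXT)
                           and query.get("alt") == ["media"],
        })
    return findings


if __name__ == "__main__":
    for finding in find_firebase_links(SAMPLE_BODY):
        print(finding["serves_html"], finding["bucket"], finding["object"])
```

A `serves_html` hit is a triage signal rather than a verdict, since legitimate Firebase apps also link to stored files.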