We’re not new to Phishing attacks. These are cyber scams where attackers impersonate trusted entities via emails, texts, or calls to trick users into revealing sensitive data like passwords, credit card info, and others. In one such instance, trusted Google Services became the center of a phishing scam campaign once again. It tricks users into clicking on malicious links and giving away their login details.
New phishing scam campaign impersonates trusted Google Services
In a fresh report, cybersecurity researchers from Check Point reveal that scammers sent nearly 9,400 emails, targeting around 3,200 businesses in a span of two weeks. All of these messages were reportedly sent from the email account “ [email protected] .” This means the attackers were abusing Google Cloud Application integration.
For those unaware, this is a managed Google Cloud service that connects applications, APIs, and data sources without needing to write custom code. This allows organizations to automate workflows between cloud services, SaaS apps, and internal systems using prebuilt connectors, triggers, and actions. Emails generated through Google Cloud Application integration originate from Google-owned infrastructure and domains.
In phishing scams, threat actors can create or compromise a Google Cloud project and configure an integration workflow that sends emails via Gmail APIs or other connected email services. In simple terms, this is an abuse, rather than a breach in Google’s infrastructure.
The majority of the victims were in the US
To make the emails more believable, the attackers apparently made sure the messages followed Google’s style, language, and even formatting. These emails lured users with pending voicemail messages or notifications about receiving a document (example of real phishing emails below). The links in these emails lead to storage.cloud.google.com, which is a trusted Google Cloud service. It then redirects to googleusercontent.com, where users need to pass a fake CAPTCHA built to block security scanners.
Finally, the link redirects to a fake Microsoft login page, tricking them into giving away their login details. Attackers capture any credentials users enter in this stage, completing the phishing chain. Reportedly, the majority of the victims were in the US – 48.6%. Around 19.6% of them were working in manufacturing/industrial, 18.9% in technology/SaaS, and 14.8% in finance/banking/insurance. After the US, it was Asia-Pacific (20.7%) and Europe (19.8%).
For what it’s worth, Google told Check Point that “several phishing campaigns” abusing Google Cloud Application integration were already blocked. “ Importantly, this activity stemmed from the abuse of a workflow automation tool, not a compromise of Google’s infrastructure. While we have implemented protections to defend users against this specific attack, we encourage continued caution as malicious actors frequently attempt to spoof trusted brands. We are taking additional steps to prevent further misuse ,” the tech giant reportedly said.
