Site icon Check Point Blog

Phishing via Google Looker Studio

A burgeoning attack involving Google Looker Studio is making the rounds. In the last few weeks, we’ve seen over a hundred of these attacks.

Google Looker Studio is a tool that converts information—slideshows, spreadsheets, etc—into visualized data, such as charts and graphs.

Hackers are utilizing it to create fake crypto pages that are designed to steal money and credentials.

It’s another way that hackers are utilizing legitimate services for what we call BEC 3.0 attacks.

In this attack brief, Check Point Harmony email researchers will discuss how hackers are using social engineering with a Google domain, designed to elicit a user response and hand over credentials to crypto sites.

Attack

In this attack, hackers are utilizing Google Looker Studio to host credential harvesting crypto sites.

Email Example

This attack starts with an email that comes directly from Google, in this case Google Looker Studio.

Hackers have created a report within Looker Studio. The email has a link to the report, saying that by following these investment strategies, users have seen a nice return. To access your account, just click here.

When you click, you’ll be redirected to this page. Again, it’s a legitimate Google Looker page.

Here, the hackers have hosted a Google Slideshow, saying how you can claim more Bitcoin. From there, it goes to a login page that is designed to steal your credentials. But first, they give you even more urgency.

In order to save your account, you have to login immediately.

Then, of course, your credentials are stolen.

Techniques

In the backend, you can see the signatures that Google uses to legitimize this page.

Let’s break this down a little bit. Sender Policy Framework, or SPF, is an email authentication method that is designed to prevent email spoofing by specifying which IP addresses or servers are authorized to send emails for a particular domain.

In this case, the SPF check has passed (spf=pass) because the sender’s IP address (209.85.160.70) is listed as an authorized sender for this domain: data-studio.bounces.google.com

Then, there’s DomainKeys Identified Mail, or DKIM. It’s another email authentication tool that uses cryptographic signatures to verify that the email’s content has not been altered during transit, and that it actually comes from the domain it says it does. In this case, the DKIM signature has passed (dkim=pass) and was verified for the domain google.com

Next is Domain-based Message Authentication, Reporting, and Conformance, or DMARC. DMARC is a policy framework that builds on both SPF and DKIM to further enhance email authentication. It allows domain owners to specify what actions should be taken for any emails that fail SPF or DKIM. In this particular case, the DMARC check has passed (dmarc=pass) for the domain google.com, and the action specified is none. That means that no specific action is taken for failed emails.

This is a long way of saying that hackers are leveraging Google’s authority. An email security service will look at all these factors and have a good deal of confidence that it is not a phishing email, and that it comes from Google. And it does! Because the attack is nested so deep, all the standard checks will pass with flying colors.

Now, this does require cooperation on the part of the user, to go through all the links and enter the required information. Not every user will do that. But as we say often, it just takes one successful attack.

Check Point researchers reached out to Google to inform them of this campaign on August 22.

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

Check Point Customer remain protected against the threats described on this blog while using Harmony Cloud Email & Collaboration Security.

Harmony Email & Collaboration provides complete protection for Microsoft 365, Google Workspace and all your collaboration and file-sharing apps. Email & Collaboration is designed specifically for cloud email environments and is the ONLY solution that prevents, not just detects or responds to, threats from entering the inbox.

Exit mobile version