New Phishing Lure: using Google Looker

12223227086?profile=RESIZE_400xCybersecurity investigators are warning of a new type of phishing attacks that abuse Google Looker Studio to bypass protections.  Google Looker Studio[1] is a legitimate online tool for creating customizable reports, including charts and graphs that can be easily shared with others.  Looker Studio, formerly Google Data Studio, is an online tool for converting data into customizable informative reports and dashboards introduced by Google on 15 March 2016 as part of the enterprise Google Analytics 360 suite.[2]

As part of the observed attacks, threat actors are using Google Looker Studio to create fake crypto pages that are then delivered to the intended victims in emails sent from the legitimate tool itself.  The message contains a link to the fake report, claiming to provide the victim with information on investment strategies that would lead to significant returns.

The recipient is lured into clicking on the provided link, which redirects to a legitimate Google Looker page, hosting a Google slideshow claiming to provide instructions on how the recipient could receive more cryptocurrency.  The victim is then taken to a login page where they are shown a warning that they need to log into their account immediately, or risk losing access to it.  This page, however, is designed to steal the provided credentials.

The recent analysis shows that the attack manages to pass email authentication checks that prevent spoofing because the sender’s IP address is listed as authorized for a google.com subdomain.  Since it passes checks against the tampering with message contents in transit (DKIM) and DMARC protections because these verifications are automatically made for the domain google.com, which also leads to no action being taken if the checks fail.

This is a long way of saying that hackers are leveraging Google’s authority. An email security service will look at all these factors and have a good deal of confidence that it is not a phishing email, and that it comes from Google.  And it does! Because the attack is nested so deep, all the standard checks will pass with flying colors.

The researchers note that, while these protections will likely fail in this attack, the recipients’ vigilance might save the day.  The campaign has been ongoing for several weeks. Google was informed of these attacks on 22 August 2023.

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:

Reporting:    https://www.redskyalliance.org/
Website:       https://www.redskyalliance.com/
LinkedIn:      https://www.linkedin.com/company/64265941

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5993554863383553632  

 

 

[1] https://lookerstudio.google.com/u/0/navigation/reporting 

[2] https://www.securityweek.com/new-phishing-campaign-launched-via-google-looker-studio/

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!