In July, Zscaler ThreatLabZ posted a blog about a rise in the use of Microsoft Azure domains to host phishing attacks. Our researchers recently detected similar activity on the Google domains Appspot.com and Web.app. Appspot.com is a cloud computing platform for developing and hosting web applications in Google-managed data centers. Web.app is a mobile platform used for building mobile apps hosted by Firebase, which is Google’s mobile app platform.
These campaigns use SSL certificates issued by Appspot.com and Web.app, and they have well-designed login pages that attempt to spoof popular brands widely used in business, such as Dropbox Business, Microsoft Outlook and SharePoint, and DocuSign. They are designed to capture login credentials, which are sent to a remote server.
In the analysis that follows, we’ll describe the techniques these campaigns use to avoid detection and we’ll show the phishing domains and the locations where the user credentials are being sent.
As of this date, many of these subdomains on appspot.com and web.app are not being flagged by VirusTotal.
Fig 1: VirusTotal detections for the subdomains
Web.app hosted phishing pages
The following screenshots are phishing pages of some of the sites that have used an SSL certificate issued by Web.app.
Fig 2: Microsoft login phishing page
Fig 3: SSL certificate page of the hosted phishing URL
Appspot.com hosted phishing pages
Fig 4: Google Drive login phishing page
Fig 5: Outlook login phishing page
Fig 6: Dropbox login phishing page
Fig 7: DocuSign login phishing page
Fig 8: OneDrive login phishing page
Fig 9: OneDrive login phishing page
Fig 10: OneDrive login phishing page
Evasion techniques
This is a sophisticated phishing campaign as demonstrated by the well-designed phishing pages that are difficult to distinguish from legitimate pages.
In addition, the attackers are using the latest tactics to evade detection from scan engines, with most of the code written in an external JavaScript file. This filename is 32 characters long and different for every site.
Below is the source code of the phishing pages; the highlighted part is the external JavaScript mentioned above.
Fig 11: Source code of phishing page
Fig 12: Source code of phishing page
In the above landing page source code of the phishing URL, there is less content, no brand name, and no catchy strings that are common in most phishing campaigns. This enables it to bypass many automatic analysis engines and extend its survival.
The following screenshots show the code and the location where the user credentials are being sent. This code is present in randomly named, externally added JavaScript files.
Fig 13: Location used by the attacker to collect user credentials
Fig 14: Location used by the attacker to collect user credentials
The following figure shows a sample packet capture for this data being sent to the attacker’s site.
Fig 15: Packet capture for the data that has been sent to the attacker’s site
Zscaler is actively blocking these phishing pages. The following screen capture shows Zscaler detection for one of these pages:
Fig 16: Zscaler successfully detects these domains
Phishing domains
As of the writing of this blog, we have collected the following phishing domains.
uy67dass[.]appspot[.]com
ja8fspxzosaa[.]appspot[.]com
gjf9pxzosa[.]appspot[.]com
egoew023pzas[.]appspot[.]com
vhkad03pas[.]appspot[.]com
kda8gazxa[.]appspot[.]com
adgkao93pz[.]appspot[.]com
l9rwpodsxcs[.]appspot[.]com
cvgfsaz[.]appspot[.]com
jga9spzas[.]appspot[.]com
jjad9gdpxzsa[.]appspot[.]com
vadgka932oa[.]appspot[.]com
ls9ixosdsasa[.]appspot[.]com
qwsa92oozxa[.]appspot[.]com
adlg402ooz[.]appspot[.]com
bnb932psiz[.]appspot[.]com
authofisaiz[.]web[.]app
Telecomm-uk[.]web[.]app
f45ghdsas[.]appspot[.]com
Derr9qepzxas[.]appspot[.]com
Vgdikad9oqww[.]appspot[.]com
dsa3aszxsa[.]appspot[.]com
weotwe0dpa[.]appspot[.]com
Wy6fxsa[.]appspot[.]com
Yu56sdzsa[.]appspot[.]com
Vbhg45as[.]appspot[.]com
Hds9pzoas[.]appspot[.]com
khs9dpas[.]appspot[.]com
u76dfsdasa[.]appspot[.]com
y56fds[.]appspot[.]com
vfhgj3sz[.]appspot[.]com
eyq246ddpoas[.]appspot[.]com
h45dsagga[.]appspot[.]com
sds43dza[.]appspot[.]com
yt76uyhxzz[.]appspot[.]com
jh54dfaz[.]appspot[.]com
ytyfazxz[.]appspot[.]com
Where information is sent
Below are the locations where the phishing page is sending credentials entered by the user.
https://osipz[.]c3y5-tools[.]com/1[.]newsvpost_ads_auto/loading[.]php
https://osipz[.]kute[.]pw/1[.]newsvpost_ads/loading[.]php
https://xotpe[.]c3y5-tools[.]com/1[.]newsvpost_ads/loading[.]php
https://uiufz[.]c3y5-tools[.]com/1[.]newsvpost_ads/loading[.]php
https://xotpe[.]kute[.]pw/1[.]newsvpost_ads/loading[.]php
https://xotpe[.]bugcart[.]com/1[.]newsvpost_ads/loading[.]php
https://xotpe[.]dtvd[.]biz/1[.]newsvpost_ads/loading[.]php
https://uy6x[.]c3y5-tools[.]com/1[.]newsvpost_ads/loading[.]php
https://h76fg[.]c3y5-tools[.]com/1[.]newsvpost_ads/loading[.]php
https://hjif[.]c3y5-tools[.]com/1[.]newsvpost_ads/loading[.]php