Zscaler Blog

Erhalten Sie die neuesten Zscaler Blog-Updates in Ihrem Posteingang

Abonnieren
Security Research

Phishing attacks abusing appspot.com and web.app domains on Google Cloud

image
KAIVALYA KHURSALE
September 26, 2019 - 4 Lesezeit: Min

In July, Zscaler ThreatLabZ posted a blog about a rise in the use of Microsoft Azure domains to host phishing attacks. Our researchers recently detected similar activity on the Google domains Appspot.com and Web.app. Appspot.com is a cloud computing platform for developing and hosting web applications in Google-managed data centers. Web.app is a mobile platform used for building mobile apps hosted by Firebase, which is Google’s mobile app platform.

These campaigns use SSL certificates issued by Appspot.com and Web.app, and they have well-designed login pages that attempt to spoof popular brands widely used in business, such as Dropbox Business, Microsoft Outlook and SharePoint, and DocuSign. They are designed to capture login credentials, which are sent to a remote server.

In the analysis that follows, we’ll describe the techniques these campaigns use to avoid detection and we’ll show the phishing domains and the locations where the user credentials are being sent.

As of this date, many of these subdomains on appspot.com and web.app are not being flagged by VirusTotal.

 

Image

Image

Fig 1: VirusTotal detections for the subdomains

 

Web.app hosted phishing pages

The following screenshots are phishing pages of some of the sites that have used an SSL certificate issued by Web.app.

Image

Fig 2: Microsoft login phishing page 

 

Image

Fig 3: SSL certificate page of the hosted phishing URL

 

Appspot.com hosted phishing pages

Image

Fig 4: Google Drive login phishing page

 

Image

Fig 5: Outlook login phishing page

 

Image

Fig 6: Dropbox login phishing page

 

Image

Fig 7: DocuSign login phishing page

 

Image 

Fig 8: OneDrive login phishing page

 

Image

Fig 9: OneDrive login phishing page

 

Image

Fig 10: OneDrive login phishing page


Evasion techniques

This is a sophisticated phishing campaign as demonstrated by the well-designed phishing pages that are difficult to distinguish from legitimate pages.

In addition, the attackers are using the latest tactics to evade detection from scan engines, with most of the code written in an external JavaScript file. This filename is 32 characters long and different for every site. 

Below is the source code of the phishing pages; the highlighted part is the external JavaScript mentioned above.

Image

Fig 11: Source code of phishing page

Image

Fig 12: Source code of phishing page

In the above landing page source code of the phishing URL, there is less content, no brand name, and no catchy strings that are common in most phishing campaigns. This enables it to bypass many automatic analysis engines and extend its survival.

The following screenshots show the code and the location where the user credentials are being sent. This code is present in randomly named, externally added JavaScript files.

Image

Fig 13: Location used by the attacker to collect user credentials 

Image

Fig 14: Location used by the attacker to collect user credentials


The following figure shows a sample packet capture for this data being sent to the attacker’s site. 

Image

Image

Fig 15: Packet capture for the data that has been sent to the attacker’s site

 

Zscaler is actively blocking these phishing pages. The following screen capture shows Zscaler detection for one of these pages:

Image

Fig 16: Zscaler successfully detects these domains 

 

Phishing domains

As of the writing of this blog, we have collected the following phishing domains.

uy67dass[.]appspot[.]com
ja8fspxzosaa[.]appspot[.]com
gjf9pxzosa[.]appspot[.]com
egoew023pzas[.]appspot[.]com
vhkad03pas[.]appspot[.]com
kda8gazxa[.]appspot[.]com
adgkao93pz[.]appspot[.]com
l9rwpodsxcs[.]appspot[.]com
cvgfsaz[.]appspot[.]com
jga9spzas[.]appspot[.]com
jjad9gdpxzsa[.]appspot[.]com
vadgka932oa[.]appspot[.]com
ls9ixosdsasa[.]appspot[.]com
qwsa92oozxa[.]appspot[.]com
adlg402ooz[.]appspot[.]com
bnb932psiz[.]appspot[.]com
authofisaiz[.]web[.]app
Telecomm-uk[.]web[.]app
f45ghdsas[.]appspot[.]com
Derr9qepzxas[.]appspot[.]com
Vgdikad9oqww[.]appspot[.]com
dsa3aszxsa[.]appspot[.]com
weotwe0dpa[.]appspot[.]com
Wy6fxsa[.]appspot[.]com
Yu56sdzsa[.]appspot[.]com
Vbhg45as[.]appspot[.]com
Hds9pzoas[.]appspot[.]com
khs9dpas[.]appspot[.]com
u76dfsdasa[.]appspot[.]com
y56fds[.]appspot[.]com
vfhgj3sz[.]appspot[.]com
eyq246ddpoas[.]appspot[.]com
h45dsagga[.]appspot[.]com
sds43dza[.]appspot[.]com
yt76uyhxzz[.]appspot[.]com
jh54dfaz[.]appspot[.]com
ytyfazxz[.]appspot[.]com

 

Where information is sent 

Below are the locations where the phishing page is sending credentials entered by the user. 

https://osipz[.]c3y5-tools[.]com/1[.]newsvpost_ads_auto/loading[.]php
https://osipz[.]kute[.]pw/1[.]newsvpost_ads/loading[.]php
https://xotpe[.]c3y5-tools[.]com/1[.]newsvpost_ads/loading[.]php
https://uiufz[.]c3y5-tools[.]com/1[.]newsvpost_ads/loading[.]php
https://xotpe[.]kute[.]pw/1[.]newsvpost_ads/loading[.]php
https://xotpe[.]bugcart[.]com/1[.]newsvpost_ads/loading[.]php
https://xotpe[.]dtvd[.]biz/1[.]newsvpost_ads/loading[.]php
https://uy6x[.]c3y5-tools[.]com/1[.]newsvpost_ads/loading[.]php
https://h76fg[.]c3y5-tools[.]com/1[.]newsvpost_ads/loading[.]php
https://hjif[.]c3y5-tools[.]com/1[.]newsvpost_ads/loading[.]php

 

form submtited
Danke fürs Lesen

War dieser Beitrag nützlich?

Erhalten Sie die neuesten Zscaler Blog-Updates in Ihrem Posteingang

Mit dem Absenden des Formulars stimmen Sie unserer Datenschutzrichtlinie zu.