Phishing via Google Looker Studio

A growing attack involving Google Looker Studio is making the rounds. In the last few weeks, we have seen over a hundred of these attacks.

Google Looker Studio is a tool that converts information – slideshows, spreadsheets, etc. – in visualized data such as graphs and charts.

Hackers use it to create fake crypto pages designed to steal money and credentials.

It's another way hackers use legitimate services for what we call BEC 3.0 attacks.

Next, Check Point Harmony email researchers will discuss how hackers use social engineering with a Google domain designed to elicit a user response and hand over credentials to encryption sites.

The attack

In this attack, hackers use Google Looker Studio to host credential harvesting encryption sites.

  • Vector: Email
  • Type: BEC 3.0
  • Techniques: Social Engineering, Credential Harvesting
  • Target: Any end user

Example email

This attack starts with an email that comes directly from Google, in this case Google Looker Studio.

Hackers have created a report on Looker Studio. The email has a link to the report, saying that by following these investment strategies, users have seen good returns. To access your account, simply click here.

When clicked, you will be redirected to this page. Again, it's a legitimate Google Looker page.


Εδώ, οι χάκερ φιλοσαν ένα Google Slideshow, λέγοντας πώς μπορείτε να διεκδικήσετε περισσότερα Bitcoin.

From there, it takes you to a login page designed to steal your credentials.

But first, they make it even more urgent.


To save your account, you must log in immediately.


Then, of course, they steal your credentials


In the backend, you can see the signatures that Google uses to validate this page.


Ας το αναλύσουμε λίγο. Το Sender Policy Framework ή SPF είναι μια μέθοδος designed to prevent email spoofing by specifying which IP addresses or servers are authorized to send email for a particular domain.

In this case, the SPF check is passed (spf = pass) because the sender's IP address ( is listed as an authorized sender for this domain:

Then there is DomainKeys Identified Mail or DKIM. It's another email authentication tool that uses cryptographic signatures to verify that the content of the email hasn't been modified in transit and that it actually comes from the domain it says it does. In this case, the DKIM signature is passed (dkim=pass) and verified for the domain

Next is domain-based or DMARC message authentication, reporting, and compliance. DMARC is a policy framework based on both SPF and DKIM to further improve email authentication. Allows domain owners to specify what actions should be taken for any emails that fail SPF or DKIM. In this case, the DMARC check has passed (dmarc=pass) for the domain and no action is required. This means that no specific actions are taken for failed emails.

This is – we can say – how hackers leverage the power of Google. An email security service will look at all these factors and be almost certain that this is not a phishing email and that it is from Google. Because the attack has such deep foundations, all standard checks will pass with ease.

Now, this requires cooperation on the part of the user, going through all the links and entering the required information. Not all users will. But as we often say, it only takes one successful attack.

Check Point researchers contacted Google to inform them of this campaign on August 22.

Best practices: guidance and recommendations

To protect against these attacks, security professionals can do the following:

  • Adopt AI technology capable of analyzing and detecting numerous phishing indicators to proactively prevent sophisticated attacks.
  • Adopt a comprehensive security solution that includes document and file scanning capabilities
  • Deploy a powerful URL protection system that thoroughly scans and emulates websites for enhanced security

Jeremy Fuchs, cybersecurity researcher/analyst at Check Point Software The Best Technology Site in Greecefgns

Subscribe to Blog by Email

Subscribe to this blog and receive of new posts by email.

Written by guest

Guest Post: I saw openly and entered!

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).