A growing attack involving Google Looker Studio is making the rounds. In the last few weeks, we have seen over a hundred of these attacks.
Google Looker Studio is a tool that turns information – spreadsheets, slideshows, etc. – into visualized data such as graphs and charts.
Hackers use it to host fake cryptocurrency pages designed to steal money and credentials.
It's another way hackers use legitimate services for what we call BEC 3.0 attacks.
In this report, Check Point Harmony Email researchers discuss how hackers combine social engineering with a legitimate Google domain to elicit a user response and get users to hand over their credentials on fake cryptocurrency sites.
The attack
In this attack, hackers use Google Looker Studio to host credential-harvesting cryptocurrency sites.
- Vector: Email
- Type: BEC 3.0
- Techniques: Social Engineering, Credential Harvesting
- Target: Any end user
Example email
This attack starts with an email that comes directly from Google, in this case from Google Looker Studio.
The hackers have created a report in Looker Studio and shared it, so the notification email carries a link to the report. The lure claims that by following these investment strategies users have seen good returns, and invites the recipient to click to access their account.
When the link is clicked, you are taken to this page. Again, it's a legitimate Google Looker Studio page.
Here the hackers embedded a Google Slides presentation explaining how you can claim more Bitcoin.
From there, it takes you to a login page designed to steal your credentials.
But first, they make it even more urgent.
To save your account, you must log in immediately.
Then, of course, they steal your credentials.
Technical
In the message headers you can see the authentication results that show this email really did come through Google's mail infrastructure.
Let's break it down a bit. Sender Policy Framework, or SPF, is an email authentication method designed to prevent email spoofing: a domain publishes which IP addresses or servers are authorized to send email on its behalf, and the receiver checks the connecting IP against that list for the envelope-sender (MAIL FROM) domain.
In this case the SPF check passes (spf=pass) because the sending IP address (209.85.160.70) is listed as an authorized sender for the envelope-sender domain, data-studio.bounces.google.com.
Then there is DomainKeys Identified Mail, or DKIM. It's another email authentication tool that uses cryptographic signatures to verify that the signed headers and body of the email have not been modified in transit and that it was actually sent by the domain that signed it. In this case the DKIM signature verifies (dkim=pass) for the domain google.com.
Next is DMARC, Domain-based Message Authentication, Reporting and Conformance. DMARC is a policy framework built on both SPF and DKIM: it requires the domain that passed SPF or DKIM to align with the domain in the visible From header, and it lets domain owners specify what receivers should do with messages that fail. In this case the DMARC check passes (dmarc=pass) for the domain google.com, so the policy action for failing messages is never triggered.
This is how hackers leverage the power of Google. An email security service that looks only at these factors will be almost certain that this is not a phishing email, because it genuinely comes from Google. Because the attack rests on such legitimate foundations, all standard authentication checks pass with ease.
Now, this requires cooperation on the part of the user: following all the links and entering the requested information. Not all users will. But as we often say, it only takes one successful attack.
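As an added example (not code from Check Point's report or from Google), the Python below parses an Authentication-Results header like the one described above and shows why an all-pass result should not end the analysis: the sender, IP and pass results are real to the article, but the link lands on user-authored content under google.com and the body reads like a lure, so the message is routed to URL emulation instead of being trusted. The sample message, the From address, the report path and the lure wording are constructed for this example; it also assumes lookerstudio.google.com is the host for shared reports.

```python
"""Triage of a Looker Studio share notification whose SPF, DKIM and DMARC all pass.

Constructed example for this article, not Check Point's or Google's code.
Only the envelope domain (data-studio.bounces.google.com), the sending IP
(209.85.160.70) and the pass/pass/pass results are taken from the article;
the From address, the report path and the lure text are assumptions.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

SAMPLE_MESSAGE = """\
Authentication-Results: mx.example.net;
 spf=pass (example.net: domain of bounce@data-studio.bounces.google.com designates 209.85.160.70 as permitted sender) smtp.mailfrom=bounce@data-studio.bounces.google.com;
 dkim=pass header.i=@google.com;
 dmarc=pass header.from=google.com
From: Looker Studio <looker-studio-noreply@google.com>
To: victim@example.net
Subject: Report shared with you: Investment Strategies Q3
Content-Type: text/plain; charset=utf-8

Investors following these strategies have seen great returns.
To access your account, click here:
https://lookerstudio.google.com/reporting/0000-example
Log in immediately to save your account.
"""

# Hosts that pass DMARC for google.com yet serve content any Google account can publish.
# lookerstudio.google.com is Looker Studio's host; the other entries are assumptions.
USER_CONTENT_HOSTS = {"lookerstudio.google.com", "docs.google.com", "drive.google.com"}

# Lure phrases from the article's walkthrough, generalised with crypto keywords.
LURE_PATTERNS = [
    r"\bbitcoin\b", r"\bcrypto\w*", r"\breturns\b", r"\bimmediately\b",
    r"access your account", r"save your account",
]

AUTH_CLAUSE_RE = re.compile(r"^\s*(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def parse_authentication_results(value):
    """Map method -> result from an RFC 8601 Authentication-Results value,
    e.g. {'spf': 'pass', 'dkim': 'pass', 'dmarc': 'pass'}."""
    flat = " ".join(value.split())                 # undo header folding
    flat = re.sub(r"\([^)]*\)", "", flat)          # drop (comments) before splitting on ';'
    results = {}
    for clause in flat.split(";")[1:]:             # clause 0 is the authserv-id
        m = AUTH_CLAUSE_RE.match(clause)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def assess_message(raw):
    """Return the parsed authentication results plus a verdict that looks past 'all pass'."""
    msg = message_from_string(raw, policy=policy.default)
    auth = parse_authentication_results(str(msg["Authentication-Results"] or ""))
    from_domain = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()
    body = "" if msg.is_multipart() else msg.get_content()
    urls = URL_RE.findall(body)
    hosted_links = [u for u in urls if (urlparse(u).hostname or "").lower() in USER_CONTENT_HOSTS]
    lures = [p for p in LURE_PATTERNS if re.search(p, body, re.IGNORECASE)]
    all_pass = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))

    if not all_pass:
        verdict = "auth-failure"
    elif hosted_links and len(lures) >= 2:
        # Authentic sender, but the link lands on content anyone can publish under
        # google.com and the text reads like a lure: send the URL for emulation.
        verdict = "suspicious"
    else:
        verdict = "authenticated"
    return {"auth": auth, "from_domain": from_domain,
            "hosted_links": hosted_links, "lures": lures, "verdict": verdict}


if __name__ == "__main__":
    print(assess_message(SAMPLE_MESSAGE))
```

The point of the verdict logic is that SPF, DKIM and DMARC answer "did google.com send this?", not "is the linked page safe?"; for senders whose domain also hosts user-generated content, the link and the wording have to be inspected on their own.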
Check Point researchers contacted Google to inform them of this campaign on August 22.
Best practices: guidance and recommendations
To protect against these attacks, security professionals can do the following:
- Adopt AI technology capable of analyzing and detecting numerous phishing indicators, beyond sender authentication, to proactively prevent sophisticated attacks.
- Adopt a comprehensive security solution that includes document and file scanning capabilities.
- Deploy a robust URL protection system that thoroughly scans and emulates websites, including pages hosted on legitimate services.
Jeremy Fuchs, cybersecurity researcher/analyst at Check Point Software