Site icon IT World Canada

Hackers are using Google services to bypass email defence, researchers warn

Threat actors are increasingly using Google services such as Forms, Firebase and Sites to get around email defences that look for suspicious code and URLs, security vendor Armorblox has warned.

In a blog released this morning, the company said infosec pros need to tailor their strategies to prepare for these deceptions, especially if their organization uses free Gmail or GSuite.

Here are several examples of attackers’ tactics Armorblox has seen:

The email link leads to a fake login page hosted on Firebase, Google’s mobile platform that enables users to create apps, host files and images, and serve user-generated content. The parent URL of the fake page – https://firebasestorage.googleapis.com – won’t be blocked by any security filters. The login screen for capturing credentials has the email address of the victim pre-entered into the first field.

Some of these tactics won’t fool a sharp-eyed — and well-trained — person if certain defences are in place. For example, if the corporate email is set up to brand messages as coming from an external (outside the company) source, then staff should realize a message purportedly coming from a colleague or another company department must be malicious.

Still, Armorblox recommends infosec staff, if they haven’t already done so to implement multifactor authentication for email accounts and have staff use an approved password manager, making sure staff don’t use common and insecure passwords; train staff to be careful with emails related to money and data and make sure all existing email security capabilities are enabled. Some security vendors may have products that can spot Google service abuse.

Exit mobile version