Scammers are taking advantage of Google’s Trust Service Verification and the way their App Engine creates unique URLs to host trusted landing pages used in phishing scams.
Ever phishing scammer that needs a website to take their victim to complete the scam or to host a command-and-control server to complete at attack needs that site to be one that security solutions will allow.
It’s one of the reasons some cybercriminals choose to compromise and infect websites owned by legitimate companies, while others choose to create malicious apps hosted with cloud providers like Azure and Google.
Traditionally, once a domain or subdomain has been identified as being malicious by a security solution, it’s game over for the bad guy. The challenge with blocking URLs built using Google’s App Engine is how Google App Engine (hosted on appspot.com) creates the URL names.
Today, the URLs use the following subdomain nomenclature:
Note how values such as version and project ID could vary over time or simply be purposely updated to generate hundreds or even thousands of identical malicious webpages, as was the case when security engineer Yusuke Osumi found over 2000 URLs that all pointed to the same fake Office 365 logon page.
Keep in mind, again, because these are running on Google’s own appspot.com, which is a Google Trusted domain, the pages created under this domain are trusted by everyone and every solution.
This checked the “it’s ok” box for just about every security solution, so it’s up to your users to act as a line of defense, scrutinizing URLs when being sent to what should be a known website. Users that enroll in Security Awareness Training are taught to always be skeptical of web links, requests for credentials, and other common tricks used as part of a phishing scam. Since Google App Engine isn’t doing you any favors, it’s time to do one for yourself with Security Awareness Training.