Phishing Attacks Can Come from an Unlimited Number of Trusted Phishing Sites Thanks to Google App Engine



Phishing Attacks Google App EngineScammers are taking advantage of Google’s Trust Service Verification and the way their App Engine creates unique URLs to host trusted landing pages used in phishing scams.

Ever phishing scammer that needs a website to take their victim to complete the scam or to host a command-and-control server to complete at attack needs that site to be one that security solutions will allow.

It’s one of the reasons some cybercriminals choose to compromise and infect websites owned by legitimate companies, while others choose to create malicious apps hosted with cloud providers like Azure and Google.

Traditionally, once a domain or subdomain has been identified as being malicious by a security solution, it’s game over for the bad guy. The challenge with blocking URLs built using Google’s App Engine is how Google App Engine (hosted on appspot.com) creates the URL names.

Today, the URLs use the following subdomain nomenclature:

VERSION-dot-SERVICE-dot-PROJECT_ID.REGION_ID.r.appspot.com

Note how values such as version and project ID could vary over time or simply be purposely updated to generate hundreds or even thousands of identical malicious webpages, as was the case when security engineer Yusuke Osumi found over 2000 URLs that all pointed to the same fake Office 365 logon page.

Keep in mind, again, because these are running on Google’s own appspot.com, which is a Google Trusted domain, the pages created under this domain are trusted by everyone and every solution.

That’s bad.

This checked the “it’s ok” box for just about every security solution, so it’s up to your users to act as a line of defense, scrutinizing URLs when being sent to what should be a known website. Users that enroll in Security Awareness Training are taught to always be skeptical of web links, requests for credentials, and other common tricks used as part of a phishing scam. Since Google App Engine isn’t doing you any favors, it’s time to do one for yourself with Security Awareness Training.


Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before the bad guys do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

PST ResultsHere's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://www.knowbe4.com/phishing-security-test-offer

Topics: Phishing

Subscribe To Our Blog


Ransomware Hostage Rescue Manual




Get the latest about social engineering

Subscribe to CyberheistNews