Several threat actors are abusing legitimate cloud services to launch phishing attacks against users in Latin America, according to Google’s latest Threat Horizons Report.
One threat actor, tracked as “PINEAPPLE,” impersonated Brazil’s revenue service, Receita Federal do Brasil, to deliver the Astaroth infostealer.
“In one recent campaign blocked by Gmail, PINEAPPLE’s spam emails impersonated Brazil’s finance ministry and directed recipients to a social engineering page mimicking the Brazilian government’s electronic tax document system (Portal da Nota Fiscal Eletrônica),” the researchers write. “The site directed visitors to click a button to view an electronic tax document generated by the system.”
A second threat actor, dubbed “FLUXROOT,” is using Google Cloud to help its phishing URLs avoid detection by security filters.
“Another Latin America-based financially motivated actor, FLUXROOT, has experimented with Google Cloud containers and tested detection rates for Google Cloud URLs in VirusTotal,” the researchers write. “FLUXROOT is known publicly for distributing Grandoreiro banking malware.
In 2023, TAG identified multiple Google Cloud serverless projects being used to harvest credentials for one of Latin America’s largest online payment platforms. Upon discovering the FLUXROOT sites, TAG and Safe Browsing updated detection signatures and added the sites to the Safe Browsing blocklist.”
Google has since taken measures to disrupt both of these campaigns. The researchers note that all legitimate cloud services can be abused by threat actors to easily set up and launch phishing campaigns.
“Serverless architectures are attractive to developers and enterprises for their flexibility, cost effectiveness, and ease of use,” the report says.
“These same features make serverless computing services for all cloud providers attractive to threat actors, who use them to deliver and communicate with their malware, host and direct users to phishing pages, and to run malware and execute malicious scripts specifically tailored to run in a serverless environment. The security research community has uncovered a wide range of abuse of legitimate serverless infrastructure by malicious actors. This abuse affects all cloud service providers, including Google Cloud, AWS, Azure, CloudFlare, and others.”
Google has the story.