Here's How Hackers Are Using Google Firebase Storage URLs to Scam People
For cybercriminals, the act of stealing users' login credentials or infecting them with malware is nothing more than business, and like any business, it presents its own set of challenges. Hackers are constantly trying to optimize their illegal operations and make them more effective. In an attempt to do that, phishing crews started using Google Firebase URLs in recent campaigns observed by researchers from Trustwave.
Phishers abuse Google's Firebase platform to harvest login credentials
Firebase is a development platform for mobile and web applications that was acquired by Google in 2014, and it's now directly linked to the search engine giant's massive cloud storage infrastructure. The crooks realized that this makes it perfect for storing phishing pages.
According to Trustwave's researchers, the phishers have impersonated a number of different service providers and have created a number of scenarios in their emails. The goal, however, is always the same – tricking users into clicking a link in the email and leading them to a phishing page that is hosted on Firebase.
Convincing emails can catch many users off-guard
The phishers have put a lot of effort into the emails. One of the first things you can notice from the examples Trustwave posted is the distinct lack of grammatical and spelling errors that we often associate with phishing campaigns. As the researchers pointed out, the fonts and formatting are not perfect in some places, but the crooks apparently hope that their social engineering tricks will be strong enough to compensate for this.
Indeed, some of the scenarios are quite believable. As we mentioned already, the phishers aren't impersonating a single service provider, and they're not targeting a single set of users. That being said, the majority of emails appear to be aimed at employees of organizations of various sizes.
Microsoft's name is used quite extensively throughout the campaigns. In some of the attacks, the crooks try to convince the user that some emails have not been delivered because of a server migration. In others, the victim is told that certain incoming messages might have been flagged as spam erroneously and should be reviewed. In yet another campaign, the user is urged to upgrade their account so that they can use a new version of the webmail portal.
The coronavirus pandemic has also been used. One of Trustwave's screenshots shows that the crooks are trying to impersonate the accountants of the victim's employer. The user is told that they need to fill in a payment form in order to receive an outstanding payment related to the work-from-home directive. Of course, many would be able to poke holes in the scenarios dreamt up by the hackers, but it's not difficult to see how inexperienced and less tech-savvy users might fall for the scam.
Why did the crooks pick Firebase?
The remarkable characteristic of these campaigns, though, is not the social engineering but the use of Firebase. Cybercriminals often host their phishing pages on websites that they compromise beforehand. That way, they don't need to register new domains or think about setting up servers that will host the malicious login forms. Hacking a website isn't necessarily easy, though, and often, it's simply not worth the effort. As soon as security products detect malicious activity on the compromised website, the entire domain can be blacklisted, and the whole campaign could end prematurely.
By using Firebase, the phishers are taking direct advantage of Google's cloud infrastructure and its reputation. The spam filters are less likely to put Firebase URLs under direct scrutiny, and even if one page gets reported and removed, the crooks can set up another one with relative ease.
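A mail-filter style check for the point above, added here as an illustration and not taken from Trustwave or from this article: because the host's reputation cannot be used to block these links, it looks at what the link serves instead. The Firebase Storage hostname and path layout are general knowledge about the service; the sample email body, bucket name and token are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Host used by Firebase Storage download URLs (general knowledge, not from the article).
FIREBASE_STORAGE_HOST = "firebasestorage.googleapis.com"
PAGE_EXTENSIONS = (".html", ".htm")  # objects a browser renders as a page

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)

def firebase_page_links(html_body):
    """Return links that load an HTML object straight from Firebase Storage."""
    collector = LinkCollector()
    collector.feed(html_body)
    flagged = []
    for url in collector.links:
        parts = urlsplit(url)
        # Exact host match, so look-alike hosts with extra labels are not counted.
        if (parts.hostname or "").lower() != FIREBASE_STORAGE_HOST:
            continue
        # Path shape: /v0/b/<bucket>/o/<url-encoded object name>
        match = re.fullmatch(r"/v0/b/([^/]+)/o/(.+)", parts.path)
        if not match:
            continue
        bucket, obj = match.group(1), unquote(match.group(2)).lower()
        if obj.endswith(PAGE_EXTENSIONS):
            flagged.append({"url": url, "bucket": bucket, "object": obj})
    return flagged

# Constructed sample body; bucket name and token are placeholders.
SAMPLE_BODY = """
<p>Some messages were not delivered because of a server migration.</p>
<a href="https://firebasestorage.googleapis.com/v0/b/example-bucket.appspot.com/o/mail%2Findex.html?alt=media&amp;token=PLACEHOLDER">Review messages</a>
<a href="https://firebasestorage.googleapis.com/v0/b/example-bucket.appspot.com/o/logo.png?alt=media">logo</a>
<a href="https://www.example.com/help">Help</a>
"""

if __name__ == "__main__":
    for hit in firebase_page_links(SAMPLE_BODY):
        print(hit["bucket"], hit["object"])
```

A hit is a reason to send the message for closer inspection rather than a verdict, since legitimate applications also serve files from the same host.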
All in all, it looks like the cybercriminals have found a new way of making their attacks more streamlined and effective, and it's up to Google to counteract it. Keeping criminals out of its platforms is nothing new for the search engine colossus, but its experts now need to focus on Firebase as well.