Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Google Cloud projects are being hijacked for phishing campaigns

Google Cloud - Editorial Only.

Multiple hacking collectives in Latin America were observed abusing Google Cloud’s infrastructure in their phishing attacks, the company has confirmed. 

In its biannual Threat Horizons Report, Google said at least two threat actors, FLUXROOT and PINEAPPLE, abused Google Cloud as part of their infrastructure. 

FLUXROOT was running a phishing campaign to steal login credentials for Mercado Pago, a popular online payments platform for the Latin America region. In its campaign, the threat actor was using Google Cloud container URLs to host the phishing pages, the company said.

PINEAPPLE and Astaroth

"Serverless architectures are attractive to developers and enterprises for their flexibility, cost effectiveness, and ease of use," Google said in its writeup. "These same features make serverless computing services for all cloud providers attractive to threat actors, who use them to deliver and communicate with their malware, host and direct users to phishing pages, and to run malware and execute malicious scripts specifically tailored to run in a serverless environment."

Previously, FLUXROOT was seen distributing the Grandoreiro banking trojan.

PINEAPPLE, on the other hand, was using Google Cloud to distribute Astaroth (AKA Guildma), a popular infostealer malware.

"PINEAPPLE used compromised Google Cloud instances and Google Cloud projects they created themselves to create container URLs on legitimate Google Cloud serverless domains such as cloudfunctions[.]net and run.app," Google explained. "The URLs hosted landing pages redirecting targets to malicious infrastructure that dropped Astaroth."

In response to these campaigns, the company took down the malicious Google Cloud projects, and updated its Safe Browsing list. 

"Threat actors take advantage of the flexibility and ease of deployment of serverless platforms to distribute malware and host phishing pages," the company concluded. "Threat actors abusing cloud services shift their tactics in response to defenders' detection and mitigation measures."

Via The Hacker News

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.