Attackers Abuse Google Looker Studio to Evade DMARC, Email Security

Published: 23/11/2024   Category: security

Cyberattackers are tapping the legitimacy of the Web-based data-visualization tool in a campaign aimed at stealing credentials and defrauding hundreds of business users.



Cyberthreat actors are abusing Google's Looker Studio data-visualization tool to deliver phishing-lure pages that ultimately steal both money and credentials — and skate by email defenses.
Google Looker Studio is a Web-based tool that converts information — slideshows, spreadsheets, etc. — into visualized data, such as charts and graphs. The business email compromise (BEC) campaign, discovered by researchers at Check Point and active over the last several weeks, uses the tool to build cryptocurrency-themed pages in a socially engineered attack. Attackers deliver emails that appear to come directly from Google with links to purported reports that offer strategies for cryptocurrency investing, and encourage users to click on a link to sign in to their account for more info.
"Hackers are using social engineering with a Google domain, designed to elicit a user response and hand over credentials to crypto sites," Jeremy Fuchs, cybersecurity researcher/analyst at Check Point, wrote in a recent blog post.
If victims take the bait, they're led to a Google Looker page that hosts a Google Slideshow informing victims about how they can claim more Bitcoin, which uses a sense of urgency to direct users to a login page that steals their credentials.
Check Point researchers have seen more than a hundred attacks that leverage this vector, and have already informed Google of the campaign, they said.
The attack works because it can successfully dodge technology that scans incoming emails for malicious activity by leveraging Google's authority to dupe various email authentication protocols, Fuchs explained.
Messages, for instance, fool Sender Policy Framework (SPF) controls by using a sender IP address that's listed as an authorized sender for the domain — that is, data-studio.bounces.google.com. SPF is an email authentication method that is designed to prevent email spoofing by specifying which IP addresses or servers are authorized to send emails for a particular domain.
Messages also avoid any flags that the DomainKeys Identified Mail (DKIM) authentication tool would raise; DKIM uses cryptographic signatures to verify that the email's content has not been altered during transit, and that it actually comes from the domain it says it does. Again, the messages pass inspection by this protocol because they are verified for the legitimate domain google.com, Fuchs wrote.
Further, Domain-based Message Authentication, Reporting, and Conformance (DMARC) — a policy framework that allows domain owners to specify what actions should be taken for any emails that fail SPF or DKIM — also passes the messages along because of their association with the google.com domain.
An email security service will look at all these factors and have a good deal of confidence that it is not a phishing email, and that it comes from Google, Fuchs noted, because the attack is nested so deep.
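To make the "nested so deep" point concrete, the following added example (not from the article or Check Point) evaluates a constructed Looker Studio share notification the way a receiving gateway does: it parses an Authentication-Results header, applies DMARC relaxed alignment, and compares the link domains in the body against the authenticated organizational domain. The header values, the DKIM d= domain and the body are constructed, and the organizational-domain helper is a simplified stand-in for a Public Suffix List lookup.

```python
import re

# Constructed sample (not a real capture) modelled on the campaign described
# above: the message is relayed by Google's Looker Studio bounce infrastructure.
SAMPLE_HEADERS = {
    "From": "Looker Studio <looker-studio-noreply@google.com>",
    "Authentication-Results": (
        "mx.example.net; "
        "spf=pass smtp.mailfrom=3abc@data-studio.bounces.google.com; "
        "dkim=pass header.d=google.com header.s=constructed"
    ),
}
SAMPLE_BODY = "A report was shared with you: https://lookerstudio.google.com/reporting/EXAMPLE-ID"

def org_domain(domain):
    """Organizational domain for relaxed alignment. Assumption: the last two
    labels stand in for a Public Suffix List lookup (wrong for co.uk etc.)."""
    labels = domain.lower().strip(". ").split(".")
    return ".".join(labels[-2:])

def parse_auth_results(header):
    """Map each method in an Authentication-Results header to (result, props)."""
    results = {}
    for clause in header.split(";")[1:]:          # index 0 is the authserv-id
        m = re.match(r"\s*(\w+)=(\w+)(.*)", clause, re.S)
        if m:
            method, result, rest = m.groups()
            results[method] = (result, dict(re.findall(r"([\w.]+)=(\S+)", rest)))
    return results

def dmarc_evaluate(headers):
    """Relaxed-alignment DMARC check (RFC 7489): pass if SPF or DKIM passed
    AND that identifier shares the From: organizational domain."""
    from_org = org_domain(re.search(r"@([\w.-]+)", headers["From"]).group(1))
    auth = parse_auth_results(headers["Authentication-Results"])
    spf_res, spf_p = auth.get("spf", ("none", {}))
    spf_dom = spf_p.get("smtp.mailfrom", "").split("@")[-1]
    spf_aligned = spf_res == "pass" and org_domain(spf_dom) == from_org
    dkim_res, dkim_p = auth.get("dkim", ("none", {}))
    dkim_aligned = dkim_res == "pass" and org_domain(dkim_p.get("header.d", "")) == from_org
    return {"from_org": from_org, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "dmarc": spf_aligned or dkim_aligned}

def assess(headers, body):
    """Authentication plus link-domain view a gateway has before any URL emulation."""
    verdict = dmarc_evaluate(headers)
    link_orgs = {org_domain(h) for h in re.findall(r"https?://([\w.-]+)", body)}
    verdict["offdomain_links"] = sorted(link_orgs - {verdict["from_org"]})
    return verdict

if __name__ == "__main__":
    print(assess(SAMPLE_HEADERS, SAMPLE_BODY))
```

Every domain-level signal comes back clean (SPF and DKIM aligned, DMARC pass, no off-domain links), which is why the article's recommendation points at content inspection and URL emulation rather than at the authentication layer.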
Indeed, SPF, DKIM, and DMARC have been criticized by security experts for being too porous for sophisticated email attack vectors because they can only protect users from the threats against which they were designed to protect, making them easy for attackers to circumvent using cloud-based services.
BEC attacks, which emerged about 10 years ago, remain a popular method of phishing because of their relative simplicity — yet they remain a highly effective way to get email users to hand over credentials that can provide a payday for cybercriminals.
Attackers continue to hone strategies and leverage new technology — such as Google Looker Studio in this case — to create convincing and creative attacks that will pique user interest and get them to follow along with attack lures to give up credentials.
Because the campaign observed by Check Point uses the legitimate Google app and domain to disguise its malicious attempt, the researchers recommend that enterprises adopt the increasingly common artificial intelligence (AI)-powered security technology capable of analyzing and identifying numerous phishing indicators to proactively thwart complex BEC attacks.
Organizations also should deploy a comprehensive security solution that includes document- and file-scanning capabilities, Fuchs advised, and they should employ a robust URL protection system that conducts thorough scans and emulates webpages for enhanced security.