CyberSecurity SEE

Attackers Exploit Google Looker Studio to Bypass DMARC and Email Security

A recent cyberattack campaign has highlighted the abuse of Google’s Looker Studio data-visualization tool by cyberthreat actors. These attackers are using the tool to create phishing-lure pages that trick users into giving up their money and credentials. What makes this attack particularly dangerous is that it can bypass email defenses, putting users at risk.

Google Looker Studio is a web-based tool that converts information into visualized data, such as charts and graphs. In this case, the attackers behind the campaign are using the tool to build cryptocurrency-themed pages in a socially engineered attack. They send emails that appear to come directly from Google, offering strategies for cryptocurrency investing and encouraging users to click on a link for more information.

If victims take the bait and click on the link, they are led to a Google Looker page hosting a Google Slideshow. This slideshow provides information on how users can claim more Bitcoin and creates a sense of urgency to direct users to a login page. Unfortunately, this login page is designed to steal the victims’ credentials, giving the attackers access to their accounts.

Researchers at Check Point have observed over a hundred attacks that leverage this vector, and they have already informed Google of the campaign. The success of this attack lies in its ability to deceive email security scans by leveraging Google’s authority. The attackers use a sender IP address listed as an authorized sender for the domain, fooling Sender Policy Framework (SPF) controls. SPF is an email authentication method that prevents email spoofing by specifying which IP addresses or servers are authorized to send emails for a particular domain.

Additionally, the messages pass DomainKeys Identified Mail (DKIM) authentication, which verifies that the email's content has not been altered in transit and that it comes from the domain it claims to be from. The messages also pass inspection by Domain-based Message Authentication, Reporting, and Conformance (DMARC), a policy framework that allows domain owners to specify actions for emails that fail SPF or DKIM. Passing these checks provides a false sense of security: the protocols confirm only that the messages are associated with the google.com domain, not that their content is benign.
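An added example, not from Check Point or this article's source: a Python triage function that reads a message's `Authentication-Results` header and, even when SPF, DKIM and DMARC all pass, routes mail linking to Looker Studio to URL scanning or analyst review. The Looker Studio hostnames, lure keywords, verdict names and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumption: hostnames serving Looker Studio (formerly Data Studio) reports.
LOOKER_HOSTS = {"lookerstudio.google.com", "datastudio.google.com"}
# Assumption: lure vocabulary drawn from the campaign description on this page.
LURE_WORDS = ("bitcoin", "crypto", "investing")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def auth_results(msg):
    """Parse spf/dkim/dmarc verdicts from Authentication-Results headers."""
    found = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            found.setdefault(method.lower(), result.lower())
    return found

def triage(raw):
    """Classify one RFC 5322 message; passing authentication is not a verdict."""
    msg = message_from_string(raw)
    auth = auth_results(msg)
    text = " ".join(part.get_payload(decode=True).decode(errors="replace")
                    for part in msg.walk() if part.get_content_maintype() == "text")
    hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(text)}
    lure = [w for w in LURE_WORDS if w in (msg.get("Subject", "") + " " + text).lower()]
    if any(auth.get(m) != "pass" for m in ("spf", "dkim", "dmarc")):
        verdict = "auth-fail"      # leave to the receiver's DMARC handling
    elif hosts & LOOKER_HOSTS and lure:
        verdict = "escalate"       # authenticated Google mail carrying a lure
    elif hosts & LOOKER_HOSTS:
        verdict = "scan-url"       # hand the link to URL emulation/sandboxing
    else:
        verdict = "deliver"
    return {"verdict": verdict, "auth": auth, "lure": lure}

# Constructed sample messages (not taken from the campaign).
HEADERS = ("Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=google.com;"
           " dkim=pass header.d=google.com; dmarc=pass header.from=google.com\n"
           "From: sender@google.com\n")
LURE_MAIL = HEADERS + ("Subject: Strategies for crypto investing\n\n"
    "Claim more Bitcoin: https://lookerstudio.google.com/reporting/EXAMPLE-ID\n")
REPORT_MAIL = HEADERS + ("Subject: Weekly dashboard\n\n"
    "See https://lookerstudio.google.com/reporting/EXAMPLE-ID\n")
PLAIN_MAIL = HEADERS + "Subject: Lunch\n\nNoon works for me.\n"

if __name__ == "__main__":
    for name, raw in (("lure", LURE_MAIL), ("report", REPORT_MAIL), ("plain", PLAIN_MAIL)):
        print(name, triage(raw))
```

The lure message carries the same three `pass` results as the benign ones, so the only separating signals are the link destination and the message content.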

The use of Google Looker Studio and the legitimacy of the Google app and domain make this campaign particularly effective. To defend against these types of business email compromise (BEC) attacks, Check Point researchers recommend adopting artificial intelligence (AI)-powered security technology capable of analyzing and identifying phishing indicators. This proactive approach can help thwart complex BEC attacks.

In addition to AI-powered security technology, organizations should deploy a comprehensive security solution that includes document- and file-scanning capabilities. It is also crucial to have a robust URL protection system that conducts thorough scans and emulates webpages to enhance security.

BEC attacks have been around for about a decade and remain a popular phishing method due to their simplicity and effectiveness. Cybercriminals continuously refine their strategies and employ new technologies, such as Google Looker Studio, to create convincing and creative attacks. It is essential for individuals and organizations to stay vigilant and employ the necessary security measures to protect themselves from these evolving threats.
