Check Point Email Security | Blog

Best Buy Spoof Uses Google Storage to Launch Phishing Attack

Written by Jeremy Fuchs | August 11, 2022

Hackers spoof brands all the time. They are usually popular brands, such as Microsoft or Apple.

It’s popular and effective since end-users are used to seeing emails from these companies. When a spoof is done well, it can be difficult to spot.

In this attack, hackers are spoofing Best Buy. Best Buy is another popular spoofed brand. This one is not the most convincing one we’ve seen, as the logos are lacking, and the email isn’t especially convincing. 

What is interesting, however, is the way in which hackers get this spoof into the user’s inbox.

In this attack brief, researchers from Avanan, a Check Point Company, will discuss how threat actors are using Google Storage to host websites that can be used to deploy phishing attacks. 



Attack

In this attack, hackers are using Google Storage to host phishing websites. 

 

  • Vector: Email
  • Type: Credential Harvesting
  • Techniques: Static Expressway
  • Target: Any end-user




Email Example #1

 

In this attack, hackers are trying to spoof Best Buy. They don’t do a tremendous job. Notice how the reply to address is completely off. In the sender field, it should be ‘Best Buy’ not ‘Bestbuy’. The link does not go to a Best Buy page; the address at the bottom is home to a storage unit; Best Buy is headquartered in Minnesota. The link, however, is from a Google Cloud link. Essentially, the hackers have utilized Google’s services to get into the inbox. 

Techniques

Hackers continually leverage legitimate sites to get into the inbox. It has been a theme of many of our recent attack briefs; when hackers can piggyback off established, trusted sites, their attacks are more likely to be seen as legitimate. 

It is perhaps easiest to do this by embedded phishing materials on a trusted page. This includes apps like QuickBooks and PayPal, LucidChart and more. It will have the URL of the legitimate site, so security services will see a known URL and send it to the inbox.

This attack, while not novel, leverages Google Cloud as a hosting site. Most cloud services are legitimate; thus they will be allowed by security services. 

This trend requires security services to rely on more than just static Allow or Block Lists to identify phishing elements in an email. This is where AI and ML come into play. By looking at other factors–sender address, URL, grammar and more–it can be easily deduced that this attack is, in fact, an attack. End-users also play a part. By looking at those telltale signs–like seeing that the reply-to address has “mouse in the house” in the URL, they can make educated decisions.

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

  • Always hover over any link to see the destination URL before clicking on it
  • Always check sender address to see if it matches the expected sender
  • Encourage end-users to ask IT if the email is legitimate or not
  •