According to research by Menlo Labs, a company that provides cybersecurity solutions, employees at financial services firms in the United States and the United Kingdom are being targeted by a malicious email campaign.
The researchers revealed that cybercriminals are storing malicious payloads on storage.googleapis.com, the domain of the Google Cloud Storage service. The email campaign might have been active in the United States and United Kingdom since August 2018. The victims received emails containing malicious links to archive files; the links appeared to be genuine and related to Google’s cloud storage service. The research report stated that the attackers used two types of payloads to compromise PCs and endpoints by duping employees into clicking on malicious links.
“The malicious payload was hosted on storage.googleapis.com, the domain of the Google Cloud Storage service that is used by countless companies. Bad actors may host their payloads using this widely trusted domain as a way to bypass security controls put in place by organizations or built into commercial security products. It’s an example of the increased use of “reputation-jacking”—hiding behind well-known, popular hosting services to help avoid detection,” the research noted.
“These attackers may have chosen to use malicious links rather than malicious attachments because of the combined use of email and the web to infect victims with this threat. Many email security products can detect malicious attachments, but identify malicious URLs only if they are already in their threat repositories. To prevent these kinds of blended threats, visibility and correlation across both email and web traffic is essential,” the report added.
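One way to get the email-and-web correlation the report calls for, as an added example that is not from Menlo Labs or the report: flag emailed links to archive files on storage.googleapis.com at the email gateway, then confirm from web-proxy logs whether any recipient actually fetched them. The log formats, field layouts and sample records below are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample data (not from the report): URLs an email gateway extracted
# from inbound mail as (message id, recipient, url), and web-proxy log lines.
EMAIL_LINKS = [
    ("msg-1001", "alice@bank.example", "https://storage.googleapis.com/inv-9a1/invoice_2018.zip"),
    ("msg-1002", "bob@bank.example", "https://docs.google.com/document/d/abc123"),
    ("msg-1003", "carol@bank.example", "https://storage.googleapis.com/rpt-77/statement.rar"),
]
PROXY_LOG = """\
2018-09-03T10:14:02Z alice@bank.example GET https://storage.googleapis.com/inv-9a1/invoice_2018.zip 200
2018-09-03T10:15:11Z bob@bank.example GET https://docs.google.com/document/d/abc123 200
2018-09-03T10:20:45Z dave@bank.example GET https://storage.googleapis.com/pub-1/readme.txt 200
"""

# Trusted hosting domains the report says were abused; extend as needed.
ABUSED_HOSTS = {"storage.googleapis.com"}
ARCHIVE_EXT = re.compile(r"\.(zip|rar|7z|tar|gz)$", re.IGNORECASE)


def is_suspicious(url: str) -> bool:
    """An archive file served from a widely trusted cloud-storage domain."""
    parsed = urlparse(url)
    return parsed.hostname in ABUSED_HOSTS and bool(ARCHIVE_EXT.search(parsed.path))


def flag_emailed(email_links) -> list:
    """Email-stage visibility: message ids whose links look reputation-jacked."""
    return [msg for msg, _user, url in email_links if is_suspicious(url)]


def parse_proxy(log: str):
    """Yield (timestamp, user, url) from the constructed proxy format."""
    for line in log.splitlines():
        ts, user, _method, url, _status = line.split()
        yield ts, user, url


def correlate(email_links, proxy_log: str) -> list:
    """Web-stage confirmation: suspicious emailed links the recipient then fetched."""
    emailed = {(user, url): msg for msg, user, url in email_links if is_suspicious(url)}
    hits = []
    for ts, user, url in parse_proxy(proxy_log):
        msg = emailed.get((user, url))
        if msg:
            hits.append({"user": user, "url": url, "msg_id": msg, "clicked_at": ts})
    return hits
```

Links flagged at the email stage but absent from the proxy log (carol’s here) are candidates for blocking before anyone clicks; correlated hits are the endpoints to triage first.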
Shelker explained that Google’s new step-by-step checkup activates automatically whenever it detects unauthorized activity and directs users through a four-step process: verifying security settings; securing other accounts linked to the Google account; checking financial activity to ensure that no payment methods connected to the Google account were compromised; and reviewing whether any content or files in Gmail or Google Drive were compromised.