As a free online tool, Google Looker Studio allows users to create reports that can be customized with charts, graphs, and other data points. Once users have prepared their report, they can share it with anyone they desire.
It appears that based on our observations, threat actors are using Google Looker Studio to create fake cryptographic pages which are sent to the intended victims in email attachments that are sent from the legitimate tool itself, as part of the observed attacks.
Using a Web-based tool, Google Looker Studio can convert documents - such as slideshows, spreadsheets, etc. - into information. It can be done in several different ways, including charting and graphing data into usable visuals.
Researchers at Check Point have discovered a botnet campaign known as the business email compromise (BEC) campaign that has been operating over the past several weeks. The campaign uses this tool to build crypto-themed pages in an attack that is socially engineered to look like the actual cryptocurrency.
It has been discovered that attackers send emails that appear to come directly from Google, containing links to unverified reports purporting to be useful for cryptocurrency investors, and encouraging them to click on a link to sign in to their accounts to obtain further information about the reports.
There is a link in the message that leads to the fake report which purports to provide all the information the victim needs on investment strategies that can yield significant returns.
This scam solicits the recipient to click on a link provided to them and be taken to a legitimate Google Looker page which displays a Google slideshow which contains instructions on how to receive more cryptocurrencies from the sender.
A message is displayed to the victim as the user is taken to a login page where a warning has been displayed warning them that unless they log into their account immediately they may lose access to it. Nonetheless, this page has been designed with the intent of stealing the credentials users supply. It is common for cybercriminals to embed the URLs of these websites in their phishing emails, as Looker Studio's reputation for being a legitimate and trustworthy company makes them a good target for email security checks.
Using Google's letterhead, the phishing emails appear to originate from Google and claim to have been sent by the tech giant itself. They inform the recipient that they have won approximately 0.75 Bitcoins ($19,200) by joining the firm's cryptocurrency insights and trading strategies program, as part of which they had the opportunity to participate.
Gmail users are encouraged to follow the embedded link to collect their earnings in the e-mail, which otherwise appears to be well-written.
It has been found in Check Point's analysis that because the sender's IP address is listed as authorized for a subdomain located at google.com, the attack can pass email authentication checks that prevent spoofing.
Using Google's authority to bypass email security scans, the attackers were able to bypass the security scans for emails. They employ several techniques such as fooling Sender Policy Frameworks (SPFs), DomainKeys Identified Mail (DKIMs), and the Domain-based Message Authentication, Reporting, and Conformance (DMARC) frameworks to achieve their end.
With these tactics, phishing emails can go undetected since they are associated with the legitimate domain "google.com", giving them the appearance of being legitimate.
Using cryptographic signatures, DomainKeys Identified Mail (DKIM) verifies the integrity and origin of emails with the use of cryptographic signatures.
In the domain-based Message Authentication, Reporting, and Conformance (DMARC), domain owners can specify specific actions that should be taken when an email message fails an SPF authentication check or a DKIM authentication check.
A BEC attack has been a popular phishing method for many years due to its simplicity and effectiveness. Threat actors continuously adjust their strategies and incorporate new technologies into their attacks to make them more convincing.
Check Point researchers recommend that users adopt AI-driven security technologies capable of analysing various phishing indicators to take a proactive approach to combat sophisticated BEC attacks.
Cyberattacks such as Business Email Compromise (BEC) are a form of cybercrime whereby threat actors impersonate employees or business partners, so they can steal money, and sensitive data, or gain unauthorised access to corporate networks by impersonating employees or business partners.
An email sender is verified as authorized by the Sender Policy Framework (SPF), which is a protocol for authenticating emails.
Despite the growing number of attacks, attackers are continually growing their skill set and leveraging new technology to create more convincing and creative attacks that will pique the interest of users and incite them to follow along and give up their credentials to attack lures.
Google Looker Studio is an example of such technology.
The researchers of the Check Point company advise that businesses adopt increasingly common artificial intelligence (AI)-powered security technologies to protect themselves against complex BEC attacks by analyzing and identifying numerous phishing indicators that can be used by hackers to conceal their malicious intent.
The campaign used a legitimate Google app and domain to disguise its malicious intent.
A comprehensive security solution must be implemented for organizations to increase their level of security, Fuchs advised, including document- and file-scanning capabilities as well as URL protection systems that conduct thorough scans of websites and emulate webpages for a higher level of protection.
