Saturday, January 23, 05:08

Google App Engine: Used for phishing campaigns

A security researcher has discovered a technique that shows how Google App Engine domains can be misused to create phishing pages and deliver malware. The most worrying part is that this can be done without being noticed by the best-known security products. Google App Engine is a cloud platform designed for developing and hosting web applications on Google's servers.

Google App Engine

Phishing campaigns that exploit corporate cloud domains are common. As far as Google App Engine is concerned, however, the problem is mainly with how subdomains are created.

Unlimited subdomains for an application

In most cases, fraudsters use a cloud service to create a malicious application, which is assigned a subdomain. They then host phishing pages there, or use the malicious application as a command-and-control (C2) server to deliver malware payloads.

However, the structure of such URLs usually allows corporate security products to detect something malicious and block it. For example, a malicious application hosted on Microsoft Azure services can have a URL of the form: https://example-subdomain.app123.web.core.windows.net/…

A security expert could block requests to and from this subdomain so that users cannot visit the dangerous application. Doing so would not prevent communication with other Microsoft Azure applications that use other subdomains.

When it comes to Google App Engine, though, things are not so simple.

Security researcher Marcel Afrahim showed how the way Google App Engine creates subdomains allows the application infrastructure to be exploited for malicious purposes without detection.

Google's appspot.com domain, which hosts the applications, uses hostnames with the following structure:

VERSION-dot-SERVICE-dot-PROJECT_ID.REGION_ID.r.appspot.com

A subdomain, in this case, does not represent just one application; it carries the application version, the service name, the project ID and the region ID as separate fields.

However, if any of these fields is incorrect, Google App Engine does not return a "404 Not Found" page. Instead, it serves the application's "default" page. This behaviour is called soft routing.

"The requests are received from any version that has been configured for traffic in the targeted service. If the service you are targeting does not exist, the request becomes Soft Routed", says Afrahim, adding: "If a request matches the PROJECT_ID.REGION_ID.r.appspot.com section of the hostname, but includes a service or version that does not exist, then the request is routed to the default service, which is essentially the default hostname of the application."

According to experts, this means there are many subdomain variations that lead a user to the attackers' malicious application. As long as the "project_ID" field is valid, invalid values for the other fields (whatever the attackers choose) can be used to create multiple subdomains, all of which lead to the same malicious application.

Afrahim showed how the following two URLs, which look different, represent the same application hosted on Google App Engine.
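The following is an added example, not code from the article or from Google: it reduces any VERSION-dot-SERVICE-dot-PROJECT_ID.REGION_ID.r.appspot.com hostname to the project-level host that actually answers, so a proxy or blocklist can match on the project rather than on each invented subdomain. The project and region ids in the sample URLs are constructed placeholders.

```python
import re
from typing import Optional, Set
from urllib.parse import urlsplit

# Hostname layout described in the article:
#   VERSION-dot-SERVICE-dot-PROJECT_ID.REGION_ID.r.appspot.com
# Only PROJECT_ID.REGION_ID.r.appspot.com decides which app answers; a wrong
# VERSION or SERVICE label is "soft routed" to the app's default service.
_APPSPOT_RE = re.compile(
    r"^(?P<head>[a-z0-9-]+)\.(?P<region>[a-z0-9-]+)\.r\.appspot\.com$"
)


def canonical_appspot_host(url_or_host: str) -> Optional[str]:
    """Reduce an appspot.com hostname variant to the project-level host that
    serves it. Returns None for hosts that do not use this layout."""
    host = urlsplit(url_or_host).hostname if "://" in url_or_host else url_or_host
    if not host:
        return None
    m = _APPSPOT_RE.match(host.lower())
    if not m:
        return None
    # "-dot-" separates VERSION, SERVICE and PROJECT_ID; the project is always last.
    project_id = m.group("head").split("-dot-")[-1]
    return f"{project_id}.{m.group('region')}.r.appspot.com"


def same_app(url_a: str, url_b: str) -> bool:
    """True when two URLs reach the same App Engine project even though their
    VERSION/SERVICE labels differ (the soft-routing case from the article)."""
    a, b = canonical_appspot_host(url_a), canonical_appspot_host(url_b)
    return a is not None and a == b


def is_blocked(url: str, blocked_projects: Set[str]) -> bool:
    """Proxy-style check: compare the canonical project host, not the full
    subdomain, so invented VERSION/SERVICE labels cannot evade the rule."""
    return canonical_appspot_host(url) in blocked_projects


# Constructed sample URLs (placeholder project "example-proj", region "uc").
SAMPLES = [
    "https://v1-dot-login-dot-example-proj.uc.r.appspot.com/verify",
    "https://20210123t1-dot-secure-dot-example-proj.uc.r.appspot.com/",
    "https://example-proj.uc.r.appspot.com/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", canonical_appspot_host(url))
```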

"Verification by Google Services" means security (?)

The fact that a user can be led to a malicious application from many different subdomains makes it difficult for sysadmins and security experts to block such activity.

To users without much technical knowledge in particular, these subdomains look like a "secure site". In addition, the appspot.com domain and all of its subdomains carry the "Google Trust Services" stamp in their SSL certificates, so users consider them genuinely safe. And since most corporate security solutions automatically allow traffic to trusted sites, Google's appspot.com domain earns an "Office / Business Applications" tag, bypassing the checks of web proxies.

Phishing

Phishing attacks abusing Google App Engine are already happening

According to Bleeping Computer, security specialist and pentester Yusuke Osumi reported a phishing page hosted on an appspot.com subdomain that took advantage of the flaw analysed by Afrahim.

Osumi also noted 2,000 subdomains created by the phishing application. All of the subdomains lead to the same phishing page.


Digital Fortress (https://www.secnews.gr)
