A security researcher has discovered a new technique that shows how Google App Engine domains can be misused to host phishing pages and deliver malware. The most worrying part is that this can be done without being detected by the best-known security products. Google App Engine is a cloud platform for developing and hosting web applications on Google's servers.
Phishing campaigns that abuse corporate cloud domains are common. With Google App Engine, however, the problem lies mainly in how its subdomains are created.
Unlimited subdomains for an application
In most cases, fraudsters use cloud services to create a malicious application, which is assigned a subdomain. They then host phishing pages there or use the malicious application as a command-and-control (C2) server to deliver malware payloads.
However, the structure of the URLs usually allows corporate security products to detect and block the malicious content. For example, a malicious application hosted on Microsoft Azure can have a URL of the form: https://example-subdomain.app123.web.core.windows.net/…
A security expert could block requests to and from this subdomain so that users cannot visit the dangerous application, without preventing communication with other Microsoft Azure applications that use other subdomains.
When it comes to Google App Engine, though, things are not so simple.
Security researcher Marcel Afrahim showed how the way subdomains are created in Google App Engine could be exploited to use the application infrastructure for malicious purposes without detection.
Google's appspot.com domain, which hosts the applications, has the following structure:
A subdomain in this case does not represent just one application; it encodes the application version, the service name, the project ID and the region ID.
However, if any of these fields is incorrect, Google App Engine does not display a "404 Not Found" page. Instead, it displays the application's "default" page. This behaviour is called soft routing.
"Requests are received by any version that has been configured for traffic in the targeted service. If the service you are targeting does not exist, the request is soft routed," Afrahim states, adding: "If a request matches the PROJECT_ID.REGION_ID.r.appspot.com section of the hostname, but includes a service or version that does not exist, then the request is routed to the default service, which is essentially the default hostname of the application."
According to the experts, this means that there are many variations of subdomains that lead a user to the attackers' malicious application. Since each subdomain contains a valid project ID, the attackers can use invalid values in the other fields to create many subdomains, all of which lead to the same malicious application.
Afrahim showed how the following two URLs, which look different, point to the same application hosted on Google App Engine:
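The soft-routing behaviour above means a blocklist keyed on individual subdomains can never keep up. As an added example, not from the original article or from Afrahim's research, the following Python function collapses any appspot.com hostname to its project ID, using the hostname layout from Google's App Engine documentation, so a proxy or blocklist can key on the application rather than on each variant. All hostnames in the sample are constructed.

```python
import re
from collections import Counter

# Hostname shape of a public App Engine app (from Google's App Engine docs):
#   [VERSION-dot-][SERVICE-dot-]PROJECT_ID.REGION_ID.r.appspot.com
# Legacy form without the region: [VERSION-dot-][SERVICE-dot-]PROJECT_ID.appspot.com
# Soft routing sends unknown version/service prefixes to the default service,
# so only the PROJECT_ID part actually identifies the application.
_LABEL = re.compile(r"^[a-z0-9-]+$")

def appspot_project_id(hostname):
    """Return the project ID behind any appspot.com hostname, or None if the
    hostname is not a syntactically valid App Engine hostname."""
    labels = hostname.lower().rstrip(".").split(".")
    if labels[1:] == ["appspot", "com"]:                  # legacy form
        pass
    elif len(labels) == 5 and labels[2:] == ["r", "appspot", "com"]:
        pass                                              # regional form
    else:
        return None
    segments = labels[0].split("-dot-")                   # [VERSION, SERVICE, PROJECT_ID]
    if len(segments) > 3 or not all(_LABEL.match(s) for s in segments):
        return None
    return segments[-1]

def hosts_per_app(hostnames):
    """Count how many distinct raw hostnames map onto each App Engine project.
    A high count for one project is the signature described in the article."""
    counts = Counter()
    for host in set(hostnames):
        project = appspot_project_id(host)
        if project is not None:
            counts[project] += 1
    return counts

# Constructed sample: hostnames a web proxy might log for a single campaign.
SAMPLE_HOSTS = [
    "login-dot-secure-dot-example-phish.uc.r.appspot.com",
    "v2-dot-mail-dot-example-phish.uc.r.appspot.com",
    "anything-dot-example-phish.uc.r.appspot.com",
    "example-phish.uc.r.appspot.com",
    "docs-dot-example-phish.appspot.com",
    "storage.googleapis.com",   # not an App Engine host, ignored
]

if __name__ == "__main__":
    for project, n in hosts_per_app(SAMPLE_HOSTS).items():
        print(f"{n} distinct hostnames -> project {project}")
```

Blocking on the returned project ID catches every soft-routed variant at once, which a per-subdomain rule cannot.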
Does "verification by Google Services" mean security?
The fact that a user can be led to a malicious application from many different subdomains makes it difficult for sysadmins and security experts to block such activity.
Especially to users without much technical knowledge, these subdomains appear to be a "secure site". In addition, the appspot.com domain and all its subdomains carry the "Google Trust Services" stamp in their SSL certificates, so users consider them genuinely secure. And since most corporate security solutions automatically allow traffic to trusted sites, Google's appspot.com domain is tagged as "Office / Business Applications", bypassing web proxy controls.
Phishing attacks abusing Google App Engine have already been carried out
Osumi also mentioned 2,000 subdomains created by the phishing application, all of which lead to the same phishing page.