Fluxroot, a financially motivated threat actor operating in Latin America, has been observed abusing Google Cloud projects to host phishing pages that harvest account credentials. The activity is one more instance of cloud computing being turned to malicious ends.
According to a report by Google, the flexibility, low cost and ease of use that make its cloud infrastructure attractive to legitimate enterprises also appeal to attackers, who use it to host and communicate with their malware, redirect users to phishing pages, and run malicious scripts written for a serverless environment.
Fluxroot used Google Cloud container URLs, which sit on Google-owned domains and so look trustworthy at a glance, to lure users into entering their credentials for Mercado Pago, an online payment platform widely used in Latin America.
Fluxroot is also known for distributing the Grandoreiro banking trojan, and has previously used Microsoft Azure and Dropbox to deliver its malware.
Besides Fluxroot, another group tracked as PineApple has used Google Cloud infrastructure to distribute the Astaroth (also known as Guildma) malware to users in Brazil. PineApple created container URLs under legitimate Google Cloud domains, such as cloudfunctions[.]net and run[.]app, and used them to redirect victims to the resources that deliver the Astaroth infection.
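The detection problem this creates is that the registrable domain in these URLs belongs to Google, so domain reputation on its own will never flag them; the useful pivot is the per-tenant hostname underneath the suffix. The following script is an added example, not code from Google's report or from either threat actor, that picks such hostnames out of proxy log lines. The log lines, the project names and the `url=` field layout are constructed for the example; the two Google suffixes are the ones named in the report.

```python
import re
from urllib.parse import urlsplit

# Google-operated suffixes under which any Cloud Functions / Cloud Run tenant can
# create a hostname. The registrable domain is Google's, so domain reputation
# alone says nothing about who controls the page behind the URL.
SERVERLESS_SUFFIXES = (".cloudfunctions.net", ".run.app")

URL_FIELD = re.compile(r"\burl=(\S+)")

# Constructed proxy log lines; the project and service names are hypothetical.
SAMPLE_LOG = [
    "2024-07-18T12:01:02Z src=10.0.0.5 url=https://us-central1-pay-notice-7f3a.cloudfunctions.net/go?i=1",
    "2024-07-18T12:01:05Z src=10.0.0.5 url=https://www.example.com/login",
    "2024-07-18T12:02:10Z src=10.0.0.9 url=https://aviso-cliente-abc123-uc.a.run.app/",
    "2024-07-18T12:03:44Z src=10.0.0.7 url=https://run.app.example.org/",
]


def serverless_host(url):
    """Return the tenant hostname if the URL lives under a Google serverless
    suffix, otherwise None. Matching is on the parsed hostname, not on a
    substring of the URL, so 'run.app.example.org' is not a hit."""
    host = (urlsplit(url).hostname or "").lower()
    if host.endswith(SERVERLESS_SUFFIXES):
        return host
    return None


def flag_serverless_urls(log_lines):
    """Return one dict per log line whose URL points at a Cloud Functions or
    Cloud Run hostname, carrying the fields a responder would pivot on."""
    hits = []
    for line in log_lines:
        m = URL_FIELD.search(line)
        if not m:
            continue
        host = serverless_host(m.group(1))
        if host is None:
            continue
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        hits.append({"ts": line.split()[0], "src": fields.get("src"),
                     "host": host, "url": m.group(1)})
    return hits


if __name__ == "__main__":
    for hit in flag_serverless_urls(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['host']}")
```

A hit is not proof of malice, since plenty of legitimate services run on Cloud Run and Cloud Functions; the point is that the tenant hostname, not the Google domain, is the indicator to enrich, block or hunt on, and it can be fed straight into the next step (first-seen age, number of internal sources, redirect target).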
To get past mail gateway protections, the attackers used mail delivery services that did not drop messages failing SPF checks, or manipulated SMTP to cause DNS request timeouts so that the receiver's SPF lookup ended in a temporary error rather than a definitive result, leaving the gateway unable to authenticate the sender (what the report calls authentication confusion).
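The weak spot in both tricks is a gateway policy that only acts on a hard SPF `fail` and delivers everything else, including the `temperror` an induced DNS timeout produces. The following is an added example, not code from Google's report, that contrasts that lenient policy with a fail-closed one over constructed Authentication-Results headers (the domains are hypothetical). A real gateway evaluates SPF during the SMTP transaction rather than from a header; parsing the recorded result keyword stands in for that here.

```python
import re

# RFC 8601 result keywords for the spf method in an Authentication-Results header.
SPF_RESULT = re.compile(r"\bspf=(pass|fail|softfail|neutral|none|temperror|permerror)\b")

# Constructed headers; the domains are hypothetical. The third one is what a
# receiver records when the SPF DNS lookup times out; the last records no check.
SAMPLE_HEADERS = [
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=billing@example.com",
    "Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=billing@example.com",
    "Authentication-Results: mx.example.net; spf=temperror (DNS timeout) smtp.mailfrom=billing@example.com",
    "Authentication-Results: mx.example.net; smtp.mailfrom=billing@example.com",
]


def spf_result(header):
    """Extract the SPF result keyword; a header that records no SPF check
    is treated as 'none'."""
    m = SPF_RESULT.search(header.lower())
    return m.group(1) if m else "none"


def lenient_verdict(header):
    """The weak policy the attackers relied on: only a hard fail is rejected.
    A temperror from an induced DNS timeout, or a missing check, is delivered."""
    return "reject" if spf_result(header) == "fail" else "deliver"


def fail_closed_verdict(header):
    """Hardened policy: only 'pass' is delivered outright. temperror is deferred
    with a 4xx so a legitimate sender retries once DNS recovers while a sender
    forcing timeouts gains nothing; fail and permerror are rejected; softfail,
    neutral and none are quarantined for review rather than delivered."""
    result = spf_result(header)
    if result == "pass":
        return "deliver"
    if result == "temperror":
        return "defer"
    if result in ("fail", "permerror"):
        return "reject"
    return "quarantine"


def compare(headers):
    """Side-by-side verdicts: list of (spf result, lenient, fail-closed)."""
    return [(spf_result(h), lenient_verdict(h), fail_closed_verdict(h))
            for h in headers]


if __name__ == "__main__":
    for result, weak, strong in compare(SAMPLE_HEADERS):
        print(f"spf={result:<10} lenient={weak:<8} fail-closed={strong}")
```

Deferring on `temperror` follows RFC 7208's recommendation to treat it as a transient condition, and it is the behaviour that removes the incentive to induce DNS timeouts in the first place. SPF alone still says nothing about the visible From: header, so the quarantine branch is where a DMARC-aligned check would belong in a fuller policy.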
Google says it has responded by taking down the malicious Google Cloud projects and updating its Safe Browsing lists. That attackers keep turning to cloud services reflects how widely those services have been adopted across industries.