Check Point Tracks Phishing Attacks Using Google Looker Studio

Check Point Software Technologies has discovered more than 100 cyberattacks involving Google Looker Studio.

Over 10 million people use the Google Looker family of products. New Check Point research found cybercriminals are using Google Looker Studio, Google Docs and Google Slide for advanced phishing attacks. By infiltrating legitimate Google accounts, these criminals are gaining unprecedented access to users’ sensitive data, all while bypassing traditional security filters, and posing a daunting challenge for end users to detect.

Here’s how the attacks work:

• A cybercriminal creates a Google Looker Studio page.
• The cybercriminal uses Google to send a real notification to the targeted victim, asking them to review or comment. Since the notification comes from the legitimate Google account, it’s not caught by security filters.
• The victim clicks through to look at the page, which looks legitimate.
• Embedded within the Google Looker page is a link that redirects the victim to an external page designed to steal their login credentials and crypto-related information.

Jeremy Fuchs, cybersecurity researcher/analyst at Check Point, said hackers are leveraging Google’s authority.

Check Point’s Jeremy Fuchs

“An email security service will look at all these factors and have a good deal of confidence that it is not a phishing email, and that it comes from Google,” he said.

Google Looker Studio Attacks Usually Aimed at Credential Theft

The goal of these attacks is typically stolen credentials, Fuchs said.

“This could be for email or for any other account,” he said. “Some of these attacks include malware, which come in the form of trojans. However, the majority of attacks are looking at stolen credentials.”

Check Point hasn’t yet seen evidence of successful attacks, Fuchs said.

“It’s not Google tools per se, it’s really any tool where something can be created and be sent directly from the service,” he said. “We’ve seen this from PayPal, QuickBooks and more. The idea is that hackers leverage the legitimacy of the site to have any email be sent directly to the inbox. Because of the legitimacy of the site, it goes straight into the inbox. It’s coming directly from the site, so it’s the real deal. That induces end users to click. That makes these attacks very difficult to stop.”

End-user hygiene is key to organizations and individuals protecting themselves, even if it requires more stringent usage from the employee, Fuchs said.

“It’s always a good idea to look at links both in the email, the URL bar and any URL in the page,” he said. “End-users will notice that, on the final page where credentials are stolen, the URL is not from Google. Another good thing to do is take a minute and look at the context. Are you expecting an email from this service? Do you use Google Looker in your daily business activities? Do you use Bitcoin? Taking an extra step and looking at the context of what’s happening can help prevent an errant click or reply.”