"New Phishing Campaign Launched via Google Looker Studio"

Security researchers at Check Point have observed threat actors using Google Looker Studio to create fake crypto pages that are then delivered to the intended victims in emails sent from the legitimate tool itself.  The message contains a link to the fake report, claiming to provide the victim with information on investment strategies that would lead to significant returns.  The researchers noted that the recipient is lured into clicking on the provided link, which redirects to a legitimate Google Looker page, hosting a Google slideshow claiming to provide instructions on how the recipient could receive more cryptocurrency.   The victim is then taken to a login page where they are shown a warning that they need to log into their account immediately or risk losing access to it.  This page, however, is designed to steal the provided credentials.  The researcher's analysis shows that the attack manages to pass email authentication checks that prevent spoofing because the sender's IP address is listed as authorized for a google[.]com subdomain.  Furthermore, it passes checks against the tampering with message contents in transit (DKIM) and DMARC protections because these verifications are automatically made for the domain google[.]com, which also leads to no action being taken if the checks fail.  The researchers stated that an email security service will look at all these factors and have a good deal of confidence that it is not a phishing email and that it comes from Google.  The researchers noted that while these protections will likely fail in this attack, the recipients' vigilance might save the day.  The campaign has been ongoing for several weeks.  The researchers informed Google of these attacks on August 22.  

SecurityWeek reports: "New Phishing Campaign Launched via Google Looker Studio"