Attackers Abuse Google Looker Studio to Evade DMARC, Email Security

Cyberthreat actors are abusing Google's Looker Studio data-visualization tool to deliver phishing-lure pages that ultimately steal both money and credentials — and skate by email defenses.

Google Looker Studio is a Web-based tool that converts information — slideshows, spreadsheets, etc . —into visualized data, such as charts and graphs. The business email compromise (BEC) campaign, discovered by researchers at Check Point and active over the last several weeks, uses the tool to build cryptocurrency-themed pages in a socially engineered attack. Attackers deliver emails that appear to come directly from Google with links to purported reports that offer strategies for cryptocurrency investing, and encourage users to click on a link to sign in to their account for more info.

"Hackers are using social engineering with a Google domain, designed to elicit a user response and hand over credentials to crypto sites," Jeremy Fuchs, cybersecurity researcher/analyst at Check Point, wrote in a recent blog post.

If victims take the bait they're led to a Google Looker page that hosts a Google Slideshow, informing victims about how they can claim more Bitcoin, which uses a sense of urgency to direct users to a login page that steals their credentials.

Check Point researchers have seen more than a hundred attacks that leverage this vector, and have already informed Google of the campaign, they said.

Fooling Email Security Scans

The attack works because it can successfully dodge technology that scans incoming emails for malicious activity by leveraging Google's authority to dupe various email authentication protocols, Fuchs explained.

Messages, for instance, fool Sender Policy Framework (SPF) controls by using a sender IP address that's listed as an authorized sender for the domain — that is, data-studio.bounces.google.com. SPF is an email authentication method that is designed to prevent email spoofing by specifying which IP addresses or servers are authorized to send emails for a particular domain.

Messages also pass any flags that would arise by alerting the DomainKeys Identified Mail (DKIM) authentication tool, which uses cryptographic signatures to verify that the email's content has not been altered during transit, and that it actually comes from the domain it says it does. Again, the messages pass inspection by this protocol because they are verified for the legitimate domain google.com, Fuchs wrote.

Further, Domain-based Message Authentication, Reporting, and Conformance (DMARC) — a policy framework that allows domain owners to specify what actions should be taken for any emails that fail SPF or DKIM — also passes the messages along because of their association with the google.com domain.

"An email security service will look at all these factors and have a good deal of confidence that it is not a phishing email, and that it comes from Google," Fuchs noted, "because the attack is nested so deep."

Indeed, SPF, DKIM, and DMARC have been criticized by security experts for being too porous for sophisticated email attack vectors because they can only protect users from the threats against which they were designed to protect, making them easy for attackers to circumvent using cloud-based services.

Defending Against BEC Cyberattacks

BEC attacks, which emerged about 10 years ago, remain a popular method of phishing because of their relative simplicity — yet, they remain a highly effective way to get email users to hand over credentials that can provide a payday for cybercriminals.

Attackers continue to hone strategies and leverage new technology — such as Google Looker Studio in this case — to create convincing and creative attacks that will pique user interest and get them to follow along with attack lures to give up credentials.

Because the campaign observed by Check Point uses the legitimate Google app and domain to disguise its malicious attempt, the researchers recommend that enterprises adopt the increasingly common artificial intelligence (AI)-powered security technology capable of analyzing and identifying numerous phishing indicators to proactively thwart complex BEC attacks.

Organizations also should deploy a comprehensive security solution that includes document- and file-scanning capabilities, Fuchs advised, and they should employ a robust URL protection system that conducts thorough scans and emulates webpages for enhanced security.