Hackers are abusing Google Looker Studio to host fake crypto-credential pages, part of a growing BEC 3.0 campaign. The attackers rely on legitimate Looker Studio infrastructure and social engineering to steal money and credentials from end users. #LookerStudio #BEC3.0
Keypoints
- Hackers use Google Looker Studio to host credential harvesting crypto sites as part of a BEC 3.0 campaign.
- Attack vector is email, targeting any end-user.
- Emails come from Looker Studio and link to a report promoting investments; clicking leads to a login page to steal credentials.
- The email passes SPF, DKIM, and DMARC checks because it genuinely originates from Google's mail infrastructure, so both the message and the linked report appear legitimate, leveraging Google’s authority.
- Check Point reports over a hundred such attacks in recent weeks and notified Google on Aug 22.
- Defenses include AI phishing indicators, document/file scanning, and robust URL protection with page emulation; Harmony Cloud Email & Collaboration provides protection.
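The core defensive point above is that passing SPF, DKIM and DMARC only attests that Google sent the notification, not that the shared report is benign, so a mailbox rule cannot stop at the authentication verdict. The triage helper below is an added example (not code from Check Point or Google) that shows that distinction: it parses the Authentication-Results header, confirms all three mechanisms passed, and then, when the bounce domain belongs to a content-hosting platform, extracts the report links and routes them for URL emulation instead of trusting them. The only values taken from the summary are the bounce domain data-studio.bounces.google.com and the sender IP 209.85.160.70; the sample message, the From address, the subject line, the report URL and the Looker Studio host names are constructed or assumed for illustration.

```python
"""Triage of platform notification mail where authentication passes (added example).

Authentication results prove who sent the message, not what a user-authored
report contains. Messages from content-hosting platforms therefore get their
links sent to URL emulation even when SPF/DKIM/DMARC all pass.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Bounce domains of platforms whose mail legitimately passes authentication
# while carrying user-authored content, mapped to the hosts that serve that
# content. The bounce domain is from the summary; the report hosts are assumed.
CONTENT_HOSTING_SENDERS = {
    "data-studio.bounces.google.com": {
        "lookerstudio.google.com",
        "datastudio.google.com",
    },
}

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# CONSTRUCTED sample message. Only the bounce domain and the SPF sender IP
# come from the summary; every other header and body value is illustrative.
SAMPLE_MESSAGE = """\
Return-Path: <3abc-report@data-studio.bounces.google.com>
Authentication-Results: mx.example.net;
 spf=pass (sender IP is 209.85.160.70) smtp.mailfrom=data-studio.bounces.google.com;
 dkim=pass header.d=google.com;
 dmarc=pass header.from=google.com
From: Looker Studio <looker-studio-noreply@google.com>
To: user@example.net
Subject: A report was shared with you
Content-Type: text/plain; charset="utf-8"

Someone shared the report "Crypto Yield Dashboard" with you.
Open it here: https://lookerstudio.google.com/reporting/00000000-0000-0000-0000-000000000000
"""


def parse_auth_results(msg):
    """Return {'spf': 'pass', 'dkim': ..., 'dmarc': ...} from Authentication-Results."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mechanism, verdict in AUTH_RE.findall(header):
            results[mechanism.lower()] = verdict.lower()
    return results


def extract_urls(msg):
    """Collect every http(s) URL from the text and HTML parts of the message."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            urls.extend(URL_RE.findall(payload.decode("utf-8", "replace")))
    return urls


def triage(raw_message):
    """Decide whether a message needs URL emulation despite passing authentication."""
    msg = message_from_string(raw_message)
    auth = parse_auth_results(msg)
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    bounce_domain = return_path.rsplit("@", 1)[-1].lower()

    report_hosts = CONTENT_HOSTING_SENDERS.get(bounce_domain, set())
    report_links = [u for u in extract_urls(msg) if urlparse(u).hostname in report_hosts]
    auth_ok = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))

    if not auth_ok:
        verdict = "auth_failed"           # ordinary spoofing; existing controls apply
    elif report_links:
        verdict = "emulate_links"         # sender is genuine, content is not vouched for
    else:
        verdict = "no_action"

    return {
        "verdict": verdict,
        "auth": auth,
        "bounce_domain": bounce_domain,
        "report_links": report_links,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_MESSAGE)
    print(result["verdict"], result["report_links"])
```

The verdict "emulate_links" is the hand-off point to whatever page-emulation or URL-detonation service the mail gateway uses; the helper deliberately does not try to judge the report itself, because the report is ordinary platform content that looks identical to a legitimate share until it is rendered.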
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Link – Attackers send an email containing a link to a Looker Studio report that leads to credential harvesting. ‘This attack starts with an email that comes directly from Google, in this case Google Looker Studio.’
Indicators of Compromise
- [IP Address] Sender IP used in SPF check – 209.85.160.70
- [Domain] Domains involved in authentication checks – data-studio.bounces.google.com, google.com
Read more: https://blog.checkpoint.com/security/phishing-via-google-looker-studio/