Google Cloud Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/google-cloud/

Google revealed the most powerful DDoS attack in history
https://gridinsoft.com/blogs/google-revealed-the-most-powerful-ddos-attack-in-history/
Sat, 17 Oct 2020 09:51:48 +0000

This week, the Google Cloud team talked about a previously unknown DDoS attack that targeted a Google service back in September 2017 and peaked at 2.54 TB/sec, making it the most powerful recorded attack in history.

Soon, analysts from the Google Threat Analysis Group (TAG) published their report on the incident, in which they said that “government hackers” were responsible for the attack.

According to TAG, the attack came from China, from the networks of four specific providers: ASN 4134, 4837, 58453, and 9394.

The researchers write that 2.54 TB/sec was the culmination of a six-month-long campaign against Google, during which attackers used various attack methods and tried to undermine the company’s server infrastructure. It was not reported which services the hackers were targeting.

“Attackers used multiple networks to spoof 167,000,000 packets per second into 180,000 open CLDAP, DNS and SMTP servers, which then sent huge responses to us. This demonstrates the scale that well-resourced criminals can achieve: four times the record 623 GB/s attack carried out by the Mirai botnet a year earlier [in 2016],” wrote Google engineers.

It is also worth noting that the incident described by Google surpasses even the attack on Amazon that occurred in February 2020, the capacity of which was 2.3 TB/sec. That is, the record for DDoS attacks has once again been broken.


Google experts explain that for a number of reasons they kept the incident secret for several years, but now they decided to make the incident public. The fact is that the Google TAG team wanted to draw attention to the increasing incidence of DDoS attacks from government hackers, as well as to the fact that as the Internet develops, the number and power of such attacks will only continue to increase.

However, since the attack described still holds the record for maximum throughput, confidence in the extrapolation of such statistics is slightly reduced.

Reference: With a DDoS attack, an adversary hopes to disrupt their victim’s service with a flood of useless traffic. While this attack doesn’t expose user data and doesn’t lead to a compromise, it can result in an outage and loss of user trust if not quickly mitigated.

Let me also remind you that the multifunctional Lucifer malware uses many exploits and engages in mining and DDoS attacks.

The post Google revealed the most powerful DDoS attack in history appeared first on Gridinsoft Blog.

Google cloud services are used for phishing
https://gridinsoft.com/blogs/google-cloud-services-are-used-for-phishing/
Wed, 22 Jul 2020 16:30:07 +0000

Attackers, whose main goal is to steal various credentials, are increasingly turning to public cloud services to host decoy files and phishing pages. Even Google services are now being used for phishing.

Check Point experts warn that earlier this year they discovered a campaign that abused Google cloud services. The scammers developed an interesting scheme that includes several legitimate elements to hide the theft of credentials. This tactic makes the attacks much more difficult to detect.

The attack begins with the attackers uploading a malicious PDF document to Google Drive. This document contains a link to a phishing page (allegedly, the content is available only through SharePoint and therefore you need to follow the link).

Figure: PDF decoy

The phishing page itself was hosted at storage.googleapis[.]com/asharepoint-unwearied-439052791/index.html. There, the user was prompted to sign in with Office 365 or corporate email. When the victim selected one of the login options, an Outlook login pop-up appeared.

Interestingly, after entering the credentials, the user actually received a PDF report from a reputable international company. The researchers write that the victims are unlikely to notice such fraud, because the pages are loaded from supposedly legitimate sources and do not arouse suspicion.

Figure: A legitimate report loaded at the last stage of an attack

Only a look at the source code of the phishing page shows that most of the resources are downloaded from the cybercriminals’ site prvtsmtp[.]com.

“It turned out that the attackers are using the Google Cloud Functions service, which allows them to run code in the cloud, and the resources on the phishing page are loaded from Google Cloud Functions without exposing the attackers’ own malicious domains,” Check Point experts write.

Research has shown that prvtsmtp[.]com and many other domains associated with this phishing attack resolve to the same IP address (Ukrainian 31.28.168[.]4) and other addresses in this block.

This allowed experts to trace the activity of these attackers back to 2018, when they acted in a similar way: first, they placed phishing pages directly on a malicious site, and then switched to Azure.

“Hackers are attracted to cloud storage services that we often use and trust, making it much more difficult to detect phishing attacks. Traditional ‘red flags’ of phishing attacks, such as similar domains or websites without certificates, will not help us much anymore,” said Lotem Finkelsteen, a leading threat analyst at Check Point.

Check Point recommends that users of the Google cloud platform, and even AWS and Azure users, be very careful about this trend.

Let me also remind you that GitLab tested its employees: every fifth one fell for phishing.

Practical steps we can all take to stay protected against these opportunistic attacks are:

  • Beware of lookalike domains, spelling errors in emails or websites, and unfamiliar email senders.
  • Be cautious with files received via email from unknown senders, especially if they prompt for a certain action you would not usually do.
  • Ensure you are ordering goods from an authentic source. One way to do this is NOT to click on promotional links in emails, and instead, Google your desired retailer and click the link from the Google results page.
  • Beware of “special” offers. “An exclusive cure for coronavirus for $150” is usually not a reliable or trustworthy purchase opportunity.

Make sure you do not reuse passwords between different apps.

The post Google cloud services are used for phishing appeared first on Gridinsoft Blog.
