Attackers are using legitimate Google infrastructure to target victims in a new wave of phishing campaigns. Free developer accounts on Google Firebase are being used by scammers to send phony emails that successfully get past conventional security measures.

The Attack's Mechanism

One popular platform for creating web and mobile applications is Google Firebase. It provides a "free tier" that lets developers host small projects and test code for free.

Phishing website (source: Twitter)

According to Palo Alto Networks, cybercriminals are now creating these free accounts in order to send emails and host phishing content. The emails have a high domain reputation since they come from subdomains that end in firebaseapp.com, a domain linked to Google's reliable infrastructure.
This makes it possible for the malicious emails to bypass spam blocklists and reach the victim's primary inbox.

Phishing website (source: Twitter)

Fear and greed are the two main psychological triggers used by the campaign to control its victims.

Scare Tactics: A large number of the detected emails pose as well-known companies or banks. They send urgent alerts about "fraudulent account use," urging the victim to click a link right away in order to fix a fictitious security issue.

High-Grade Attractions: Other emails, on the other hand, lure users in with offers of exclusive giveaways or free, valuable goods. Under the pretense of sending a prize, these are made to steal private information, like login credentials or credit card numbers.

Compromise Indicators (IOCs)

Certain patterns in the sender addresses were brought to light by the investigation.
Random alphanumeric strings linked to the Firebase domain are frequently used in these addresses. Examples of observed senders are:

noreply@pr01-1f199.firebaseapp[.]com
noreply@pro04-4a08.a.firebaseapp[.]com
noreply@zamkksdjauys.firebaseapp[.]com

When a user clicks the email's call-to-action button, they are taken to the final phishing page via a variety of compromised websites or URL shorteners. URLs like the following have been found to contain malicious redirect chains:

hxxps[:]//rebrand[.]ly/auj0ngh
hxxp[:]//clouud.thebatata[.]org/click[.]php?
hxxps[:]//www.servercrowdmanage[.]com/5N98X9F/21NRJNSZ/

This campaign serves as an example of how attackers are "living off the land" by disguising malicious activity through trusted services. Traffic from firebaseapp.com subdomains that do not correspond with known business applications should be closely monitored by security teams.
Even if the technical sender address seems to be hosted on a trustworthy platform, users should be on the lookout for unsolicited emails requesting immediate action.
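
One way to act on the monitoring advice above is to flag mail whose From or Return-Path sits on a firebaseapp.com subdomain that is not a project the organisation uses. This is an added example, not code from the article or from Palo Alto Networks; the allowlist entry `acme-portal` and the sample messages are constructed assumptions.

```python
import email
from email.utils import parseaddr

FIREBASE_SUFFIX = ".firebaseapp.com"
# Assumption: Firebase projects your organisation actually uses (hypothetical name).
KNOWN_PROJECTS = {"acme-portal"}

def refang(ioc: str) -> str:
    """Undo the defanging used in IOC lists (hxxp, [.], [:]) before matching."""
    return (ioc.replace("[. ]", ".").replace("[.]", ".")
               .replace("[:]", ":").replace("hxxp", "http"))

def firebase_project(address: str):
    """Return the label(s) left of firebaseapp.com for a sender address, else None."""
    domain = parseaddr(address)[1].rpartition("@")[2].lower().rstrip(".")
    if not domain.endswith(FIREBASE_SUFFIX):
        return None  # also rejects lookalikes such as firebaseapp.com.evil.example
    return domain[: -len(FIREBASE_SUFFIX)]

def triage(raw_message: str, known=KNOWN_PROJECTS):
    """List (header, project) pairs where the sender is an unrecognised Firebase project."""
    msg = email.message_from_string(raw_message)
    hits = []
    for header in ("From", "Return-Path"):
        project = firebase_project(msg.get(header, ""))
        if project is not None and project not in known:
            hits.append((header, project))
    return hits

# Constructed sample messages; the first sender is one reported in the article.
SAMPLES = [
    "From: Account Alerts <" + refang("noreply@pr01-1f199.firebaseapp[.]com") + ">\n"
    "Subject: Fraudulent account use detected\n\nClick to verify.",
    "From: Acme Portal <noreply@acme-portal.firebaseapp.com>\n"
    "Subject: Your weekly report\n\nHello.",
    "From: IT <helpdesk@firebaseapp.com.evil.example>\nSubject: Reset\n\nHi.",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(triage(raw))
```

The check only covers the Firebase sender pattern; the lookalike domain in the third sample is deliberately left to other controls.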











