Google Services: Phisherman's (New) Friend

Google is almost synonymous with services that are “free”.

But these services are not only free to use for legitimate users. They also offer a way for malicious actors to turbocharge their phishing campaigns.

These free tools can be used to create realistic-looking phishing pages or websites. They can also be used to install malware or ransomware onto victims' computers.

Since these Google services are used every day for personal and work-related tasks, these services are impossible to block. It’s the user that is the last (and often only) line of defense against these attacks.

A recent report by cybersecurity firm ArmorBlox takes a look at several recent phishing attacks and how they utilized Google services.

Google Services Used

While you should check out the ArmorBlox report for full details, here’s a quick rundown of the most commonly-used Google services.

Google Firebase

Google Firebase is a developer platform which allows for the creation and management of mobile and web applications.

Since it’s relatively technical and flexible, phishing attacks using Firebase are often challenging to notice. However, this also means that they are less common – most phishing campaigns will use less sophisticated methods (mentioned below).

The easiest way to recognize one is to look in the URL bar – Firebase applications will have a firebasestorage.googleapis.com URL. It seems basic, but if you’re logging into your bank account, make sure you’re actually on your bank’s website!

Google Sites

A simplistic website builder, Google Sites are served from a sites.google.com domain.

These sites aren’t nearly as custom as the Firebase web applications, but they can come close enough to fool an unsuspecting user. Again, make sure to check your browser bar for the site’s web address. This will give you a good indication of whether the site is legitimate.

Google Forms

Google Forms is a service that any Google user can use to create free online surveys.

These forms only offer minimal styling, so they can look somewhat “generic” and safe. This can fool an inattentive or unknowing user.

By default, these forms will show up on a docs.google.com URL. However, they can also be embedded into other web pages, so the URL shown in your browser bar can’t be relied on 100%. Since you almost certainly know what a Google Form looks like (and they all carry a notice never to submit passwords), if a form looks suspicious, don’t use it!

Google Drive

Google Drive is by far the most popular of these four services.

While Google Drive isn’t often directly used as a way to steal passwords, links within documents can lead to malware.

If you get a Google Drive document which contains external links, make sure you trust the source of the document before you click on any external links.

Phishing Prevention

The easiest way to prevent a phishing attack from being successful is to maintain almost-constant paranoia about links inside your email.

If you get an unexpected email about an online account, don’t click any link in that email. Instead, manually enter the web address into your browser, log in, and take any requested action that way.

This way you sidestep any harmful link.

Users Matter

The challenge is that no web browser, email service, or IT group will block links to Google’s services.

This means that the detection of phishing or otherwise malicious services comes down to individual users. Just like you were taught to be suspicious of downloading unexpected files – if you get any links that you weren’t expecting, make sure you trust the source before you click on anything!
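Blocking these domains outright is not practical, but a mail filter can still label links to them so the user knows the page is user-created content rather than an official site. The sketch below is an added example, not code from the original article or the ArmorBlox report; the function names and the sample message are constructed, and the drive.google.com host is an assumption, since the article names no Drive URL.

```python
import re
from urllib.parse import urlsplit

# (label, host, required path prefix). The first three hosts are the ones the
# article names; drive.google.com is an assumption added for completeness.
RULES = [
    ("Google Firebase", "firebasestorage.googleapis.com", ""),
    ("Google Sites", "sites.google.com", ""),
    ("Google Forms", "docs.google.com", "/forms/"),
    ("Google Drive", "drive.google.com", ""),
]

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def classify_url(url):
    """Return the service label if url is hosted on a listed service, else None."""
    parts = urlsplit(url)
    # .hostname drops any user@ prefix and port, and is already lower-cased.
    host = (parts.hostname or "").rstrip(".")
    for label, rule_host, path_prefix in RULES:
        # Exact host match only, so 'sites.google.com.example.net' is not flagged
        # as Google Sites (it is a different domain entirely).
        if host == rule_host and parts.path.startswith(path_prefix):
            return label
    return None

def flag_links(body):
    """Return [(url, label)] for every link in body that points at hosted content."""
    findings = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;")  # drop sentence punctuation glued to the link
        label = classify_url(url)
        if label:
            findings.append((url, label))
    return findings

# Constructed sample message, not taken from a real campaign.
SAMPLE = """Your mailbox is almost full. Review it here:
https://firebasestorage.googleapis.com/v0/b/example-bucket/o/page.html?alt=media
Survey: https://docs.google.com/forms/d/e/EXAMPLE/viewform.
Unrelated: https://www.google.com/search?q=weather
Lookalike: https://sites.google.com.example.net/portal
"""

if __name__ == "__main__":
    for url, label in flag_links(SAMPLE):
        print(f"[user-created content hosted on {label}] {url}")
```

A flag here means "anyone with a Google account could have built this page", not "this link is malicious"; the lookalike domain in the sample is deliberately left unflagged because it is not a Google host at all and needs a separate check.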