
Check Point Research has uncovered a sophisticated phishing campaign leveraging Google Firebase to host fraudulent pages mimicking legitimate services. By abusing Firebase’s trusted domains (*.web.app or *.firebaseapp.com), attackers evade traditional security filters, increasing the success rate of credential theft. This tactic highlights the growing trend of exploiting reputable platforms for malicious purposes.
Executive Summary (For CISOs)
Attackers are embedding phishing links within compromised email threads, directing victims to Firebase-hosted fake login pages. The campaign primarily targets the U.S. (53%), EU (23%), Middle East (22%), and Asia-Pacific (15%). Key risks include data breaches, financial losses, and reputational damage. Immediate mitigation requires multifactor authentication (MFA) and advanced email security solutions.
Attack Mechanics
Firebase Exploitation
Firebase’s free hosting and SSL-enabled domains provide attackers with a stealthy infrastructure. Examples include cloned Microsoft 365 and DHL login pages. Victims are lured via emails that appear legitimate due to Firebase’s association with Google.
Social Engineering Tactics
Attackers hijack existing email threads from logistics or financial service providers, inserting malicious links like https://[random].web.app/login. This contextual manipulation increases click-through rates.
Detection and Mitigation
For Security Teams (Blue Team/SOC)
Monitor traffic to *.web.app or *.firebaseapp.com domains. Implement SIEM rules to flag anomalous access patterns. Example Splunk query:
index=network (http_host="*.web.app" OR http_host="*.firebaseapp.com")
| stats count by src_ip, http_host
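The same monitoring idea as an offline triage script, added here as an example and not taken from Check Point's research: it matches Firebase Hosting subdomains by exact suffix, skips sanctioned apps, and raises severity when a client POSTs to a login-like path. The log format, the allowlist entry, the login keywords and all sample lines are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

FIREBASE_SUFFIXES = (".web.app", ".firebaseapp.com")
# Assumption: Firebase apps the organisation actually uses (hypothetical name).
ALLOWLIST = {"corp-portal.web.app"}
LOGIN_HINTS = ("login", "signin", "verify", "account")

# Constructed sample proxy log: "timestamp src_ip method url"
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.0.5 GET https://corp-portal.web.app/login
2024-05-01T09:00:07Z 10.0.0.8 GET https://qzkxlmwpra.web.app/login
2024-05-01T09:01:10Z 10.0.0.8 POST https://qzkxlmwpra.web.app/login
2024-05-01T09:02:30Z 10.0.0.9 GET https://notfirebaseweb.app/login
2024-05-01T09:03:00Z 10.0.0.7 GET https://docs-demo.firebaseapp.com/index.html
2024-05-01T09:04:00Z 10.0.0.7 GET https://WEB.APP.example.com/login
"""

def firebase_host(url):
    """Return the lower-cased host if it is a Firebase Hosting subdomain, else None."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host if host.endswith(FIREBASE_SUFFIXES) else None

def triage(log_text):
    """Group requests to non-allowlisted Firebase hosts and score each host."""
    hosts = defaultdict(lambda: {"clients": set(), "login_path": False, "posted": False})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _ts, src_ip, method, url = parts
        host = firebase_host(url)
        if host is None or host in ALLOWLIST:
            continue
        entry = hosts[host]
        entry["clients"].add(src_ip)
        path = urlsplit(url).path.lower()
        entry["login_path"] |= any(hint in path for hint in LOGIN_HINTS)
        entry["posted"] |= method == "POST"
    findings = []
    for host, e in sorted(hosts.items()):
        # A POST to a login-like page on an unsanctioned host suggests submitted credentials.
        severity = ("high" if e["login_path"] and e["posted"]
                    else "medium" if e["login_path"] else "low")
        findings.append((host, severity, sorted(e["clients"])))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

Matching on the leading dot keeps look-alike hosts such as notfirebaseweb.app out of the results, which a bare *web.app wildcard would include.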
Check Point Recommendations
1. Enforce MFA for all critical accounts.
2. Deploy advanced email filtering (e.g., Proofpoint).
3. Integrate threat intelligence feeds tracking Firebase abuse.
For Red Teams
Simulate Firebase-based phishing to test organizational resilience. Ethical testing scripts can generate benign Firebase URLs for training:
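import random
import string

# Build a random 10-letter subdomain; the script only prints a URL string for training material.
subdomain = ''.join(random.choices(string.ascii_lowercase, k=10))
print(f"https://{subdomain}.web.app/login")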
Conclusion
This campaign underscores attackers’ adaptability in exploiting trusted platforms. As noted by Eusebio Nieva, Check Point’s Technical Director for Spain and Portugal: “Combining advanced technology with user education is critical to counter these evolving threats.” Proactive monitoring of unconventional domains and continuous security awareness training are essential defenses.