The ‘Google App Engine’ Could Be to Blame for Stealthy Phishing Attacks

By Bill Toulas / September 21, 2020

Security researcher Marcel Afrahim has discovered a novel technique that involves the abuse of Google’s App Engine domains to support the operations of phishing or malware campaigns without running the risk of detection. Malicious actors are always looking for possible ways to abuse legitimate and widely trusted cloud service, hosting, and engine vendors, and this case is precisely of this type.

According to the researcher’s report, the issue lies in the way that the Google App Engine generates and handles subdomains. More specifically, a subdomain created with the Google App Engine can represent an app version, the service name, the project ID, the region ID, etc.

When something goes wrong, instead of serving a 404 error, a soft-routing procedure is initiated, redirecting the default page. By abusing this system, one can create many malicious subdomains that always route to the default app page.

legit domain


This creates two distinct problems. First, reporting abuse on a set of these subdomains won’t do much against the actors. Secondly, blocking all malicious subdomains is practically impossible since the URL structures weren’t developed in a way that permits such close-up monitoring and controlling.

av fail


Even if someone was to deploy bots and sophisticated blocking tools, differentiating between the “PROJECT_ID” and “VERSION” URLs would be impossible, let alone the fact that these URLs would be generally considered trustworthy by most security solutions out there.

So, essentially, one could have a large number of URLs, which are all trusted, leading to malware payloads through soft-routing. If the actor was to deploy a Google Drive phishing kit instead of planting malware, they could steal people’s credentials this way.

To make matters worse, phishing actors appear to know all that already, as the security flaw is currently being under active exploitation. The actors are using random characters prefixed to the hostnames, so the process of phishing email distribution is fully automated and quite successful.

Again, reporting these URLs won’t stop the actors, so the only way to plug this hole is to change the way Google’s App Engine works and prevent its abuse.

Read More:

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: