Unlimited phishing pages through Google App Engine

October 11, 2020
unlimited phishing pages google app engine antiphishing soft routing

The latest discovered technique that can be abused to create and deliver phishing pages and financial malware while avoiding leading enterprise-grade security products was found by a cybersecurity researcher using Google App Engine domains.

Google App Engine is a cloud service platform for developing and deploying web applications on Google’s servers.

There are phishing campaigns that leverage enterprise cloud domains, so the technique is not new. So, the factor that made Google App Engine infrastructure a significant risk is how subdomain is generated and routed.

Usually, these cyber scammers would use cloud services and hosting to create applications embedded with malicious scripts. They also host phishing pages and use C2 (Command and Control) servers as the source, recipient, or destination URL of the malware payload. The typical URL structures are generated in a manner that is easy to filter, block, and monitor by enterprise-grade malware scanners and security products whenever the need arises. A cybersecurity administrator or profession could control a particular application’s access and network traffic coming from a subdomain.

In the situation of Google App Engine, it has become a bit more complicated.

A researcher has demonstrated the use of Google’s appspot.com domain, which hosts the app engine’s apps. The app’s typical URL structure represents the apps Version, Service Name, Project ID, and Region ID – ‘VERSION – dot – SERVICE – dot – PROJECT_ID.REGION_ID.r.appspot.com’. The most critical to note here is that whenever a field on the URL structure is typed incorrect, Google App Engine will display the app’s default page, a networking concept called Soft Routing.

Ultimately this means that there can be many permutations of subdomains to get to the attacker’s malicious hosted application. The variation of invalid subdomains can now be used by the scammer to generate a long list of links and URLs for malicious activities that essentially points to a single malicious app. An available malicious app that is represented by unlimited numbers of URL Subdomains makes it harder for systems administrators and security professionals to block malicious activities.

Furthermore, all these subdomains will appear Verified by Google Trust Services.


After all, the domain appspot.com that hosts the Google App Engine and all its subdomains come with the seal of Google Trust Services on their SSL Certificate.


A Security Engineer, Yusuke Osumi, has tweeted an example of the phishing attack on how a Microsoft phishing webpage was exploiting the flaw of the design. He compiled a list of more than 2000 subdomain permutations generated dynamically by the app, leading to the phishing page.


google app engine twitter phishing pages


This phishing campaign is currently active as scammers, and cyber attackers continue to exploit the subdomain design flaw of Google App Engine. We advise users to remain vigilant, especially when a web application asks for your email and domain credentials.

About the author

Leave a Reply