Welcome to the Google Cloud Security Community blog. We bring you expert perspectives from Googlers and seasoned users, offering the insights you need to effectively utilize and optimize your security tools.
Overview
Welcome back to our series on Actionable Threat Hunting with Google Threat Intelligence! This time, we're going to talk about a huge phishing scam that has been running over the last few months. It's connected to Booking.com, one of the most popular websites for booking hotels. Our main goal here is to show how a single email we received helped us figure out how big this scam really was. We also found some interesting files that seem connected to Telegram messages the threat actors used. And don't worry, we'll share some of our code from Google Colab so you can try this yourself!
One clever thing about this scam is that the threat actors sent messages directly to victims through Booking.com's official website, using the message chats of bookings people had already made. This strongly suggests that the threat actors were somehow able to access this information through a method that is currently unknown.
‘Your reservation is at risk’
If you've recently received an email th
Today’s blog will look at another facet of incorporating data into composite rules. In our previous blog, we extended our rules beyond detections to include events, so that if we have a set of detections of interest but also need an event that is not part of any detection, we can leverage that as well. This time, we are going to take that same concept but leverage data from the entity graph along with our detection.
Entity Graph
The entity graph is a contextual data store within Google Security Operations (SecOps) that stores entities such as assets, users, resources, groups and IOCs. Ingesting this data automatically enriches events, and the entities also remain available within the entity graph to join to events. Additionally, the entity graph contains derived contextual data including prevalence, first and last seen, and metrics associated with risk analytics. Finally, global threat intelligence resources including Safe Browsing, TOR exit nodes, VirusTotal and
No longer relegated to the realm of sci-fi, we’re on the cusp of having AI-powered agents that can act as personal assistants, cybersecurity defenders, or supply-chain specialists. The use cases are many and varied, in many ways limited only by our imaginations as we explore the transition from the generative to the agentic AI era. Sci-fi evangelists and futurists have long imagined an AI that can work and act intelligently with advanced execution capabilities. New developments in agentic AI are making this a reality. With supercharged reasoning and execution, these AI systems are changing how humans and machines interact and work together. The potential is huge, enabling productivity, innovation, and insights. But there are risks to consider, which we delve into further below.
AI agents
We broadly characterize AI agents as software systems that use AI to pursue goals and complete tasks on behalf of users. They show reasoning, planning, and memory
Co-Author: McCall McIntyre
If you’ve been following the evolution of Google Security Operations, you know that we’re dedicated to innovating based on what matters most to you, our customers. Driven by your feedback and the goal of solving the toughest challenges in security operations, our teams have been rapidly shipping new capabilities and expanding our partner ecosystem. Come see us at Black Hat to experience firsthand the powerful features we’ve made generally available to amplify your security operations! Let's explore some of the Google Security Operations GA highlights for 2025:
Data Pipeline Management
Data pipeline management helps you reduce costs and simplify SIEM migration. Our expanded partnership with Bindplane provides the ability to easily filter, transform, and redact your data, preparing it for deeper analysis.
Composite Detections
Composite detections enable you to build sophisticated, multi-stage detection logic. This helps you identify complex attack pat
In today's digital-first world, web properties have become the cornerstone of consumer transactions, demanding seamless user experiences while fending off an ever-evolving landscape of fraud and abuse. Cybercriminals relentlessly target these online touchpoints for illicit financial gain, leading to significant fraud expenses that can quickly erode business margins. Striking the right balance between robust security and a frictionless user journey is paramount for digital commerce. That's why Google commissioned IDC to conduct an in-depth study on the business value of Google reCAPTCHA, our leading solution for protecting against fraud and abuse. The findings are clear and compelling: Google reCAPTCHA delivers substantial financial and operational benefits, with customers achieving an impressive 545% return on investment over three years, and a payback period of just four months.
Unpacking the Value: $5 Million in Annual Benefits
The IDC study, based on extensive data an
Having dissected the network communication, data staging, and exfiltration techniques employed by LUMMAC.V2 in Part 2, we now transition to Part 3.
Extracted configuration data
This configuration is from the LUMMAC.V2 sample https://www.virustotal.com/gui/file/9b5261901aab3f45a0381d39b0f535853fdcae74c7f25121efda70bb89b062e2/detection.

c (Path)                                        c (Masks)   c (Zip Path)          c (Depth)   c (File Size Limit)
%appdata%\Ethereum                              keystore    Wallets/Ethereum      1           20971520
%appdata%\Exodus\exodus.wallet                  *           Wallets/Exodus        2           20971520
%appdata%\Ledger Live                           *           Wallets/Ledger Live   2           20971520
%appdata%\atomic\Local Storage\leveldb          *           Wallets/Atomic        2           20971520
%localappdata%\Coinomi\Coinomi\wallets          *           Wallets/Coinomi       2           20971520
%appdata%\Authy Desktop\Local Storage\leveldb   *
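As an added example (not code from the post, and not the malware's own logic), here is a small Python model of the collection rows above that lets a defender ask which files on a host a sample carrying this configuration would gather, and which directories are worth file-access monitoring. It assumes that the Depth column counts subdirectory levels below the listed path, that the mask is a glob matched against path components below that path, and that the size limit is in bytes (20971520 = 20 MiB); it expands the placeholders against a constructed profile for a hypothetical Windows user named alice, and the truncated Authy row is omitted.

```python
import fnmatch
import ntpath
import re
from dataclasses import dataclass

# Collection rows transcribed from the extracted configuration above:
# (Path, Masks, Zip Path, Depth, File Size Limit). The size limit is
# assumed to be in bytes (20971520 = 20 MiB); the truncated Authy row is left out.
CONFIG_ROWS = [
    (r"%appdata%\Ethereum", "keystore", "Wallets/Ethereum", 1, 20971520),
    (r"%appdata%\Exodus\exodus.wallet", "*", "Wallets/Exodus", 2, 20971520),
    (r"%appdata%\Ledger Live", "*", "Wallets/Ledger Live", 2, 20971520),
    (r"%appdata%\atomic\Local Storage\leveldb", "*", "Wallets/Atomic", 2, 20971520),
    (r"%localappdata%\Coinomi\Coinomi\wallets", "*", "Wallets/Coinomi", 2, 20971520),
]

# Constructed environment for a hypothetical Windows user "alice".
ENV = {
    "appdata": r"C:\Users\alice\AppData\Roaming",
    "localappdata": r"C:\Users\alice\AppData\Local",
}


@dataclass(frozen=True)
class CollectRule:
    root: str        # expanded, lower-cased directory the stealer walks
    mask: str        # glob matched against path components below root
    zip_path: str    # folder inside the exfiltration archive
    depth: int       # assumed: maximum subdirectory levels below root
    size_limit: int  # assumed: bytes; larger files are skipped


def expand_env(path, env=ENV):
    """Replace %name% placeholders case-insensitively; unknown names are kept as-is."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def load_rules(rows, env=ENV):
    """Turn the raw config rows into normalized CollectRule objects."""
    return [
        CollectRule(ntpath.normcase(expand_env(path, env)), mask, zip_path, depth, limit)
        for path, mask, zip_path, depth, limit in rows
    ]


def matching_rule(rules, file_path, file_size):
    """Return the first rule that would collect file_path, or None if it is ignored."""
    fp = ntpath.normcase(file_path)
    for rule in rules:
        root = rule.root.rstrip("\\") + "\\"
        if not fp.startswith(root):
            continue
        parts = fp[len(root):].split("\\")
        if len(parts) - 1 > rule.depth:          # too many levels below root
            continue
        if not any(fnmatch.fnmatch(p, rule.mask) for p in parts):
            continue
        if file_size > rule.size_limit:          # over the per-file limit
            continue
        return rule
    return None


def targeted_roots(rules):
    """Map archive folder -> expanded directory; handy for file-access monitoring."""
    return {rule.zip_path: rule.root for rule in rules}


if __name__ == "__main__":
    rules = load_rules(CONFIG_ROWS)
    for zip_path, root in targeted_roots(rules).items():
        print(f"{zip_path:<22} <- {root}")
    sample = r"C:\Users\alice\AppData\Roaming\Exodus\exodus.wallet\seed.seco"
    print(matching_rule(rules, sample, 4096))
```

Feeding the expanded roots into an EDR or Sysmon file-access rule scoped to processes that are not the wallet applications themselves gives a cheap behavioural signal for this family's collection stage, independent of the sample hash.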
Part 1 meticulously detailed the initial compromise phase of LUMMAC.V2, from its deceptive "ClickFix" delivery to the various execution techniques employed. Building on that foundation, Part 2 now shifts focus to the post-infection activities, specifically delving into the sophisticated network communication LUMMAC.V2 utilizes to interact with its C2 infrastructure and exfiltrate sensitive data from compromised systems.
Network Communication
Once the LUMMAC.V2 payload is delivered and executed on the victim's machine, the malware immediately initiates a series of DNS queries to resolve the domain names of its hard-coded Command and Control (C2) servers. As depicted in the figure below, this process involves persistent querying until a successful resolution is achieved.
Figure 13: DNS requests and TLS handshake by the malware
The malware establishes a TLS v1.2 connection with the resolved IP address. As shown in Figure 14, the Server: Cloudflare header in the HTTP response, along with th
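The "query hard-coded domains until one resolves" behaviour described above is something you can hunt for in resolver logs without knowing the domains in advance. The following is an added example, not tooling from the post: it runs over a constructed log format (timestamp, client, query name, rcode, optional answer), and the domains, addresses and the three-failures-in-sixty-seconds threshold are assumptions chosen for illustration, not campaign indicators.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log, one query per line:
#   <ISO timestamp> <client IP> <query name> <rcode> [<answer>]
# The names and addresses are placeholders, not indicators from the campaign.
SAMPLE_LOG = """\
2025-06-01T10:00:00 10.0.0.5 c2-candidate-a.invalid NXDOMAIN
2025-06-01T10:00:01 10.0.0.5 c2-candidate-b.invalid NXDOMAIN
2025-06-01T10:00:01 10.0.0.5 c2-candidate-c.invalid NXDOMAIN
2025-06-01T10:00:02 10.0.0.5 c2-candidate-d.invalid NXDOMAIN
2025-06-01T10:00:02 10.0.0.5 c2-candidate-e.invalid NOERROR 203.0.113.7
2025-06-01T10:05:00 10.0.0.9 www.example.com NOERROR 192.0.2.10
2025-06-01T10:05:03 10.0.0.9 typo.exmaple.invalid NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (NXDOMAIN|NOERROR)(?: (\S+))?$")


def parse_log(log):
    """Return (timestamp, client, qname, rcode, answer) tuples in time order."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # skip lines that do not fit the constructed format
        ts, client, qname, rcode, answer = m.groups()
        events.append((datetime.fromisoformat(ts), client, qname.lower(), rcode, answer))
    events.sort(key=lambda e: e[0])
    return events


def find_c2_resolution_bursts(log, min_failures=3, window=timedelta(seconds=60)):
    """Flag a client that fails to resolve at least min_failures distinct names
    inside `window` and then receives a successful answer. The resolved name and
    address in the alert are the likely live C2 to pivot on."""
    alerts = []
    recent_failures = defaultdict(list)  # client -> [(ts, qname), ...]
    for ts, client, qname, rcode, answer in parse_log(log):
        # keep only failures that are still inside the sliding window
        recent = [(t, q) for t, q in recent_failures[client] if ts - t <= window]
        if rcode == "NXDOMAIN":
            recent.append((ts, qname))
            recent_failures[client] = recent
            continue
        failed = sorted({q for _, q in recent})
        if len(failed) >= min_failures:
            alerts.append({
                "client": client,
                "resolved": qname,
                "answer": answer,
                "failed_lookups": failed,
                "first_failure": min(t for t, _ in recent).isoformat(),
                "resolved_at": ts.isoformat(),
            })
            recent = []  # do not alert twice on the same burst
        recent_failures[client] = recent
    return alerts


if __name__ == "__main__":
    for alert in find_c2_resolution_bursts(SAMPLE_LOG):
        print(alert)
```

The burst-then-success shape is what separates this from ordinary typo traffic: a single NXDOMAIN after a good lookup (the second client above) never crosses the threshold, while the first client's four failures followed by one resolution do. Tune the threshold and window against your own resolver baseline before turning the alert on.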
We've thoroughly mapped the campaign's vast infrastructure and uncovered its hidden patterns in Part 2, but to truly understand the threat, we need to go beyond the observable network. Part 3 takes us deeper, revealing a remarkable discovery: files that offer a direct look into the threat actors' internal operations, including victim data and their command-and-control mechanisms.
Interesting file identified
So far, we've been able to understand the campaign's scope, various ways to conduct threat hunting, and how to identify new infrastructure. But the next question we asked ourselves was: are there files that interact with any of the URLs we've identified? So we started running different queries in Google Threat Intelligence, and one of them gave an interesting result.
embedded_url:"https://booking.confirmation-"
As a result of the previous query, we found a RAR file that includes the URL hxxps://booking-confirmation.id6151961[.]date/p/360580105 as embedded. It's not exactly the domai
Having thoroughly analyzed the initial attack vectors and the layered infrastructure of this massive Booking.com phishing campaign in Part 1, we now transition from discovery to deeper investigation. In Part 2, we will consolidate the intelligence gathered from both infrastructure tiers, further unveil the threat actors' operational tactics, and demonstrate how this actionable intelligence can be directly applied to fortify your defenses and proactively hunt for similar threats in your own environment.
Analyzing the whole campaign
The different queries we've made can help us create YARA rules to monitor for new activity from this campaign; in fact, at the end of this blog there is a dedicated section for YARA rules. But to better understand the campaign as a whole, it's also good to know other related information: when this activity started, how many of the URLs Google Threat Intelligence's scanning tools identify as malicious, interesting keywords to monitor, and so
In Google Security Operations (SecOps), single-column reference lists have long been the way to include or exclude events in detection rules based on a list of strings, regular expressions, or CIDR ranges. But what if you need to apply more complex logic in your rules, such as filtering events on multiple criteria or enriching events and entities with custom data? We recently launched data tables in public preview to help security teams with these more sophisticated event filtering and enrichment use cases. A data table is made up of named columns (in the first row of the table) and rows of data. Each column must be mapped either to a data type (string, regex, or CIDR) or to a UDM entity field (e.g. entity.user.termination_date.seconds). Specifying a data type for a column lets you use the values in that column to filter events in your rules. Mapping a data table column to an entity field allows you to