This popular app builder has been hijacked to steal Microsoft account details - here's what we know


  • Cybercriminals abuse Bubble.io no-code platform to host phishing apps
  • Trusted domain bypasses email security, tricking victims into Microsoft 365 credential theft
  • Kaspersky warns technique likely to spread via Phishing-as-a-Service kits, making attacks more dangerous

Cybercriminals have been seen abusing a legitimate AI app builder platform to bypass email security protections and land phishing emails directly into people’s inboxes.

Security researchers at Kaspersky identified the affected program as Bubble.io, a no-code visual programming platform that allows users to create entire web and mobile apps without writing a single line of code. However, this also means attackers can use the drag-and-drop editor, or an AI chatbot, to generate complex JavaScript and frontend structure, embed malicious functionality, and host the resulting website on the bubble.io domain.

They then send phishing emails to their victims, targeting Microsoft 365 accounts. The emails contain a link to the Bubble-hosted app, and because it is hosted on a trusted domain, email security solutions don’t flag it and the message lands in the inbox.


Kaspersky predicts a bright future for the dark technique

The apps themselves often mimic a Microsoft login portal hidden behind a Cloudflare check. Victims who don’t spot the trick end up handing their login credentials to the attackers, who can then use that access to target organizations, steal data, or deploy ransomware.

Given the novelty and the success of this method, Kaspersky believes it is bound to become a lot more popular in the near future. The researchers speculate that many Phishing-as-a-Service (PhaaS) providers will soon start integrating this technique into their phishing kits, especially those used by less-skilled, newbie criminals.

Such platforms are already quite advanced, capable of stealing 2FA codes in transit, defending against analysis through geo-fencing and other methods, and using AI to generate convincing email copy.

By abusing legitimate platforms such as Bubble, these phishing kits will only get better and more dangerous. It is also worth mentioning that abusing legitimate businesses is not a new method by any means - we’ve seen PayPal, Google Tasks, Microsoft Azure Monitor alerts, and many other features used in this way before.

Bubble has not yet responded to media inquiries, and there is no word about the abuse on its website.

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
