Healthcare Under Fire: Phishing Campaign Abusing Google AppSheet, Netlify, and Telegram Targets Hospital Staff and Patients

By MRAdmin

Attackers abuse Google AppSheet, Netlify, and Telegram to steal credentials via fake login pages. In healthcare, this targets hospital staff and patients who use cloud-based portals, risking account takeover and data breaches. No CVEs are linked to the campaign, but its social engineering bypasses traditional defenses.

Attack Mechanism

A sophisticated phishing campaign has been uncovered that abuses three trusted platforms (Google AppSheet, Netlify, and Telegram) to steal credentials. While it was initially reported as targeting Facebook users, the implications for healthcare are severe. Many hospitals and health systems rely on Google AppSheet for custom patient portals, telehealth scheduling apps, and clinical workflow automation. Netlify is commonly used for hosting internal dashboards and patient-facing web apps. Attackers are now weaponizing these very platforms to bypass traditional security filters.

The campaign works as follows: attackers use Google AppSheet to create fake landing pages that mimic legitimate login interfaces, including those for patient portals or clinical systems. Netlify hosts malicious redirects, routing victims through seemingly safe domains. Once a user enters credentials, the stolen data is exfiltrated in real time via Telegram bots, allowing attackers to harvest credentials while evading email security tools. The attackers craft realistic notifications, such as fake security alerts about suspicious login attempts, which could easily be mistaken for hospital IT communications or patient portal updates.

Healthcare Impact

For healthcare organizations, this is particularly dangerous. Hospital staff who reuse passwords across clinical systems, email, and patient portals face cascading breach risks. Patients accustomed to receiving portal notifications may be tricked into entering credentials on lookalike pages. The abuse of trusted platforms like AppSheet and Netlify makes detection challenging because security tools often whitelist these domains. No CVEs are linked to this campaign, as it relies on social engineering and platform abuse rather than software vulnerabilities. Healthcare CISOs and IT teams should enforce multifactor authentication on all clinical and administrative systems, educate staff about verifying login page URLs, and implement threat intelligence to detect anomalous use of legitimate cloud services for credential harvesting.
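The detection idea in the last sentence above, as an added example that is not part of the original article: it correlates, per user, a visit to an AppSheet- or Netlify-hosted page with a POST to the Telegram Bot API host shortly afterwards. The log format, the five-minute window, the sample hostnames, and the premise that the exfiltration request leaves from the victim's browser (and so appears in proxy logs) are assumptions of this example.

```python
from datetime import datetime, timedelta

# Assumption: these suffixes are allow-listed by filters but can serve third-party content.
TRUSTED_HOSTING = ("appsheet.com", "netlify.app")
TELEGRAM_API = "api.telegram.org"   # Telegram Bot API host
WINDOW = timedelta(minutes=5)       # assumed correlation window

# Constructed sample proxy log, sorted by time: timestamp user method host
SAMPLE_LOG = """\
2024-05-01T09:00:02 nurse01 GET www.appsheet.com
2024-05-01T09:00:10 nurse01 GET portal-login-example.netlify.app
2024-05-01T09:00:41 nurse01 POST api.telegram.org
2024-05-01T09:05:00 clerk07 GET dashboard-example.netlify.app
2024-05-01T09:30:00 clerk07 POST api.telegram.org
2024-05-01T10:00:00 admin03 POST api.telegram.org
"""

def parse(line):
    ts, user, method, host = line.split()
    return datetime.fromisoformat(ts), user, method, host.lower()

def on_trusted_hosting(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_HOSTING)

def find_suspect_sessions(log_text, window=WINDOW):
    """Flag POSTs to the Telegram API that follow a trusted-hosting visit by the same user."""
    last_visit = {}   # user -> (timestamp, host) of the most recent trusted-hosting page
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, method, host = parse(line)
        if on_trusted_hosting(host):
            last_visit[user] = (ts, host)
        elif host == TELEGRAM_API and method == "POST" and user in last_visit:
            seen_ts, seen_host = last_visit[user]
            if ts - seen_ts <= window:
                alerts.append({"user": user, "landing": seen_host,
                               "delay_s": int((ts - seen_ts).total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in find_suspect_sessions(SAMPLE_LOG):
        print(alert)
```

Only the first user in the sample is flagged; the other two Telegram requests have no hosted-page visit inside the window, which keeps ordinary Telegram use from alerting on its own.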

Mitigation Steps

Source: Multiple Sources

Additional source: Cyber Security News
