Security Experts:

Connect with us

Hi, what are you looking for?



Russian ‘Fancy Bear’ Hackers Abuse Blogspot for Phishing

The cyber espionage group known as Fancy Bear, which is widely believed to be backed by the Russian government, has been abusing Google’s Blogspot service in recent phishing attacks.

The cyber espionage group known as Fancy Bear, which is widely believed to be backed by the Russian government, has been abusing Google’s Blogspot service in recent phishing attacks.

Threat intelligence firm ThreatConnect spotted the use of the blogging service while analyzing attacks aimed at Bellingcat, a group of investigative journalists that uses open source information to report on various events taking place around the world.

Fancy Bear, also known as Pawn Storm, APT28, Sofacy, Sednit, Strontium and Tsar Team, was first seen targeting Bellingcat in 2015 as part of a campaign aimed at entities investigating Russia’s involvement in the downing of Malaysia Airlines flight MH17 in July 2014 as it was crossing a conflict zone in Ukraine.

The latest attacks aimed at Bellingcat involved fake emails instructing users to change their Gmail passwords as a result of unauthorized activity on their account, and Dropbox invitations to view shared folders.

The buttons included in these emails pointed to a randomly generated Blogspot subdomain set up to redirect visitors to a phishing page. The phishing sites used HTTPS and they were hosted on subdomains that may have tricked many individuals into thinking they were legitimate. Experts believe the attackers likely used Blogspot in an effort to get past spam filters.

“A URL hosted on Google’s own systems, in this case Blogspot, may be more likely to get past spam filters than URLs hosted on a third party IP address or hostname,” ThreatConnect researchers said in a blog post.

Fancy Bear is believed to be behind many high profile attacks, including a campaign that may have attempted to interfere in last year’s presidential election in the United States.

Researchers at SecureWorks reported last year that they had identified thousands of Gmail accounts targeted by the hackers. The security firm recently provided the entire list of accounts to The Associated Press, whose reporters have analyzed them in an effort to find who they belong to.

They identified the email addresses of entities in 116 countries, including former U.S. Secretaries of State John Kerry and Colin Powell, NATO Supreme Commanders Air Force Gen. Philip Breedlove and Army Gen. Wesley Clark, defense contractors such as Raytheon and Lockheed Martin, U.S. politicians and intelligence officials, Ukrainian officials and the pope’s representative in Kiev, and Russian opponents of the Kremlin.

Related: Russian Cyberspies Target Hotels in Europe

Related: Russian Hackers Exploit Recently Patched Flash Vulnerability

Related: Russian Hackers Target Montenegro as Country Joins NATO

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.