Google: Hackers Use GTFire Phishing Attack to Steal Credentials via Google Services

GTFire Phishing Campaign Exploits Google Services to Steal Credentials

A newly uncovered phishing campaign, dubbed GTFire, is leveraging trusted Google services including Firebase and Google Translate to bypass security defenses and harvest user credentials on a global scale.

Discovered by cybersecurity firm Group-IB, the campaign exploits Google's infrastructure to host malicious login pages and disguise phishing URLs. Attackers use Firebase Hosting's .web.app subdomains, which are commonly associated with legitimate development projects and therefore tend to be allow-listed or scored as benign, to host fake login pages that mimic corporate branding. Meanwhile, Google Translate's website-translation feature acts as a proxy: when a page is opened through it, the target hostname is rewritten into a subdomain of translate.goog, so the link the victim sees (and that email and web security filters inspect) carries a Google-owned domain rather than the attacker's.

The attack follows a multi-step redirection process, making it difficult for security systems to flag malicious activity. Once victims land on the Firebase-hosted phishing page, they are prompted to enter credentials; every submission is answered with another login prompt, so the victim's retries are captured as well and the attacker collects several credential candidates per target. Stolen credentials are Base64-encoded and transmitted via HTTP GET requests to attacker-controlled command-and-control (C2) servers, along with metadata such as the victim's email, location, and browser language. Base64 is an encoding, not encryption: anyone who can see those requests, including a proxy or network sensor, can recover the plaintext, which also makes the exfiltration traffic straightforward to detect.
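The two hosting tricks described above (Translate-proxied links on translate.goog, lookalike login pages on .web.app) and the Base64-in-GET exfiltration can all be triaged from URL logs alone. The following Python script is an added example written for this page, not code from Group-IB or from the campaign; the sample URLs are constructed and are not real indicators. It assumes Google Translate's proxy encodes the original hostname by replacing each "." with "-" and doubling any existing "-" (so www.example-corp.com becomes www-example--corp-com.translate.goog), recovers that origin host, flags .web.app hosts, and decodes any query parameter that is valid Base64 to surface credential-like plaintext.

```python
import base64
import re
from urllib.parse import parse_qsl, urlsplit

TRANSLATE_PROXY_SUFFIX = ".translate.goog"
FIREBASE_SUFFIX = ".web.app"
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

# Constructed sample URLs for the example; none are real campaign indicators.
SAMPLE_URLS = [
    # Victim's brand site opened through the Translate proxy (hyphen in the
    # original host is doubled in the translate.goog label).
    "https://www-example--corp-com.translate.goog/login?_x_tr_sl=auto&_x_tr_tl=en",
    # Lookalike login page on Firebase Hosting.
    "https://acme-sso-portal.web.app/index.html",
    # Exfiltration GET: Base64 username and password plus browser language.
    "https://collector.example.net/p.php?u=dXNlckBleGFtcGxlLmNvbQ==&p=UGFzc3cwcmQh&lang=en-US",
    # Ordinary traffic that should produce no findings.
    "https://www.example.com/news/today",
]


def translate_proxy_origin(host):
    """Return the original hostname behind a translate.goog proxy host, or None.

    Assumption: the proxy label is the origin host with '.' -> '-' and any
    existing '-' -> '--'. A single '-' therefore separates labels while a
    '--' is a literal hyphen inside a label.
    """
    if not host.endswith(TRANSLATE_PROXY_SUFFIX):
        return None
    encoded = host[: -len(TRANSLATE_PROXY_SUFFIX)]
    labels = re.split(r"(?<!-)-(?!-)", encoded)  # split on lone hyphens only
    return ".".join(label.replace("--", "-") for label in labels)


def decode_b64(value):
    """Strictly decode a Base64 query value to printable text, else None.

    Short values are ignored because almost any 2-4 character token is
    valid Base64 and would decode to noise.
    """
    if len(value) < 8:
        return None
    try:
        padded = value + "=" * (-len(value) % 4)
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def triage_url(url):
    """Return a list of (indicator, detail) findings for one URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []

    origin = translate_proxy_origin(host)
    if origin is not None:
        findings.append(("translate_proxy", origin))
    if host.endswith(FIREBASE_SUFFIX):
        findings.append(("firebase_hosting", host))

    # Note: parse_qsl turns '+' into a space, so URL-safe or '+'-containing
    # Base64 would need to be read from the raw query string instead.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = decode_b64(value)
        if decoded is None:
            continue
        kind = "b64_email_param" if EMAIL_RE.fullmatch(decoded) else "b64_text_param"
        findings.append((kind, f"{key}={decoded}"))
    return findings


def triage(urls):
    """Map each URL to its findings; empty list means nothing suspicious."""
    return {url: triage_url(url) for url in urls}


if __name__ == "__main__":
    for url, found in triage(SAMPLE_URLS).items():
        print(url)
        for indicator, detail in found:
            print(f"  {indicator}: {detail}")
```

Run it over exported proxy or DNS/URL logs instead of SAMPLE_URLS; a translate_proxy finding whose recovered origin is one of your own brand domains, or a .web.app host serving a page that posts to a third-party PHP endpoint with Base64 parameters, is the pattern this campaign relies on.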

The campaign employs pre-packaged PHP phishing scripts hosted on LiteSpeed web servers, enabling rapid scaling without custom development for each target. Group-IB's research indicates the operation is highly organized, with stolen data segmented by date, brand, and language.

GTFire highlights the growing trend of threat actors abusing trusted cloud services to evade detection, underscoring the need for organizations to reassess trust models that treat a Google-owned domain, or a hosting platform with a good reputation, as a proxy for safe content.

Source: https://cyberpress.org/gtfire-phishing-steals-credentials/

Google Translate Community cybersecurity rating report: https://www.rankiteo.com/company/google-translate-community

{
  "id": "GOO1772541330",
  "linkid": "google-translate-community",
  "type": "Cyber Attack",
  "date": "3/2026",
  "severity": "60",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}

{
  "attack_vector": "Phishing (via Google Firebase and Google Translate)",
  "data_breach": {
    "data_encryption": "Base64-encoded during transmission",
    "data_exfiltration": "Yes (to attacker-controlled C2 servers)",
    "personally_identifiable_information": "Email, location, browser language",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": "Credentials, personally identifiable information (email, location, browser language)"
  },
  "description": "A newly uncovered phishing campaign, dubbed GTFire, is leveraging trusted Google services including Firebase and Google Translate to bypass security defenses and harvest user credentials on a global scale. The campaign exploits Google's infrastructure to host malicious login pages and disguise phishing URLs. Attackers use Firebase's *.web.app* subdomains to host fake login pages that mimic corporate branding, while Google Translate cloaks phishing links within the *translate.goog* domain to evade detection. The attack follows a multi-step redirection process, prompting victims to enter credentials, with stolen data Base64-encoded and transmitted to attacker-controlled C2 servers.",
  "impact": {
    "data_compromised": "User credentials, metadata (email, location, browser language)",
    "identity_theft_risk": "High"
  },
  "lessons_learned": "Threat actors are increasingly abusing trusted cloud services to evade detection, highlighting the need for organizations to reassess traditional security trust models.",
  "motivation": "Credential harvesting",
  "post_incident_analysis": {
    "root_causes": "Abuse of trusted Google services (Firebase, Google Translate) for phishing, lack of detection for multi-step redirection attacks"
  },
  "references": [{"source": "Group-IB"}],
  "title": "GTFire Phishing Campaign Exploits Google Services to Steal Credentials",
  "type": "Phishing",
  "vulnerability_exploited": "Abuse of trusted cloud services (Firebase, Google Translate)"
}