New Phishing Campaign Exploiting Google Drawings and WhatsApp Links to Target Users
Recent investigations by cybersecurity researchers have uncovered a sophisticated phishing campaign that abuses Google Drawings and WhatsApp-shortened URLs to evade detection while harvesting sensitive user data. This approach lets the attackers build convincing, seemingly legitimate traps for unsuspecting users.
According to Ashwin Vamshi, a researcher at Menlo Security, the attack is strategically designed by utilizing reputable platforms like Google and WhatsApp, and it employs a counterfeit Amazon page to gather user credentials. "This incident exemplifies a Living Off Trusted Sites (LoTS) threat," Vamshi noted, highlighting the attackers’ tactic of exploiting well-known websites to lend credibility to their malicious efforts.
At the core of this scheme is a phishing email that misleads recipients into clicking on what appears to be an Amazon account verification link, which is cleverly hosted on Google Drawings. This technique serves to obscure the malicious intent of the operation, making it difficult for security systems to identify it as harmful.
One clear advantage of abusing legitimate services such as Google Drawings is the minimal cost to attackers, combined with a discreet delivery channel that is less likely to be flagged by security controls or firewalls. Vamshi further explained that Google Drawings permits users to embed links within graphics, a feature that recipients can easily overlook, particularly if they feel pressured by a supposed security risk to their accounts.
Once victims are lured into clicking the verification link, they are rerouted to a fake Amazon login page. The malicious URL is shortened in two stages, first with WhatsApp's URL shortener and then with qrco[.]de, adding a further layer of indirection that complicates efforts by security scanners to flag the link as fraudulent.
The fraudulent site is meticulously crafted to extract sensitive information, including login credentials, personal details, and credit card numbers. After this data is gathered, victims are redirected to the legitimate Amazon login page. The ruse is further concealed by making the phishing page inaccessible from any IP address that has already submitted valid credentials, so that a returning victim or an investigator sees nothing suspicious.
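The chain described above (trusted host as the first hop, two shortener hops, then a brand-lookalike landing page) is exactly what a mail-security triage step can look for. The following is an added example written for this article, not code from Menlo Security or the researchers; the redirect table, the `short.example` stand-in for the WhatsApp shortener and the `amazon-verify.example` landing host are constructed for the demo, while `docs.google.com` (the host Google Drawings links use) and `qrco.de` come from the attack as described.

```python
from urllib.parse import urlparse

# Constructed sample standing in for HTTP 301/302 responses so the walk runs
# offline. short.example is an assumed stand-in for the WhatsApp shortener;
# amazon-verify.example is a made-up lookalike landing host.
SAMPLE_REDIRECTS = {
    "https://docs.google.com/drawings/d/EXAMPLE-ID/preview": "https://short.example/abc",
    "https://short.example/abc": "https://qrco.de/EXAMPLE-ID",
    "https://qrco.de/EXAMPLE-ID": "https://amazon-verify.example/ap/signin",
}
TRUSTED_FIRST_HOP = {"docs.google.com"}           # legitimate hosts abused as the lure (LoTS)
SHORTENER_HOSTS = {"short.example", "qrco.de"}    # shortener hosts to count as hops (assumed list)
BRAND_WORDS = ("amazon",)                          # brand names to check in the landing host
BRAND_DOMAINS = {"amazon.com"}                     # registered domains the brand really owns

def follow_chain(url, resolve, max_hops=10):
    """Walk redirects via resolve(url) -> next url or None. Loops and
    over-long chains are cut off so a hostile redirector cannot hang us."""
    chain, seen = [url], {url}
    while len(chain) <= max_hops:
        nxt = resolve(chain[-1])
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain

def registered_domain(host):
    # Naive last-two-label rule; good enough for the demo, a real deployment
    # would use the public suffix list.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def assess_chain(chain):
    """Return the list of indicators found for a fully expanded chain."""
    hosts = [urlparse(u).hostname or "" for u in chain]
    findings = []
    if hosts[0] in TRUSTED_FIRST_HOP and len(chain) > 1:
        findings.append("trusted-site first hop")
    hops = sum(1 for h in hosts if h in SHORTENER_HOSTS)
    if hops >= 2:
        findings.append(f"{hops} shortener hops")
    landing = hosts[-1]
    if any(w in landing for w in BRAND_WORDS) and registered_domain(landing) not in BRAND_DOMAINS:
        findings.append("brand lookalike landing host")
    return findings

def triage(url, resolve=SAMPLE_REDIRECTS.get):
    """Expand a URL found in an email and report its indicators."""
    return assess_chain(follow_chain(url, resolve))
```

In production the resolver would issue HEAD requests with redirects disabled and read the `Location` header; the scoring logic stays the same.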
This campaign comes to light amid recent discoveries of weaknesses in Microsoft 365's anti-phishing protections that could increase users' exposure to phishing email. Certitude, an Austrian cybersecurity firm, identified a weakness in how the "First Contact Safety Tip" is rendered in HTML emails: the tip can be manipulated through CSS styling, potentially deceiving users about the nature of the sender.
The implications of these findings are particularly concerning for business owners, who must remain vigilant against such sophisticated phishing threats. The MITRE ATT&CK framework provides a useful context for understanding the tactics involved: initial access via phishing, and defense evasion by routing the lure through trusted sites, are key elements of the methodology employed by the attackers.
In light of these developments, organizations must bolster their cybersecurity protocols to prevent falling victim to such increasingly complex phishing schemes. With the landscape of cyber threats continually evolving, remaining informed and implementing rigorous security measures is critical for safeguarding sensitive information against opportunistic cyber adversaries.