Cybersecurity researchers have identified a sophisticated phishing campaign that cleverly exploits trusted platforms like Google Drawings and WhatsApp to evade detection and trick users into divulging sensitive information. The campaign, uncovered by Menlo Security researcher Ashwin Vamshi, leverages these widely recognized services to craft a highly deceptive threat.
The attack begins with a phishing email that directs recipients to a seemingly legitimate Amazon account verification link hosted on Google Drawings. This tactic is particularly effective because it uses a familiar and trusted platform, making it less likely to be flagged by security products or firewalls. “The attackers chose a group of the best-known websites in computing to craft the threat, including Google and WhatsApp to host the attack elements, and an Amazon look-alike to harvest the victim’s information,” Vamshi explained. He described the campaign as a prime example of a Living Off Trusted Sites (LoTS) threat.
One of the key advantages for attackers using Google Drawings is the ability to embed links within the graphics. These links can easily go unnoticed by users, especially when paired with a sense of urgency, such as a supposed threat to their Amazon account. Users who click on the graphic are redirected to a fake Amazon login page. This page is meticulously designed to mimic the real Amazon login, and the redirect to it is obscured by chaining a WhatsApp URL shortener (“l.wl[.]co”) with qrco[.]de, hiding the true destination from users and URL scanners alike.
Once on the fake login page, victims are prompted to enter their credentials, personal information, and credit card details. After capturing this sensitive information, the attackers redirect the victims to the real Amazon login page to avoid suspicion. Additionally, the fake page becomes inaccessible from the same IP address after the credentials have been validated, adding another layer of complexity to the attack.
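A defender-side illustration of the chain described above (Google Drawings entry point, shortener hops, brand look-alike landing page): a small heuristic that scores a resolved redirect chain. This is an added example, not code from Menlo Security or the report; the host lists, the `.example` look-alike domain and the sample chain are constructed, and the registrable-domain helper is a simplification that ignores multi-label public suffixes.

```python
"""Flag redirect chains that hop through trusted sites and shorteners
before landing on a brand look-alike (Living Off Trusted Sites pattern).
All host lists and the sample chain below are constructed for this example."""
from urllib.parse import urlparse

TRUSTED_HOSTS = {"docs.google.com"}            # e.g. Google Drawings
SHORTENERS = {"l.wl.co", "qrco.de"}             # shorteners named in the report
BRAND_DOMAINS = {"amazon": {"amazon.com"}}     # legitimate domains per brand


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _registrable(host: str) -> str:
    # Simplified: keeps the last two labels ("www.amazon.com" -> "amazon.com").
    return ".".join(host.rsplit(".", 2)[-2:])


def lookalike_brand(host: str):
    """Return the brand a host imitates, or None if legitimate or unrelated."""
    for brand, legit in BRAND_DOMAINS.items():
        if brand in host and _registrable(host) not in legit:
            return brand
    return None


def analyze_chain(urls):
    """Score a redirect chain (first URL is the link in the email, last is the landing page)."""
    hosts = [_host(u) for u in urls]
    findings = []
    if hosts and hosts[0] in TRUSTED_HOSTS:
        findings.append("entry on trusted host")
    hops = sum(h in SHORTENERS for h in hosts[1:-1])
    if hops:
        findings.append(f"{hops} shortener hop(s)")
    brand = lookalike_brand(hosts[-1]) if hosts else None
    if brand:
        findings.append(f"final host imitates {brand}")
    # Two or more independent signals is treated as suspicious.
    return {"hosts": hosts, "findings": findings, "suspicious": len(findings) >= 2}


# Constructed chain modelled on the campaign; IDs and the landing domain are placeholders.
SAMPLE_CHAIN = [
    "https://docs.google.com/drawings/d/EXAMPLE-ID/preview",
    "https://l.wl.co/l?u=EXAMPLE",
    "https://qrco.de/EXAMPLE",
    "https://amazon-account-verify.example/login",
]

if __name__ == "__main__":
    print(analyze_chain(SAMPLE_CHAIN))
```

The chain itself must be resolved in a sandbox or URL-detonation service before scoring; the function only reasons about the hostnames it is given.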
This phishing campaign comes amid broader concerns about vulnerabilities in widely used software. Recently, researchers discovered a loophole in Microsoft 365’s anti-phishing mechanisms that can be exploited to bypass the “First Contact Safety Tip.” This tip alerts users when they receive emails from unknown addresses. The method involves using CSS tricks to hide these warnings, making phishing emails appear more legitimate. “The First Contact Safety Tip is prepended to the body of an HTML email, which means it is possible to alter the way it is displayed through the use of CSS style tags,” noted Austrian cybersecurity firm Certitude. This issue, acknowledged by Microsoft, remains unfixed.
The revelation of this novel phishing tactic underscores the continuous evolution of cyber threats. Cybercriminals are increasingly leveraging trusted platforms to carry out their attacks, making it more challenging for traditional security measures to detect and prevent such intrusions. Users should remain vigilant and skeptical of unsolicited emails and links, even when they appear to come from reputable sources.