EXECUTIVE SUMMARY
Researchers have uncovered a phishing campaign that abuses trusted platforms, Google Drawings and WhatsApp's URL shortener, to slip past security controls and trick users into surrendering sensitive information. The reliance on well-known, trusted services is an instance of a growing trend known as Living Off Trusted Sites (LoTS), in which legitimate platforms are repurposed for malicious ends. This campaign targets Amazon customers with what appears to be an account verification link, hosted on Google Drawings. Because the first hop sits on a Google domain, the lure inherits the trust that users and many security tools place in Google services, so URL reputation checks are unlikely to flag it. That lowers the chance of detection and raises the chance that an unsuspecting user follows the link.
The attack begins with an email that points the recipient to a graphic hosted on Google Drawings, part of the Google Workspace suite, which masquerades as an Amazon account verification notice. The graphic itself is harmless; its value to the attackers is that a docs.google.com link is unlikely to be flagged by security tools. The graphic carries an embedded hyperlink which, when clicked, leads to a fake Amazon login page. That link is obfuscated by passing through two URL shorteners in sequence (the first of them WhatsApp's), so a scanner that only inspects the visible URL never sees the final destination. On the fake Amazon page, victims are walked through several steps that ask in turn for login credentials, personal information, billing details and credit card data. Each stage captures as much as it can and forwards it to the attackers while keeping up the appearance of a legitimate verification process.
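The chain described above, reconstructed as an added example that is not part of the original report: a small Python script that follows each hop of a lure URL offline (a constructed hop map stands in for live HTTP redirects and for the hyperlink embedded in the drawing), counts shortener hops, and checks whether the landing host belongs to the brand the lure claims. The hostnames l.wl.co and qrco.de, the Drawings document ID, the landing domain, the sample email body and the score weights are all assumptions made for illustration.

```python
"""Trace and score a LoTS phishing lure's redirect chain (added example).

The hop map below is CONSTRUCTED to mirror the chain described in the
report: Google Drawings graphic -> two URL shorteners -> non-Amazon
credential page. Every URL, document ID and score weight is an assumption.
"""
import re
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlparse

# Hosts that scanners tend to trust and that the lure is parked on (LoTS).
TRUSTED_HOSTING = {"docs.google.com"}

# URL shorteners. Using l.wl.co (WhatsApp) and qrco.de as the two hops is an
# assumption of this example; extend the set from your own telemetry.
SHORTENERS = {"l.wl.co", "qrco.de", "bit.ly", "tinyurl.com", "t.co"}

# Registrable domains that legitimately serve the impersonated brand.
BRAND_DOMAINS = {"amazon": ("amazon.com", "amazon.co.uk", "amazon.de")}

# Constructed stand-in for live HTTP 3xx Location headers and for the
# hyperlink embedded in the hosted graphic. None of these URLs are real.
CONSTRUCTED_HOPS = {
    "https://docs.google.com/drawings/d/1AbCdEf/preview":
        "https://l.wl.co/l?u=https%3A%2F%2Fqrco.de%2FbX7z",
    "https://l.wl.co/l?u=https%3A%2F%2Fqrco.de%2FbX7z":
        "https://qrco.de/bX7z",
    "https://qrco.de/bX7z":
        "https://amazon-account-verify.example/ap/signin",
}

# Constructed lure email body; the only URL in it is the Drawings link.
CONSTRUCTED_EMAIL = (
    "Your Amazon account is on hold. Verify now:\n"
    "https://docs.google.com/drawings/d/1AbCdEf/preview\n"
)

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(text: str) -> List[str]:
    """Pull every http(s) URL out of a message body."""
    return URL_RE.findall(text)


def next_hop(url: str) -> Optional[str]:
    """Offline resolver: returns the next URL, or None at the landing page."""
    return CONSTRUCTED_HOPS.get(url)


def host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def trace_chain(url: str, resolver: Callable[[str], Optional[str]] = next_hop,
                max_hops: int = 10) -> List[str]:
    """Follow hops until the resolver stops; refuse loops and runaway chains."""
    chain, seen = [url], {url}
    while len(chain) <= max_hops:
        nxt = resolver(chain[-1])
        if nxt is None:
            return chain
        if nxt in seen:
            raise ValueError(f"redirect loop at {nxt}")
        chain.append(nxt)
        seen.add(nxt)
    raise ValueError("too many redirects")


def on_brand(hostname: str, brand: str) -> bool:
    return any(hostname == d or hostname.endswith("." + d)
               for d in BRAND_DOMAINS[brand])


def score_lure(chain: List[str], claimed_brand: str) -> Tuple[int, List[str]]:
    """Heuristic risk score for a link that claims to belong to claimed_brand.
    Weights are illustrative, not taken from the report."""
    score, findings = 0, []
    first, landing = host(chain[0]), host(chain[-1])
    if first in TRUSTED_HOSTING:
        score += 2
        findings.append(f"brand lure parked on trusted third party {first}")
    hops = [host(u) for u in chain[1:] if host(u) in SHORTENERS]
    if hops:
        score += 2 * len(hops)
        findings.append(f"{len(hops)} shortener hop(s): {', '.join(hops)}")
    if not on_brand(landing, claimed_brand):
        score += 5
        findings.append(f"landing host {landing} is not a {claimed_brand} domain")
    return score, findings


def verdict(score: int) -> str:
    return "block" if score >= 7 else "warn" if score >= 3 else "allow"


if __name__ == "__main__":
    for url in extract_urls(CONSTRUCTED_EMAIL):
        chain = trace_chain(url)
        score, why = score_lure(chain, "amazon")
        print(" -> ".join(chain))
        print(verdict(score), score, why)
```

The point of the example is the ordering of checks: the first hop alone scores as benign, and only resolving the whole chain exposes the shortener hops and the off-brand landing host. In production the resolver would issue real requests (with a bounded hop count and a loop check, as here) and the brand list would come from the lure's claimed sender rather than a hard-coded argument.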
This campaign exemplifies the growing challenge of LoTS threats, in which attackers exploit trusted, legitimate platforms to build highly deceptive attacks. By chaining Google Drawings with WhatsApp's URL shortener, the attackers evade detection by traditional security tools and make the threat hard for even careful users to spot. The layered obfuscation and the staged capture of detailed personal and financial information underline how far phishing tooling has matured. User education and training remain important but are not sufficient on their own. Organizations should add security controls that analyse links in real time, resolving the full redirect chain rather than trusting the reputation of the first hop, and apply dynamic risk scoring to block evasive lures. As phishing tactics continue to evolve, defenses must keep pace, which requires continuous adaptation and vigilance.
THREAT PROFILE:
| Tactic | Technique ID | Technique |
|---|---|---|
| Resource Development | T1583 | Acquire Infrastructure |
| Initial Access | T1566 | Phishing |
| Defense Evasion | T1070 | Indicator Removal |
| Defense Evasion | T1562 | Impair Defenses |
| Credential Access | T1110 | Brute Force |
| Credential Access | T1539 | Steal Web Session Cookie |
| Collection | T1074 | Data Staged |
| Collection | T1113 | Screen Capture |
| Exfiltration | T1048 | Exfiltration Over Alternative Protocol |
| Exfiltration | T1567 | Exfiltration Over Web Service |
| Exfiltration | T1020 | Automated Exfiltration |
| Impact | T1485 | Data Destruction |
REFERENCES:
The following reports contain further technical details:
https://thehackernews.com/2024/08/new-phishing-scam-uses-google-drawings.html