Cybersecurity researchers at Menlo Security have recently uncovered phishing attacks leveraging Google Drawings and shortened links generated through WhatsApp. The aim of such an attack methodology is to evade detection and trick users into accessing malicious links that acquire sensitive information. In this article, we’ll cover these Google Drawings phishing attacks in detail and determine how they are initiated. Let’s begin!
These phishing attacks were initially discovered when researchers identified a loophole in the anti-phishing mechanisms Microsoft 365 has to offer. The loophole could be exploited to increase the risk of users opening phishing emails. To carry out such an attack, threat actors manipulate the CSS of the HTML email.
Doing so allows them to hide the “First Contact Safety Tip”, which alerts users when an email arrives from an unknown email address. As per media reports, the issue has been acknowledged by Microsoft but is not yet fixed. Providing insights pertaining to this technique, Austrian cybersecurity firm Certitude has stated that:
“The First Contact Safety Tip is prepended to the body of an HTML email, which means it is possible to alter the way it is displayed through the use of CSS style tags. We can take this a step further, and spoof the icons Microsoft Outlook adds to emails that are encrypted and/or signed.”
As for the phishing attack chain, cybersecurity researchers have stated that the attackers rely on a group of the best-known websites in computing to develop the threat. Google Drawings and WhatsApp are two examples of such platforms used to host the attack elements.
Apart from this, an Amazon lookalike is used for harvesting sensitive information. The reliance on such trusted platforms is what makes these phishing attacks a notable example of Living Off Trusted Sites (LoTS) threats. The attack begins when a phishing email, linking to a graphic that presents an Amazon account verification link, is sent to victims.
To evade detection, threat actors ensure that the graphic is hosted on Google Drawings. It’s worth mentioning here that tools such as Google Drawings are feasible for threat actors given that they are low-cost and unlikely to be blocked by security products. After clicking on the link, a target user is taken to a lookalike Amazon login page.
The URL for this page has been created using two shorteners as it facilitates evasion and helps avoid detection from URL scanners. The two shorteners used in these phishing attacks include WhatsApp (“l.wl[.]co”) followed by qrco[.]de. When a user arrives on the fake page, it begins to steal sensitive information like credentials or credit card details.
Once the sensitive information has been acquired, the user is redirected to the original Amazon login page that the phishing page imitates. To further strengthen their attempts to avoid detection, threat actors ensure that the malicious page cannot be accessed from the same IP address once the phishing attack is complete.
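The chain described above (Google Drawings graphic, then two shorteners, then a lookalike login page) can be checked for in redirect chains recorded by a mail sandbox or web proxy. The following is an added example, not code from Menlo Security or the original post; the Google Drawings host and path, the brand domain list, and the sample URLs are assumptions or constructed placeholders.

```python
from urllib.parse import urlparse

# Shortener hosts named in the article, kept defanged as published.
SHORTENERS = {s.replace("[.]", ".") for s in ("l.wl[.]co", "qrco[.]de")}
# Assumption: Google Drawings documents are served from this host and path.
DRAWINGS = ("docs.google.com", "/drawings/")
# Assumption: the impersonated brand and the domains it legitimately uses.
BRAND, BRAND_DOMAINS = "amazon", ("amazon.com",)


def parse(url):
    """Refang a URL (e.g. 'qrco[.]de' -> 'qrco.de') and return (host, path)."""
    parts = urlparse(url.replace("[.]", "."))
    return (parts.hostname or "").lower(), parts.path


def is_lookalike(host):
    """Brand name appears in the host, but the host is not a brand domain."""
    legit = any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)
    return BRAND in host and not legit


def analyze_chain(urls):
    """Check one recorded, non-empty redirect chain; urls[0] is the email link."""
    hops = [parse(u) for u in urls]
    first_host, first_path = hops[0]
    shortener_hops = [h for h, _ in hops if h in SHORTENERS]
    result = {
        "starts_on_drawings": first_host == DRAWINGS[0]
        and first_path.startswith(DRAWINGS[1]),
        "shortener_hops": shortener_hops,
        "lands_on_lookalike": is_lookalike(hops[-1][0]),
    }
    # Two different shorteners in one chain is the evasion step described above.
    chained = len(set(shortener_hops)) >= 2
    result["alert"] = chained and (
        result["starts_on_drawings"] or result["lands_on_lookalike"])
    return result


# Constructed sample chains; IDs and the landing domain are placeholders.
SUSPICIOUS = ["https://docs.google.com/drawings/d/EXAMPLE_ID/preview",
              "https://l.wl[.]co/l?u=EXAMPLE", "https://qrco[.]de/EXAMPLE",
              "https://amazon-account-verify.example/signin"]
BENIGN = ["https://qrco[.]de/EXAMPLE", "https://www.amazon.com/gp/help"]

if __name__ == "__main__":
    print(analyze_chain(SUSPICIOUS))
    print(analyze_chain(BENIGN))
```

A single shortener hop to a legitimate brand domain does not alert; the rule fires only when both shorteners appear together with a Drawings origin or a lookalike landing host.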
As phishing threats grow more sophisticated, the use of platforms like Google Drawings and WhatsApp in phishing scams highlights the need for vigilance. Organizations should enhance their security strategies, use proactive measures, and keep their teams informed about these evolving dangers to stay ahead of potential attacks, as doing so can help mitigate risk and improve security posture.
The sources for this piece include articles in The Hacker News and Forbes.
*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/phishing-attacks-google-drawings-and-whatsapp-scam-alert/