New phishing scam uses Google Drawings and shortened WhatsApp links

Aug 08, 2024 | Ravie Lakshmanan | Network Security / Cloud Security

Cybersecurity researchers have discovered a new phishing campaign that leverages Google Drawings and shortened links generated via WhatsApp to evade detection and trick users into clicking on fake links intended to steal sensitive information.

“The attackers chose a group of the most well-known websites in the computer world to create the threat, including Google and WhatsApp to host the attack elements, and an Amazon lookalike to collect the victim’s information,” said Ashwin Vamshi, researcher at Menlo Security. “This attack is a great example of a Living Off Trusted Sites (LoTS) threat.”

The attack’s starting point is a phishing email that directs recipients to an image that appears to be an Amazon account verification link. This image is in turn hosted on Google Drawings, in an attempt to evade detection.

Abusing legitimate services has clear advantages for attackers. Not only is it a cheap solution, but more importantly, it provides a covert way of communicating within networks, since these services are unlikely to be blocked by security products or firewalls.

“Another thing that makes Google Drawings attractive early in the attack is that it allows users (in this case, the attacker) to embed links into their images,” Vamshi said. “Such links can easily go unnoticed by users, especially if they feel a sense of urgency around a potential threat to their Amazon account.”

Users who click on the verification link are redirected to a lookalike Amazon login page. The URL is constructed using two different URL shorteners in turn: WhatsApp (“l.wl(.)co”) followed by qrco(.)de. These provide an additional layer of obfuscation and deceive URL security scanners.

The fake page is designed to collect login credentials, personal information, and credit card details, after which victims are redirected to the original phished Amazon login page. As an additional step, the web page is made inaccessible from the same IP address once the credentials are validated.
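For defenders, the redirect chain described above can be checked in proxy or sandbox click logs. The following Python sketch is an added example, not code from Menlo Security or the article; the `docs.google.com` host, the brand table, the finding names and the sample chains are assumptions constructed for illustration, and only the two shortener hosts come from the article.

```python
from urllib.parse import urlsplit

# Shortener hosts named in the article; extend with your own list.
SHORTENER_HOSTS = {"l.wl.co", "qrco.de"}
# Assumed host for Google Drawings content (not given in the article).
TRUSTED_HOSTS = {"docs.google.com"}
# Assumed brand keyword -> legitimate registered domains.
BRAND_DOMAINS = {"amazon": {"amazon.com"}}


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def is_under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def analyze_chain(hops):
    """hops: ordered URLs of one click, from first URL to final landing page."""
    hosts = [host_of(u) for u in hops]
    findings = []
    run = longest = 0
    for h in hosts:  # longest run of consecutive shortener hops
        run = run + 1 if h in SHORTENER_HOSTS else 0
        longest = max(longest, run)
    if longest >= 2:
        findings.append("chained-shorteners")
    if hosts and hosts[0] in TRUSTED_HOSTS and longest >= 1:
        findings.append("trusted-site-to-shortener")
    final = hosts[-1] if hosts else ""
    for brand, domains in BRAND_DOMAINS.items():
        # Brand keyword in the landing host, but not on the brand's own domain.
        if brand in final and not any(is_under(final, d) for d in domains):
            findings.append(f"lookalike-{brand}")
    return findings


# Constructed sample chains; paths and the landing host are placeholders.
PHISH_CHAIN = [
    "https://docs.google.com/drawings/d/EXAMPLE/preview",
    "https://l.wl.co/EXAMPLE",
    "https://qrco.de/EXAMPLE",
    "https://amazon-verify.example/signin",
]
BENIGN_CHAIN = ["https://qrco.de/EXAMPLE", "https://www.amazon.com/"]
```
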

This revelation comes after researchers discovered a vulnerability in Microsoft 365’s anti-phishing mechanisms that could be exploited to increase the risk of users opening phishing emails.

The method involves using CSS tricks to hide the “First Contact Safety Tip,” which warns users when they receive emails from an unknown address. Microsoft, which has acknowledged the problem, has not yet released a fix.

“The First Contact Safety Tip is added to the body of an HTML email, which means it is possible to change the way it is displayed using CSS style tags,” according to Austrian cybersecurity organization Certitude. “We can take this one step further and spoof the icons that Microsoft Outlook adds to emails that are encrypted and/or signed.”
