Beware: Hackers Use Google Drawings & WhatsApp Links to Steal Data
Menlo Security has uncovered a new phishing campaign that exploits Google Drawings to bypass security systems and deceive users, compelling victims to click on fraudulent links designed to steal sensitive information.
This attack exemplifies the Living off Trusted Sites (LoTS) tactic, in which attackers abuse well-known, widely allowed websites for malicious purposes. Here the lure is routed through two of the most trusted services on the internet, Google and WhatsApp, and victims finally land on a fake Amazon page that harvests their data.
The attack begins with a phishing email directing recipients to an image purportedly containing a link to verify their Amazon account. The image is hosted on Google Drawings, which aids in evading detection.
Leveraging legitimate services gives attackers clear advantages: the infrastructure costs nothing, and traffic to domains such as google.com and whatsapp.com is rarely blocked by URL-reputation filters, web proxies or firewalls, so the lure passes controls that would flag an attacker-registered domain. Google Drawings is particularly appealing in the early stage of the attack because a drawing can carry a hyperlink attached to an image or shape: the recipient sees only a graphic, the link is never shown as text, and a user who believes their Amazon account is under threat is unlikely to hover over the image to inspect where it leads.
Users who click the image to "verify" their account are redirected to a fake Amazon login page. The destination is hidden behind two chained URL shorteners: first WhatsApp's own shortener, l.wl[.]co, and then qrco[.]de. Each hop exposes only the next shortener rather than the phishing page, so a scanner that inspects the link as written sees two reputable domains; only a tool that follows every redirect to the end reaches the fake Amazon page.
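The practical check this implies is to unwrap a shortener chain hop by hop, with the HTTP client forbidden from auto-following redirects, and to judge the landing host rather than the first link. The script below is an added example written for this article, not code from Menlo Security or from the campaign. It resolves a chain with a pluggable fetcher, guards against loops and runaway chains, and flags a landing host that mentions the brand but is not registered under the brand's real domain. The sample chain (`FAKE_WEB`), its path segments and the landing domain `amazon-account.example.net` are constructed placeholders standing in for the l.wl[.]co to qrco[.]de chain described above; the real chain's identifiers are not on the page and are not reproduced here. `http_fetch` is a live fetcher for the same interface, provided for use from an isolated analysis host.

```python
"""Unwrap a chain of URL shorteners hop by hop, without letting the HTTP
library auto-follow redirects, then check where the chain actually lands."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Shortener / trusted-redirect hosts: the two from this campaign plus common ones.
SHORTENER_HOSTS = {"l.wl.co", "qrco.de", "bit.ly", "t.co", "tinyurl.com"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def follow_chain(url, fetch, max_hops=10):
    """Follow redirects one hop at a time.

    `fetch(url)` must return (status_code, location_header_or_None) and must
    NOT follow redirects itself. Returns (chain, stop_reason): chain lists every
    URL visited in order; stop_reason is "landed", "loop" or "hop_limit".
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain, "landed"
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
        chain.append(nxt)
    return chain, "hop_limit"


def registrable_domain(host):
    """Last two labels of a hostname. Enough for this demo; production code
    should use the Public Suffix List (e.g. the publicsuffix2 package)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess(chain, brand_keyword, brand_domain):
    """Summarise a resolved chain and flag a landing host that mentions the
    brand keyword but is not registered under the brand's real domain."""
    hosts = [(urlparse(u).hostname or "").lower() for u in chain]
    landing = hosts[-1]
    return {
        "hops": len(chain) - 1,
        "shorteners": [h for h in hosts if h in SHORTENER_HOSTS],
        "landing_host": landing,
        "brand_lookalike": brand_keyword in landing
        and registrable_domain(landing) != brand_domain,
    }


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, timeout=10):
    """Live fetcher for follow_chain (HEAD request, redirects not followed).
    Use only from an isolated analysis host: this touches attacker
    infrastructure, and some shorteners answer only GET (switch the method)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx as well as 4xx/5xx arrive here
        return err.code, err.headers.get("Location")


# Constructed stand-in for the chain described in the article. The path
# segments and the landing domain are placeholders, not the campaign's values.
FAKE_WEB = {
    "https://l.wl.co/l?u=EXAMPLE": (302, "https://qrco.de/EXAMPLE"),
    "https://qrco.de/EXAMPLE": (302, "https://amazon-account.example.net/ap/signin"),
    "https://amazon-account.example.net/ap/signin": (200, None),
    # two shorteners pointing at each other, to exercise the loop guard
    "https://qrco.de/LOOP": (302, "https://l.wl.co/LOOP"),
    "https://l.wl.co/LOOP": (302, "https://qrco.de/LOOP"),
}


def fake_fetch(url):
    """Offline fetcher with the same contract as http_fetch."""
    return FAKE_WEB.get(url, (200, None))


def resolve_campaign_link():
    chain, reason = follow_chain("https://l.wl.co/l?u=EXAMPLE", fake_fetch)
    return chain, reason, assess(chain, "amazon", "amazon.com")


if __name__ == "__main__":
    chain, reason, verdict = resolve_campaign_link()
    for i, hop in enumerate(chain):
        print(f"{i}: {hop}")
    print(reason, verdict)
```

The point of the injectable `fetch` is that reputation is decided on the last element of `chain`, never on the first; the two shortener hosts in `verdict["shorteners"]` are exactly what a naive scanner would have judged, and both would have passed.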
After the victim enters credentials on the fake login page, four further pages collect additional information in sequence. Each completed page is transmitted to the attacker immediately rather than at the end, so a victim who grows suspicious and abandons the process partway still leaks everything entered up to that point.
Across these pages the kit captures login credentials, personal information and credit card details. Once the data has been stolen, victims are redirected to the legitimate Amazon login page, which makes the episode look like a routine sign-in glitch. As an anti-analysis measure, once credentials have been submitted from an IP address the fake page stops serving that address, so a victim or analyst who later revisits the link from the same address sees nothing to report or examine.