A new wave of Open Redirect phishing campaigns has resurfaced, cleverly exploiting some of the internet’s most trusted platforms, such as Google, WhatsApp, and Amazon, to deceive users. These attacks, exemplified by campaigns like EvilProxy and Browser in the Browser, manipulate user trust by redirecting them from legitimate websites to malicious sites designed to harvest sensitive information.
The attack begins with a seemingly innocent phishing email that prompts recipients to verify their Amazon account. This email contains a link embedded in a graphic that mirrors an Amazon verification request.
However, after further analysis, researchers discovered that this graphic is hosted on Google Drawings, a legitimate part of the Google Workspace suite commonly used for collaborative graphic design.
The platform is typically trusted and is unlikely to be flagged by standard security tools, making it an ideal starting point for attackers.
The graphic contains a ‘Continue Verification’ link that appears to lead to Amazon’s sign-in page. The link is masked with a WhatsApp URL shortener, ‘l.wl.co’, which redirects through a second shortener, ‘qrco[.]de’, before landing on a fraudulent Amazon login page.
Using multiple URL shorteners obfuscates the malicious intent and evades detection by security systems that might otherwise flag suspicious links.
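As an added example (not code from the article or the researchers' report), the following Python resolver unwinds a redirect chain offline and flags the traits a mail gateway could score on in this campaign: several chained shorteners, a landing host outside the brand's real sign-in domains, and a link that originated on a trusted hosting platform. The redirect map, the Amazon host allow-list and the landing domain are constructed assumptions.

```python
from urllib.parse import urlparse

# Shorteners and trusted hosting platform named in the campaign (qrco[.]de written undefanged).
SHORTENERS = {"l.wl.co", "qrco.de"}
TRUSTED_HOSTS = {"docs.google.com"}          # Google Drawings lives under docs.google.com
# Assumed allow-list of hosts where the impersonated brand really signs users in.
BRAND_HOSTS = {"amazon.com", "www.amazon.com"}

# Constructed stand-in for a chain of HTTP 3xx responses; a live resolver would fetch each
# hop in a sandbox and read the Location header instead of consulting this dict.
REDIRECTS = {
    "https://l.wl.co/l?u=abc123": "https://qrco.de/xyz789",
    "https://qrco.de/xyz789": "https://amazon-account-verify.example/signin",
}


def resolve_chain(url, redirects=REDIRECTS, max_hops=10):
    """Return every URL visited, in order, following redirects with a hop limit."""
    chain = [url]
    while chain[-1] in redirects and len(chain) <= max_hops:
        chain.append(redirects[chain[-1]])
    return chain


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def assess_link(url, origin_host=None, brand_hosts=BRAND_HOSTS):
    """Score one link: count shortener hops, compare the landing host with the brand's
    real sign-in hosts, and note when the link was embedded on a trusted platform."""
    chain = resolve_chain(url)
    hosts = [host_of(u) for u in chain]
    shortener_hops = sum(1 for h in hosts if h in SHORTENERS)
    final_host = hosts[-1]
    findings = []
    if shortener_hops >= 2:
        findings.append(f"{shortener_hops} chained URL shorteners")
    if final_host not in brand_hosts:
        findings.append(f"landing host {final_host} is not a known brand sign-in host")
    if origin_host in TRUSTED_HOSTS:
        findings.append(f"link embedded in content hosted on {origin_host}")
    return {"chain": chain, "final_host": final_host, "findings": findings,
            "suspicious": len(findings) >= 2}


if __name__ == "__main__":
    print(assess_link("https://l.wl.co/l?u=abc123", origin_host="docs.google.com"))
```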
Upon clicking the disguised link, victims are taken to a fake Amazon login page, where they are prompted to enter their credentials. This phishing page is meticulously crafted to resemble Amazon’s official site, including various security prompts that ask for personal details like a user’s mother’s maiden name, birthdate, and phone number.
“Such a site is not typically blocked by traditional security tools. Another thing that makes Google Drawings appealing at the beginning of the attack is that it allows users (in this case, the attacker) to include links in their graphics. Such links may easily go unnoticed by users, particularly if they feel a sense of urgency around a potential threat to their Amazon account,” explained researchers.
Researchers discovered that the attack unfolds in multiple steps, with each phase designed to extract increasingly sensitive information from the victim. After the initial credential entry, the victim is taken through several pages purportedly aimed at securing their account.
These pages request billing details, payment methods, and other personal information. The data entered by the user is stealthily transmitted to the attackers via URL paths on a domain that appears legitimate at first glance.
What’s interesting about this attack is that each step is designed so that even if the victim leaves the process halfway, the attackers still gain valuable information. The malicious site asks for comprehensive data, including credit card information, expiration dates, and security codes, making it a highly effective tool for identity theft and financial fraud.
The sophistication of this attack lies in its use of trusted platforms to carry out malicious activities, a strategy known as Living Off Trusted Sites (LOTS). By leveraging the credibility of well-known services like Google and WhatsApp, attackers can bypass traditional security measures that rely on categorisation and reputation scoring.
While user education remains a crucial component of cybersecurity, it is clear that awareness alone is not enough to combat sophisticated threats like these. Researchers have advised users to use threat detection tools to keep their systems and private information safe.