Cybersecurity researchers have uncovered a phishing campaign that combines Google Drawings with shortened links generated through WhatsApp. The chain is built to evade detection and to trick users into clicking fraudulent links that steal sensitive information.
Ashwin Vamshi, a researcher at Menlo Security, elaborates, “The perpetrators have ingeniously selected a cadre of renowned digital platforms, including Google and WhatsApp, to deploy their malevolent elements, while mimicking Amazon to pilfer victims’ data. This incident epitomizes a Living Off Trusted Sites (LoTS) threat.”
The phishing endeavor initiates with an email that directs recipients to a seemingly authentic graphic, which purports to be an Amazon account verification link. This graphic is deceptively hosted on Google Drawings, an apparent tactic to sidestep detection.
Leveraging genuine services provides notable advantages for cybercriminals, offering not only a cost-effective approach but also a covert communication channel within networks, as these platforms are less likely to be obstructed by security measures or firewalls.
“Google Drawings’ appeal lies in its capacity to embed hyperlinks within graphics,” Vamshi observes. “Such links can easily escape user scrutiny, especially when individuals are under the impression of an imminent threat to their Amazon account.”
Clicking the verification link redirects users to a counterfeit Amazon login page. The redirect passes through two URL shorteners in sequence (WhatsApp’s “l.wl[.]co”, then qrco[.]de) to add a further layer of obscurity and to confound URL security scanners.
The fraudulent page is built to harvest login credentials, personal data, and credit card details, after which victims are redirected to the genuine Amazon login page. To cover their tracks, the operators make the fraudulent page inaccessible from the same IP address once the submitted credentials have been validated.
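The multi-hop shortener chain described above is something a mail gateway or analyst tooling can resolve and score before a user ever clicks. The following is an added example and not code from Menlo Security or from the campaign itself: it follows a redirect chain hop by hop (here against a constructed redirect table rather than live HTTP), records which hops are known shorteners, and flags two indicators the article names: two or more distinct shorteners chained together, and a final host that carries the Amazon brand name without belonging to amazon.com. The shortener list beyond l.wl.co and qrco.de, the `.example` hosts, and the `assess_url`/`resolve_chain` helper names are all assumptions made for the example.

```python
from urllib.parse import urlsplit

# URL shortener hosts. l.wl.co (WhatsApp) and qrco.de are the two named in the article;
# the rest are common shorteners added here as a constructed starting list.
SHORTENER_HOSTS = {"l.wl.co", "qrco.de", "bit.ly", "t.co", "tinyurl.com"}

# Constructed redirect table standing in for live HTTP responses: url -> Location header.
# A real resolver would send requests with redirects disabled and read the Location header.
SAMPLE_REDIRECTS = {
    "https://l.wl.co/l?u=EXAMPLE-TOKEN": "https://qrco.de/EXAMPLE-CODE",
    "https://qrco.de/EXAMPLE-CODE": "https://amazon-verify.example/signin",  # lookalike host
    "https://t.co/EXAMPLE-BENIGN": "https://www.amazon.com/gp/css/homepage.html",
}


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def resolve_chain(url, fetch_location, max_hops=10):
    """Follow redirects hop by hop. fetch_location(url) returns the next URL, or None
    when the response is a final page. Returns (hops, truncated); truncated is True
    when a redirect loop was hit or max_hops was exhausted."""
    hops = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = fetch_location(hops[-1])
        if nxt is None:
            return hops, False
        if nxt in seen:
            return hops, True
        hops.append(nxt)
        seen.add(nxt)
    return hops, True


def is_under(host, domain):
    return host == domain or host.endswith("." + domain)


def assess_chain(hops, brand_domains=("amazon.com",)):
    """Summarise a resolved chain: shortener hops in order, the final host, and two
    indicators: (1) two or more distinct shorteners chained, (2) a final host that
    contains a brand's name without being under that brand's domain."""
    shortener_hops = [host_of(h) for h in hops if host_of(h) in SHORTENER_HOSTS]
    final_host = host_of(hops[-1])
    brand_lookalike = any(
        brand.split(".")[0] in final_host and not is_under(final_host, brand)
        for brand in brand_domains
    )
    chained = len(set(shortener_hops)) >= 2
    return {
        "hops": len(hops),
        "shortener_hops": shortener_hops,
        "final_host": final_host,
        "chained_shorteners": chained,
        "brand_lookalike": brand_lookalike,
        "suspicious": chained or brand_lookalike,
    }


def assess_url(url, fetch_location=SAMPLE_REDIRECTS.get):
    """Resolve and score one URL; defaults to the constructed table so it runs offline."""
    hops, truncated = resolve_chain(url, fetch_location)
    result = assess_chain(hops)
    result["truncated"] = truncated
    return result


if __name__ == "__main__":
    for start in ("https://l.wl.co/l?u=EXAMPLE-TOKEN", "https://t.co/EXAMPLE-BENIGN"):
        print(start, "->", assess_url(start))
```

In a live deployment `fetch_location` would be a function that issues a request with automatic redirects disabled from a dedicated analysis egress and returns the `Location` header. Two caveats follow directly from the article: the resolver only sees HTTP-level redirects, not JavaScript or meta-refresh hops, and because the final page stops answering an IP address that has already submitted credentials, re-fetching from a victim's own egress will not reproduce what the victim saw.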
The disclosure coincides with researchers uncovering a weakness in Microsoft 365’s anti-phishing defenses that could increase the likelihood of users engaging with phishing emails.
The technique uses CSS manipulation to hide the “First Contact Safety Tip,” the warning shown on emails from unfamiliar senders. Microsoft has acknowledged the problem but has yet to provide a fix.
Certitude, an Austrian cybersecurity firm, notes, “The ‘First Contact Safety Tip’ is prefixed to HTML email content, making it susceptible to modification via CSS style tags. This vulnerability extends to the potential spoofing of icons added by Microsoft Outlook to encrypted or signed emails.”
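Because the safety tip is prefixed to the HTML body, a `<style>` block in the message can restyle it. The following is an added example, not code from Certitude or Microsoft: a defender-side check that scans an email's `<style>` blocks for declarations that hide or blank content, and distinguishes rules scoped to the sender's own ids and classes (routine in newsletters, for instance hidden preheaders) from rules on bare element or universal selectors, which also reach any markup a mail client prepends. The exact markup Outlook uses for the tip is not on the page and is not assumed here; the heuristic simply treats broad selectors as able to reach it. Both sample emails and the declaration list are constructed for the example.

```python
import re

# Declarations that can make content invisible (constructed heuristic list).
HIDING_DECLS = [
    re.compile(r"display\s*:\s*none", re.I),
    re.compile(r"visibility\s*:\s*hidden", re.I),
    re.compile(r"font-size\s*:\s*0(?:px|pt|em|rem)?\b", re.I),
    re.compile(r"max-height\s*:\s*0(?:px)?\b", re.I),
    # text colour set to white or transparent; the lookbehind excludes background-color
    re.compile(r"(?<![-\w])color\s*:\s*(?:#fff(?:fff)?\b|white\b|transparent\b)", re.I),
]
STYLE_BLOCK = re.compile(r"<style[^>]*>(.*?)</style>", re.I | re.S)
CSS_RULE = re.compile(r"([^{}]+)\{([^{}]*)\}", re.S)


def is_broad_selector(selector):
    """True when every token is an element or universal selector ('table', 'td, a', '*').
    Such rules reach markup the sender never wrote, including anything a mail client
    prepends to the body; id and class selectors only reach the sender's own elements."""
    tokens = [t for t in re.split(r"[\s,>+~]+", selector.strip()) if t]
    return bool(tokens) and all(re.fullmatch(r"\*|[a-z][a-z0-9]*", t, re.I) for t in tokens)


def find_hiding_rules(html):
    """Return every (selector, declaration) pair that could hide content, tagged with
    whether the selector is broad enough to affect prepended content."""
    findings = []
    for block in STYLE_BLOCK.findall(html):
        css = re.sub(r"/\*.*?\*/", "", block, flags=re.S)  # drop CSS comments
        for selector, body in CSS_RULE.findall(css):
            selector = " ".join(selector.split())
            for decl in body.split(";"):
                decl = decl.strip()
                if decl and any(p.search(decl) for p in HIDING_DECLS):
                    findings.append({"selector": selector, "declaration": decl,
                                     "broad": is_broad_selector(selector)})
    return findings


def email_may_hide_prepended_content(html):
    return any(f["broad"] for f in find_hiding_rules(html))


# Constructed sample: a broad rule that would also hide a banner prepended by the client.
SAMPLE_PHISH_HTML = """<html><head>
<style>
  table { display: none; }   /* reaches every table, not just the sender's own */
  .cta { color: #fff; background: #f90; }
</style></head>
<body><p>Please verify your account.</p></body></html>"""

# Constructed sample: ordinary newsletter CSS whose hiding rule is scoped by class.
SAMPLE_BENIGN_HTML = """<html><head><style>
  #newsletter .footer { font-size: 11px; }
  .hidden-preheader { display: none; }
</style></head><body><p>Monthly update</p></body></html>"""


if __name__ == "__main__":
    for name, html in (("phish", SAMPLE_PHISH_HTML), ("benign", SAMPLE_BENIGN_HTML)):
        print(name, email_may_hide_prepended_content(html), find_hiding_rules(html))
```

The broad/scoped split is what keeps the check usable on real mail flow: flagging every `display: none` would fire on most marketing templates, while a bare `table`, `td` or `*` selector combined with a hiding declaration is rare in legitimate mail and worth a quarantine or a review. The same regex-based scan is deliberately simple; a production gateway would parse the CSS properly and also examine inline `style` attributes.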