Monday, November 25, 2024

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks


In late October 2024, phishing actors used Google Docs to deliver malicious links that bypassed email and web security controls and redirected victims to fake login pages hosted on Weebly, targeting organizations in the telecommunications and financial sectors.

Financially motivated threat actors exploit Weebly's ease of use and reputation to host phishing pages: because the platform is legitimate and widely used, its domains are rarely blocked outright, which helps the pages survive longer and lets the same infrastructure be reused across sectors.

They use Google Docs to distribute the malicious links, embedding them in shared presentations so that the first hop a victim sees is a trusted Google domain. The links redirect to fake login pages on Weebly that mimic telecommunications and financial-sector platforms and are tailored to specific regions and organizations.


The pages imitate telecom MFA workflows that users already know, so entering a one-time code on the fake page feels routine, and the attackers embed tracking tools on the pages to measure engagement and tune the campaign based on victim data.

US-based telecommunications-institution themed phishing login page.

The attackers used weeblysite.com domains to host phishing pages mimicking industry-specific login screens and linked to them from Google Docs, bypassing security controls to target the financial and telecommunications sectors in EMEA and AMER.

A separate lure targets security professionals by mimicking legitimate cybersecurity training platforms such as PICUS; these pages are designed to compromise business email accounts, and the supporting infrastructure uses dynamic DNS to evade detection and prolong the campaign.

The campaign relies on highly customized lures, including brand-specific themes for AT&T and a US financial institution, to increase user trust and engagement, which shows the attackers' intent to maximize phishing success across several sectors.

Phishing page mimicking Australian bank login

The pages reproduce legitimate MFA workflows with realistic designs to trick users into submitting credentials and one-time codes. Adaptive authentication and randomized challenges make such relayed codes harder to reuse and are important for detecting and thwarting these attacks.

The phishing pages embed legitimate tracking tools such as Snowplow and Google Analytics to monitor victim engagement, collecting detailed data on user interactions, including navigation, clicks, and geolocation.
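The combination described above (a credential-harvesting form, hosting on a free site builder, and embedded analytics) can be checked mechanically when triaging a reported page. The following is an added example written for this article, not code from EclecticIQ's report; the page HTML and URL are constructed, the tracker keywords, the list of free-builder domains and the OTP field-name hints are assumptions, and the function returns the indicators it found rather than relying on any single one.

```python
"""Triage a suspected phishing login page for the indicators the campaign
above combines: a credential-harvesting HTML form, hosting on a free site
builder (Weebly's weeblysite.com), and embedded analytics (Snowplow,
Google Analytics).  Added example, not code from the report; the page
below is constructed, not a sample from the campaign."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

FREE_BUILDER_HOSTS = ("weeblysite.com", "weebly.com")         # assumption
TRACKER_HINTS = {                                             # assumption
    "snowplow": "Snowplow",
    "google-analytics.com": "Google Analytics",
    "googletagmanager.com": "Google Analytics",
}
OTP_FIELD_HINTS = ("otp", "mfa", "passcode", "verification")  # assumption

SAMPLE_URL = "https://telecom-secure-login.weeblysite.com/"   # constructed
SAMPLE_HTML = """<html><head>
<script src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>window.snowplow('newTracker', 'sp', 'collector.example.com');</script>
</head><body>
<form method="post" action="https://collect.example.net/submit.php">
  <input name="phone" type="text">
  <input name="password" type="password">
  <input name="otp_code" type="text">
  <button>Sign in</button>
</form>
</body></html>"""          # constructed page, not a real sample


class _PageParser(HTMLParser):
    """Collects forms (with password/OTP fields) and script sources/bodies."""

    def __init__(self):
        super().__init__()
        self.forms, self.script_text = [], []
        self._form, self._in_script = None, False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": a.get("method", "get").lower(),
                          "password": False, "otp": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            name = a.get("name", "").lower()
            if a.get("type", "").lower() == "password":
                self._form["password"] = True
            if any(h in name for h in OTP_FIELD_HINTS):
                self._form["otp"] = True
        elif tag == "script":
            self._in_script = True
            self.script_text.append(a.get("src", ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:          # inline tracker initialisation
            self.script_text.append(data)


def _host(url):
    return (urlparse(url).hostname or "").lower()


def analyze_page(html, page_url):
    """Return the phishing indicators found on one page."""
    p = _PageParser()
    p.feed(html)
    host = _host(page_url)
    on_free_builder = any(host == h or host.endswith("." + h)
                          for h in FREE_BUILDER_HOSTS)
    cred_forms = []
    for f in p.forms:
        if not f["password"]:
            continue
        # Resolve the submit target; an off-site action is the classic
        # sign that credentials leave the page for a collector elsewhere.
        action = urljoin(page_url, f["action"]) if f["action"] else page_url
        cred_forms.append({"action": action, "method": f["method"],
                           "offsite": _host(action) != host,
                           "asks_otp": f["otp"]})
    blob = " ".join(p.script_text).lower()
    trackers = sorted({label for hint, label in TRACKER_HINTS.items()
                       if hint in blob})
    suspicious = bool(cred_forms) and (
        on_free_builder or any(f["offsite"] for f in cred_forms))
    return {"host": host, "hosted_on_free_builder": on_free_builder,
            "credential_forms": cred_forms, "trackers": trackers,
            "suspicious": suspicious}


if __name__ == "__main__":
    print(analyze_page(SAMPLE_HTML, SAMPLE_URL))
```

Analytics tags alone are not an indicator, since legitimate sites carry the same scripts; they are reported separately so an analyst can see that the page operator is measuring victims, while the verdict rests on a password form that posts off-site or sits on a free builder domain.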

The stolen credentials feed SIM-swapping fraud: by targeting telecom providers such as AT&T and logging into the victim's telecom account dashboard, the criminals can request a SIM swap, after which SMS-based MFA codes for the victim's other accounts are delivered to the attacker.

Burp Suite HTTP POST interception on phishing page

SIM swapping thus lets them bypass SMS-based MFA and take over the victim's accounts. This highlights the weakness of SMS as a second factor and underscores the need for stronger, non-SMS MFA methods, such as authenticator apps or phishing-resistant hardware keys.

The campaign's pages are plain HTML forms mimicking login pages on a free hosting platform (Weebly), combined with dynamic DNS for subdomain rotation, which allows quick deployment, credential theft, and evasion of blocklists that key on a single hostname.
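Because the hostnames rotate, a detection that matches one hostname goes stale quickly; what persists is the pattern of one client reaching several freshly seen subdomains of the same free-hosting parent, often arriving from a Google Docs link. The following detection logic is an added example for this article, not EclecticIQ's tooling: the log lines are constructed (one request per line: timestamp, client IP, destination host, path, Referer), the parent domains watched, the Referer hosts treated as a Docs click, the 24-hour window and the three-subdomain threshold are all assumptions to be tuned against local traffic.

```python
"""Detection logic for the hosting pattern described above: phishing
pages on short-lived subdomains of a free site builder, reached from
links in Google Docs.  Added example; the log lines are constructed
(format: timestamp src_ip dest_host path referer), not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

WATCHED_PARENTS = ("weeblysite.com",)      # assumption: parents to watch
DOC_REFERRER_HOSTS = ("docs.google.com",)  # assumption: counts as a Docs click
ROTATION_THRESHOLD = 3                     # assumption: distinct subdomains
WINDOW = timedelta(hours=24)               # assumption: per-client window

SAMPLE_LOG = """\
2024-10-28T09:12:01Z 10.1.4.22 docs.google.com /presentation/d/EXAMPLE/edit -
2024-10-28T09:12:40Z 10.1.4.22 telecom-account-review.weeblysite.com /login https://docs.google.com/
2024-10-28T11:03:12Z 10.1.4.22 telecom-account-review.weeblysite.com /verify -
2024-10-28T16:30:05Z 10.1.4.22 account-check-7.weeblysite.com /login https://docs.google.com/
2024-10-29T08:45:11Z 10.1.4.22 billing-update-9.weeblysite.com /login https://docs.google.com/
2024-10-29T09:00:00Z 10.1.7.9 www.example.com / -
"""   # constructed proxy log; hostnames are invented, not campaign IOCs


def _parent_of(host):
    """Return the watched parent domain this host sits under, else None."""
    for p in WATCHED_PARENTS:
        if host.endswith("." + p):
            return p
    return None


def parse_log(text):
    """Parse the constructed five-field log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, path, ref = line.split(maxsplit=4)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src_ip": src, "host": host.lower(), "path": path,
            "referer_host": (urlparse(ref).hostname or "") if ref != "-" else "",
        })
    return events


def detect(text):
    """Flag Docs-referred hits on watched parents and per-client subdomain rotation."""
    events = parse_log(text)
    referrals = []
    by_key = defaultdict(list)          # (client, parent) -> events
    for e in events:
        parent = _parent_of(e["host"])
        if parent is None:
            continue
        if e["referer_host"] in DOC_REFERRER_HOSTS:
            referrals.append({"ts": e["ts"].isoformat(),
                              "src_ip": e["src_ip"], "host": e["host"]})
        by_key[(e["src_ip"], parent)].append(e)

    alerts = []
    for (src, parent), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i, cur in enumerate(evs):
            # Distinct subdomains this client touched in the trailing window.
            hosts = {x["host"] for x in evs[:i + 1]
                     if cur["ts"] - x["ts"] <= WINDOW}
            if len(hosts) >= ROTATION_THRESHOLD:
                alerts.append({"src_ip": src, "parent": parent,
                               "at": cur["ts"].isoformat(),
                               "distinct_hosts": sorted(hosts)})
                break               # one alert per client/parent pair
    return {"google_docs_referrals": referrals, "rotation_alerts": alerts}


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

The two signals are deliberately kept separate: a single Docs-referred visit to a site-builder domain is common and only worth enriching, whereas the same client reaching three different subdomains of one free-hosting parent within a day is the rotation behaviour the campaign depends on and is worth an alert.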

PICUS-themed phishing lure on Google Docs.

The PICUS-themed lures mimic legitimate training content to target security professionals; here too the attackers track user interactions and geolocation data to refine their tactics before redirecting victims to credential-harvesting sites.

EclecticIQ assesses that the phishing actors use Google Docs to evade detection, establish trust, and expand their attack vectors.

By hosting the initial lure on a legitimate platform, they bypass security controls that would block an unknown domain and trick users into giving up sensitive information, extending their reach beyond the telecom and financial sectors.

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
