Saturday, December 7, 2024

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks


Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims to fake login pages hosted on Weebly, targeting telecommunications and financial sectors in late October 2024.

Financially motivated threat actors exploit Weebly’s ease of use and reputation to host phishing pages, bypassing security measures and leveraging the platform’s legitimacy to prolong attacks across various sectors.

They leverage Google Docs to distribute malicious links embedded within presentations, redirecting victims to fake login pages hosted on Weebly, which are designed to mimic legitimate platforms from the telecommunications and financial sectors, targeting specific regions and organizations.


Phishing attacks exploit familiar telecom MFA workflows to trick users into revealing credentials, while attackers leverage tracking tools for campaign optimization based on victim data. 

US-based telecommunications-institution themed phishing login page.

The attackers used Weeblysite domains to host phishing pages mimicking industry-specific login screens, which were embedded in Google Docs, to bypass security measures and target financial and telecommunications sectors in EMEA and AMER. 

The campaign also targets security professionals by mimicking legitimate cybersecurity training platforms such as PICUS; these lures are designed to compromise business email accounts and rely on dynamic DNS infrastructure to evade detection and prolong the campaign.

The campaign leverages highly customized tactics, employing brand-specific lures like AT&T and a US financial institution to increase user trust and engagement, which demonstrates the attackers’ intent to maximize phishing success across various sectors. 

Phishing page mimicking Australian bank login

They mimic legitimate MFA workflows, using realistic designs to trick users into providing sensitive information, while advanced MFA defenses, like adaptive authentication and randomized challenges, are crucial to detect and thwart these sophisticated attacks.

The attacks employ legitimate tracking tools like Snowplow and Google Analytics to monitor victim engagement, collecting detailed data on user interactions, including navigation, clicks, and geolocation. 

Cybercriminals are exploiting SIM swapping by targeting telecom services like AT&T and stealing login credentials from telecom dashboards to initiate SIM swaps, intercepting SMS-based MFA codes and gaining unauthorized access to user accounts.

Burp Suite HTTP POST interception on phishing page

By leveraging SIM swapping to bypass SMS-based MFA, they gain unauthorized access to victims’ accounts. This highlights the vulnerability of SMS-based security and underscores the necessity for stronger, non-SMS MFA methods.

Phishing campaigns take advantage of HTML forms mimicking login pages on free hosting platforms (Weebly) with dynamic DNS for subdomain rotation, which allows for quick deployment, credential theft, and evasion of detection. 
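As an added illustration of how a defender might spot the chain described above (Google Docs lure, landing on a free-hosting subdomain, then a credential POST) in web proxy logs. This is example code written for this article, not from EclecticIQ's report; the weeblysite.com suffix and the proxy log format are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Free-hosting DNS suffix assumed for Weebly sites (assumption, not from the article).
FREE_HOSTING_SUFFIXES = ("weeblysite.com",)
# Hosts the campaign uses to deliver the link to the phishing page.
LURE_HOSTS = ("docs.google.com",)

# Assumed proxy log line format: "<ts> <user> <METHOD> <url> referer=<url|->"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>GET|POST) (?P<url>\S+) referer=(?P<ref>\S+)$"
)

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def is_free_hosting(host):
    # Exact match or a subdomain of the suffix; rejects look-alikes such as
    # weeblysite.com.evil.example.
    return any(host == s or host.endswith("." + s) for s in FREE_HOSTING_SUFFIXES)

def find_suspect_chains(lines):
    """Alert when a user reaches a free-hosting subdomain with a Google Docs
    referer and later POSTs to that same host (a likely login form submission)."""
    alerts = []
    landed = defaultdict(set)  # user -> free-hosting hosts reached via a lure
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        user, method, url, ref = m["user"], m["method"], m["url"], m["ref"]
        host = host_of(url)
        if not is_free_hosting(host):
            continue
        if host_of(ref) in LURE_HOSTS:
            landed[user].add(host)
        if method == "POST" and host in landed[user]:
            alerts.append({"ts": m["ts"], "user": user, "host": host})
    return alerts

# Constructed sample proxy log lines; not real traffic.
SAMPLE_LOG = [
    "2024-10-28T09:12:01Z alice GET https://docs.google.com/presentation/d/CONSTRUCTED_ID/pub referer=-",
    "2024-10-28T09:12:09Z alice GET https://billing-portal-7f3.weeblysite.com/login referer=https://docs.google.com/",
    "2024-10-28T09:12:40Z alice POST https://billing-portal-7f3.weeblysite.com/login referer=https://billing-portal-7f3.weeblysite.com/login",
    "2024-10-28T10:01:15Z bob GET https://marketing-team.weeblysite.com/ referer=https://www.google.com/",
    "2024-10-28T10:02:00Z bob POST https://marketing-team.weeblysite.com/contact referer=https://marketing-team.weeblysite.com/",
]

if __name__ == "__main__":
    for alert in find_suspect_chains(SAMPLE_LOG):
        print(alert)
```

Only alice's session is flagged: bob also POSTs to a weeblysite.com host, but he did not arrive there from a Google Docs link, so the lure-to-free-hosting correlation is what separates the two.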

PICUS-themed phishing lure on Google Docs.

The PICUS-themed lures, which mimic legitimate training content, target security professionals; the attackers track user interactions and geolocation data to refine their phishing tactics and redirect victims to credential-harvesting sites.

EclecticIQ asserts that phishing actors make use of Google Docs in order to evade detection, establish trust, and expand attack vectors.

By hosting malicious content on this legitimate platform, they bypass security measures and trick users into compromising sensitive information, expanding their reach beyond the telecom and financial sectors.


Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
