Unveiling the Digital Deception: Google Drawings and WhatsApp…

In the vast digital landscape, where trust is often the first casualty of cyber threats, a new phishing tactic has emerged, leveraging the reputations of Google and WhatsApp to deceive unsuspecting users. This sophisticated attack, exposed by Menlo Security, exemplifies the evolving nature of cyber threats and the importance of robust security measures.

The Anatomy of the Attack

The attack begins with a seemingly innocuous phishing email, which directs the victim to a graphic hosted on Google Drawings. The graphic is designed to look like an Amazon account verification link. Google Drawings is part of the Google Workspace suite and lets users collaborate on graphics; such sites are not typically blocked by traditional security tools, which makes them attractive to attackers.

The Role of Google Drawings

Google Drawings is a collaborative tool that allows users to create and edit diagrams and charts. Its appeal to attackers lies in its ability to host links that can easily go unnoticed. When the victim clicks on the “Continue Verification” link, they are redirected to what appears to be an actual Amazon Sign-In page. However, this link is crafted using a WhatsApp URL shortener, “l.wl.co,” which does not present any warning to the user about the redirection.

The WhatsApp URL Shortener

URL shorteners are a common tool for sharing long links, but they can also be used to hide the destination of a link. In this case, the WhatsApp URL shortener “l.wl.co” is used to redirect the victim to a malicious site. To further obfuscate the original link, a link from a second URL shortener, “qrco.de,” a service for dynamic QR codes, is appended to the shortened WhatsApp link. This second step is designed to evade URL security scanners and make it harder for users to detect the malicious intent.
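The stacked-shortener pattern described above can be checked statically in mail or proxy telemetry. The following is an added example, not code from Menlo Security or from the original article: it unwraps URLs nested inside other URLs and flags links that chain two or more redirector hosts. The sample links are constructed, and the `u` query parameter name is an assumption (the check does not depend on it).

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Redirector hosts named in the article; extend from your own telemetry.
REDIRECTOR_HOSTS = {"l.wl.co", "qrco.de"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def _decode(text, rounds=3):
    """Undo up to `rounds` layers of percent-encoding."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def embedded_urls(url):
    """URLs carried inside the query values or path of `url`."""
    parts = urlsplit(url)
    found = []
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        found += URL_RE.findall(_decode(value))
    found += URL_RE.findall(_decode(parts.path))
    return found

def static_chain(url, max_depth=5):
    """Hosts reached by unwrapping nested URLs; no network request is made."""
    chain = []
    while url and len(chain) < max_depth:
        chain.append((urlsplit(url).hostname or "").lower())
        nested = embedded_urls(url)
        url = nested[0] if nested else None
    return chain

def assess(url):
    """Flag a link that stacks two or more redirectors in one URL."""
    chain = static_chain(url)
    hops = [h for h in chain if h in REDIRECTOR_HOSTS]
    return {"chain": chain, "redirectors": hops, "stacked": len(hops) >= 2}

# Constructed sample links (not real indicators); the `u` parameter is assumed.
SAMPLES = [
    "https://l.wl.co/l?u=https%3A%2F%2Fqrco.de%2FEXAMPLE",
    "https://l.wl.co/l?u=https%253A%252F%252Fqrco.de%252FEXAMPLE",
    "https://qrco.de/EXAMPLE",
    "https://docs.google.com/drawings/d/EXAMPLE/preview",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(assess(link)["stacked"], assess(link)["chain"], link)
```

A single shortener on its own is common in legitimate mail, so the flag is raised only when redirectors are stacked; treat it as a triage signal rather than a verdict.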

The Phishing Pages

Once the victim is redirected to the malicious site, they are presented with a series of pages designed to mimic the Amazon Sign-In process. These pages include:

1. Security Checkup: This page asks the victim to present personal information, including their mother’s maiden name, their birthdate, and their phone number.
2. Billing Checkup: This page asks for the complete billing address associated with the victim’s account.
3. Payments Verification: This page asks for credit or debit card details, including the cardholder’s name, the full card number, expiration date, and security code.
4. Finish: This page is presented while the information entered by the victim is “verified.”

Each of these pages is designed to mimic the legitimate Amazon Sign-In process, making it difficult for the victim to detect the phishing attempt. The victim’s credentials are collected as they fill out each of the four steps, and are sent to the attacker using different URL paths hosted in the same domain. This means that even if the victim changes their mind or stops in the middle of handing over this information, the attacker still gets vital data from every step that has already been completed.

The Importance of User Education

It is tempting to believe that user education is the solution to phishing attacks, but the facts tell a different story. While user security training is certainly helpful, it is a mistake to rely on training alone. There are simply too many different types of attacks, and users can be easily deceived by sophisticated tactics.

The Rise of Highly Evasive Adaptive Threats (HEAT)

Highly Evasive Adaptive Threats (HEAT) are a type of attack that is designed to evade traditional security measures. These attacks are happening in the browser and are taking advantage of the brands and domains that users instinctively trust, making it hard to tell they’re dangerous. Today, evasive threats make up 30% of total browser-based phishing attacks.

The Role of Security Tools

While user education is important, it is not enough to protect users from HEAT attacks. Security tools are essential for safeguarding users from these sophisticated threats. Menlo Security has developed a tool called HEAT Shield, which uses a combination of methods to catch HEAT attacks. HEAT Shield is a powerful tool that can help protect users from the latest and most evasive threats.

Conclusion

The Google Drawings and WhatsApp Zero-Hour Open Redirection Phish is a prime example of the evolving nature of cyber threats. This attack leverages the reputations of Google and WhatsApp to deceive unsuspecting users, highlighting the importance of robust security measures. While user education is important, it is not enough to protect users from HEAT attacks. Security tools, such as Menlo Security’s HEAT Shield, are essential for safeguarding users from these sophisticated threats.

FAQ

What is a phishing attack?

A phishing attack is a type of cyber attack where the attacker attempts to deceive the victim into revealing sensitive information, such as passwords or credit card numbers. Phishing attacks are often carried out via email, where the attacker sends a message that appears to be from a legitimate source.

How can I protect myself from phishing attacks?

There are several steps you can take to protect yourself from phishing attacks:

1. Be cautious of unsolicited emails: Be wary of emails that ask you to click on links or download attachments.
2. Verify the sender’s address: Check the email address of the sender to ensure it is legitimate.
3. Use security tools: Security tools, such as HEAT Shield, can help protect you from phishing attacks.
4. Stay informed: Keep up-to-date with the latest cyber threats and security best practices.

What is a URL shortener?

A URL shortener is a tool that allows you to create a shorter version of a long URL. URL shorteners are often used to share long links on social media or in other contexts where space is limited. However, URL shorteners can also be used to hide the destination of a link, making them a potential tool for attackers.

What is a HEAT attack?

A HEAT attack is a type of cyber attack that is designed to evade traditional security measures. HEAT attacks are often carried out in the browser and take advantage of the brands and domains that users instinctively trust, making it hard to tell they’re dangerous. HEAT attacks make up a significant portion of total browser-based phishing attacks.

What is Menlo Security’s HEAT Shield?

Menlo Security’s HEAT Shield is a security tool that is designed to catch HEAT attacks. HEAT Shield uses a combination of methods to detect and block HEAT attacks, helping to protect users from these sophisticated threats.
