There’s nothing new about using site redirection to try to fool a victim into giving up their credentials. However, this newly uncovered attack takes the deception to new levels by chaining Google Drawings and an unofficial WhatsApp URL shortener to get at Amazon accounts.
Ashwin Vamshi, a researcher with Menlo Security, has published details of how hackers are taking social engineering to new levels through a phishing campaign that hides each stage of its redirect chain behind trusted services to evade detection. The ultimate target? Your Amazon account credentials, including your login details and payment card information.
Here’s how it goes down, so you know what to watch for.
Menlo Security Researcher Details New Living Off Trusted Sites Exploit Kill Chain
Like so many phishing campaigns, this latest LOTS attack begins with a relatively simple email that attempts to get the potential victim to click on a fake link purporting to be from Amazon. The user is then presented with what appears to be an Amazon account verification link, supposedly required to protect the victim from ‘unusual account activity.’ This verification link is actually a graphic hosted at Google Drawings, which is part of the Google Workspace suite. Google Drawings enables collaboration between users on graphics and is used here because it allows links to be embedded within the drawing itself, and because many security tools will not block traffic to this kind of collaborative tool. “Such links may easily go unnoticed by users,” Vamshi warned, “particularly if they feel a sense of urgency around a potential threat to their Amazon account.”
If the user does get fooled and clicks on that verification link in the graphic, they will be sent to what appears to be a genuine Amazon account login page. The verification link itself is the second part of the kill chain here, and appears to use an unofficial WhatsApp URL shortener to obfuscate the true destination.
What Happens When The Victim Arrives At The Fake Amazon Page?
The final step of the LOTS exploit kill chain is arriving at that fake but convincing Amazon account login page. Once here, having entered their account credentials, the victim is met with what appears to be a security checkup process. If the user has been fooled so far, that’s exactly where they would expect to be taken, after all. In fact, it’s nothing of the sort and opens up the mark to four additional information-gathering steps.
The security checkup page itself gathers information such as date of birth and phone number before asking the user to proceed to the billing check page. Here, they are met with a form asking for confirmation of the billing address and then passed onto what appears to be a payment verification page. This gets the user to enter full payment card information, including the security code from the back of the card.
Even if alarm bells start ringing loudly at this stage, the threat actor will already have the earlier data: each completed form is submitted separately to a different URL path on the same attacker-controlled domain, so everything entered before the victim abandons the process has already been captured.
If no alarms have sounded, the unsuspecting victim is returned to the original login page having passed the ‘verification’ checks.
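The sequence just described (a click on a Google Drawings graphic, a hop through a shortener, then several form submissions to different paths on one untrusted domain) leaves a recognisable footprint in a web proxy log. The script below is an added example, not Menlo Security's or this article's code, that hunts for that pattern per user. The log format, the 15-minute window, the trusted-host allowlist and every hostname in the sample (short.example, account-verify.example) are assumptions or constructed data, not the campaign's real infrastructure.

```python
"""Flag the Google Drawings -> shortener -> multi-step form-harvest chain in
web-proxy logs. Added example; log format and hostnames are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log: "<ISO timestamp> <user> <method> <url>".
# short.example and account-verify.example are placeholders, not real hosts.
SAMPLE_LOG = """\
2024-08-01T09:00:01Z alice GET https://docs.google.com/drawings/d/1abc/preview
2024-08-01T09:00:05Z alice GET https://short.example/xyz
2024-08-01T09:00:06Z alice GET https://account-verify.example/login
2024-08-01T09:00:40Z alice POST https://account-verify.example/login
2024-08-01T09:01:20Z alice POST https://account-verify.example/security-checkup
2024-08-01T09:02:00Z alice POST https://account-verify.example/billing
2024-08-01T09:02:45Z alice POST https://account-verify.example/payment
2024-08-01T09:10:00Z bob GET https://docs.google.com/drawings/d/2def/edit
2024-08-01T09:11:00Z bob POST https://docs.google.com/drawings/d/2def/save
2024-08-01T09:30:00Z carol GET https://www.amazon.com/
2024-08-01T09:30:30Z carol POST https://www.amazon.com/ap/signin
"""

# Assumed allowlist: POSTs to these domains (or subdomains) are not exfiltration.
TRUSTED_HOSTS = ("google.com", "amazon.com")


def is_trusted(host):
    """True if host is an allowlisted domain or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def parse_line(line):
    """Parse one proxy log line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, user, method, url = parts
    u = urlparse(url)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "method": method.upper(),
            "host": u.hostname or "", "path": u.path or "/"}


def find_lots_chains(lines, window=timedelta(minutes=15), min_posts=2):
    """Return one finding per (user, Drawings click, exfil domain) where the
    user POSTed to at least min_posts distinct paths on one untrusted host
    within `window` of opening a Google Drawings document."""
    by_user = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_user[ev["user"]].append(ev)

    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(events):
            if not (ev["method"] == "GET" and ev["host"] == "docs.google.com"
                    and ev["path"].startswith("/drawings/")):
                continue
            # Collect later POSTs to untrusted hosts, keeping distinct paths
            # in the order they were submitted (login -> checkup -> ...).
            posts = defaultdict(list)
            for later in events[i + 1:]:
                if later["ts"] - ev["ts"] > window:
                    break
                if later["method"] == "POST" and not is_trusted(later["host"]):
                    if later["path"] not in posts[later["host"]]:
                        posts[later["host"]].append(later["path"])
            for host, paths in posts.items():
                if len(paths) >= min_posts:
                    findings.append({"user": user, "drawing": ev["path"],
                                     "exfil_domain": host, "paths": paths,
                                     "first_seen": ev["ts"].isoformat()})
    return findings


if __name__ == "__main__":
    for f in find_lots_chains(SAMPLE_LOG.splitlines()):
        print(f"{f['user']} at {f['first_seen']}: Drawings {f['drawing']} -> "
              f"{len(f['paths'])} form POSTs to {f['exfil_domain']} {f['paths']}")
```

On the sample, only alice is flagged: bob opens a Drawings document but only saves it back to Google, and carol signs in to the real amazon.com. The rule keys on the sequence rather than on any single domain, which matters here precisely because the first two hops (Google Drawings and the shortener) are hosts a reputation-based blocklist will not catch.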
Protecting Yourself Against LOTS Attacks
A full technical breakdown of the exploit kill chain can be found here, but for most people that’s not going to help protect against this type of LOTS threat. The Federal Trade Commission offers plenty of practical anti-phishing advice and I’d recommend reading that for starters. For me, the most important point is that an email, text message or phone call urging you to take any action because of ‘unusual activity’ should be treated with the utmost caution. Never follow links, or call phone numbers, provided by this type of contact. Instead, use the official address where you would normally log in to your account and check whether there is any warning there. If not, then you’ve just avoided being conned.
An Amazon spokesperson issued the following statement: “Scammers that attempt to impersonate Amazon put consumers at risk. We will continue to invest in protecting consumers and educating the public on scam avoidance. We encourage consumers to report suspected scams to us so that we can protect their accounts and refer bad actors to law enforcement to help keep consumers safe. Please visit our help pages to find additional information on how to identify scams and report them.”
I have reached out to Google and WhatsApp for further comment.