New Phishing Scam Uses Google Drawings and WhatsApp Shortened Links

Aug 08, 2024Ravie LakshmananCyber Security / Cloud Security

Cybersecurity researchers have uncovered a novel phishing campaign that uses Google Drawings and shortened links generated through WhatsApp to evade detection and trick users into clicking on bogus links designed to steal sensitive information.

“The assailants handpicked a range of well-known technology websites to fashion the peril, including Google and WhatsApp for hosting the assault components, and an Amazon doppelganger to collect the victim’s details,” Ashwin Vamshi, a researcher at Menlo Security, noted. “This assault is a prime instance of a Living Off Trusted Sites (LoTS) threat.”

The attack starts with a phishing email that directs recipients to a graphic that appears to be an Amazon account verification link. The graphic is hosted on Google Drawings, apparently to evade detection.

Abusing legitimate services has obvious advantages for attackers: the services are cost-effective and, more importantly, they offer a covert way to communicate inside networks, because security tools and firewalls are less likely to block them.

“One more aspect that renders Google Sketches attractive at the onset of the assault is its capability for users (in this scenario, the attacker) to embed links in their graphics,” Vamshi explained. “Such links might easily elude users, especially if they sense an urgency surrounding a likely threat to their Amazon account.”

Recipients who unknowingly click on the verification link are taken to a counterfeit Amazon login page. The URL is built in stages using two different URL shorteners, WhatsApp (“l.wl[.]co”) followed by qrco[.]de, as an additional layer of obfuscation meant to fool security URL scanners.

The counterfeit page is designed to harvest login credentials, personal information, and credit card details, after which the victims are redirected to the genuine Amazon login page that was being impersonated. In addition, the page becomes inaccessible from the same IP address once the credentials have been confirmed.
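The chain described above (a lure on a trusted host, two shorteners in a row, a look-alike landing page) can be checked in proxy or sandbox click-through logs. The following Python sketch is an added example, not code from Menlo Security or the original article; the docs.google.com/drawings path, the amazon.com brand list, the scoring threshold and all sample URLs are assumptions or constructed values.

```python
from urllib.parse import urlsplit

# Shortener hosts named in the article (defanged there as l.wl[.]co and qrco[.]de).
SHORTENERS = {"l.wl.co", "qrco.de"}
# Assumption: Google Drawings content is served from docs.google.com under /drawings/.
TRUSTED_LURE = ("docs.google.com", "/drawings/")
# Assumption: the impersonated brand's legitimate domain and the keyword to look for.
BRAND_DOMAINS = {"amazon.com"}
BRAND_KEYWORD = "amazon"


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def on_domain(host, domain):
    # True only for the domain itself or a real subdomain of it.
    return host == domain or host.endswith("." + domain)


def assess_chain(chain):
    """Findings for one click-through chain: referrer first, landing page last."""
    if not chain:
        return []
    findings = []
    first = urlsplit(chain[0])
    if host_of(chain[0]) == TRUSTED_LURE[0] and first.path.startswith(TRUSTED_LURE[1]):
        findings.append("lure-on-trusted-host")
    # Intermediate hops only: count distinct shortener services traversed.
    hops = {h for h in map(host_of, chain[1:-1]) if h in SHORTENERS}
    if len(hops) >= 2:
        findings.append("chained-shorteners")
    landing = host_of(chain[-1])
    if BRAND_KEYWORD in landing and not any(on_domain(landing, d) for d in BRAND_DOMAINS):
        findings.append("brand-lookalike-landing")
    return findings


def is_suspicious(chain):
    # Hypothetical threshold: any two findings together warrant review.
    return len(assess_chain(chain)) >= 2


# Constructed sample chains (IDs, paths and the landing host are placeholders).
PHISH = ["https://docs.google.com/drawings/d/EXAMPLE_ID/preview",
         "https://l.wl.co/EXAMPLE", "https://qrco.de/EXAMPLE",
         "https://amazon-account-check.example/signin"]
BENIGN = ["https://docs.google.com/drawings/d/EXAMPLE_ID/edit",
          "https://www.amazon.com/gp/help"]
```
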

The disclosure comes as researchers have found a loophole in Microsoft 365’s anti-fraud mechanisms that could be exploited to increase the likelihood of users opening fraudulent emails.

The technique uses CSS manipulation to hide the “First Contact Safety Tip,” which alerts users when they receive email from an unfamiliar address. Microsoft has acknowledged the problem but has yet to provide a fix.

“The First Contact Safety Tip is added to the beginning of an HTML email body, allowing for potential alteration of its display using CSS style tags,” Austrian cybersecurity firm Certitude stated. “Taking it a step further, we can imitate the icons Microsoft Outlook appends to emails that are encrypted and/or signed.”
