Security researchers have revealed a series of criminal campaigns that exploit cloud storage services such as Amazon S3, Google Cloud Storage, Backblaze B2 and IBM Cloud Object Storage.
These campaigns, driven by unnamed threat actors, aim to redirect users to malicious websites to steal their information using SMS messages.
According to a technical write-up published by Enea today, the attackers have two primary goals.
First, they want to ensure that scam text messages are delivered to mobile handsets without detection by network firewalls. Second, they seek to convince end users that the messages or links they receive are trustworthy.
By leveraging cloud storage platforms to host static websites with embedded spam URLs, attackers make their messages appear legitimate and avoid common security measures.
Cloud storage services allow organizations to store and manage files and host static websites by storing website assets in a storage bucket. Cybercriminals have exploited this capability by embedding spam URLs in static websites stored on these platforms.
They distribute URLs linking to these cloud storage sites via SMS, which often bypass firewall restrictions due to the perceived legitimacy of well-known cloud domains. Once users click on these links, they are redirected to the malicious sites without their knowledge.
For instance, the Google Cloud Storage domain “storage.googleapis.com” was used by attackers to create URLs that link to spam sites. The static webpage hosted in a Google Cloud bucket employs HTML meta refresh techniques to redirect users to scam sites immediately. This method allows cybercriminals to lure users to fraudulent websites that often mimic legitimate offers, such as gift card promotions, to steal personal and financial information.
Enea has also observed similar tactics with other cloud storage services like Amazon Web Services (AWS) and IBM Cloud, where URLs in SMS messages lead to static websites hosting spam.
To defend against threats like these, Enea recommended monitoring traffic behavior, inspecting URLs and being wary of unexpected messages containing links.