Researchers have uncovered a sophisticated phishing campaign that exploits the trust users place in well-known websites like Google Drawings and WhatsApp.
This attack, categorized by Menlo Security as a "Living Off Trusted Sites" (LOTS) threat, cleverly manipulates these legitimate platforms to deceive victims into surrendering their personal and financial information.
The attack begins with a phishing email that directs recipients to what appears to be an Amazon account verification link. However, the link actually leads to a deceptive graphic hosted on Google Drawings, a component of the Google Workspace suite.
This service is typically not flagged by traditional security tools, making it an attractive choice for attackers. The graphic contains a link that, when clicked, initiates the phishing scheme by redirecting the user through a series of shortened URLs, ultimately leading to a fake Amazon sign-in page.
To obscure their intentions further, the attackers utilize a WhatsApp URL shortener, "l.wl.co," which does not display warnings about redirects. The link is then further shortened using "qrco[.]de," a dynamic QR code service, making it even harder for security scanners to detect the malicious site.
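A defender can hunt for this hop pattern in proxy or browser telemetry. The following is an added example, not code from Menlo Security or the original article: it scores an ordered redirect chain for the three traits described above (a Google Drawings origin, shortener hops, and a landing host unrelated to the impersonated brand). The `BRAND_DOMAINS` list, the function names and all sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Hosts named in the article. Google Drawings files live under docs.google.com/drawings/.
DRAWINGS_HOST, DRAWINGS_PATH = "docs.google.com", "/drawings/"
SHORTENER_HOSTS = {"l.wl.co", "qrco.de"}
# Assumption: legitimate domains of the brand the lure impersonates.
BRAND_DOMAINS = {"amazon.com"}


def _in_domains(host, domains):
    """True if host equals, or is a subdomain of, any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def score_chain(chain):
    """chain: ordered URLs of one navigation, first hop first.
    Returns (suspicious, reasons)."""
    parts = [urlsplit(u) for u in chain]
    hosts = [(p.hostname or "").lower() for p in parts]
    if len(hosts) < 2:
        return False, []
    reasons = []
    from_drawing = hosts[0] == DRAWINGS_HOST and parts[0].path.startswith(DRAWINGS_PATH)
    if from_drawing:
        reasons.append("starts on a Google Drawings document")
    shorteners = [h for h in hosts[1:] if _in_domains(h, SHORTENER_HOSTS)]
    if len(set(shorteners)) >= 2:
        reasons.append("stacked shorteners: " + " -> ".join(shorteners))
    final = hosts[-1]
    # A chain that ends on a shortener is unresolved, so it is not judged here.
    off_brand = not (_in_domains(final, BRAND_DOMAINS) or final == DRAWINGS_HOST
                     or _in_domains(final, SHORTENER_HOSTS))
    if off_brand:
        reasons.append("lands on unrelated host " + final)
    return (from_drawing and bool(shorteners) and off_brand), reasons


# Constructed sample chains (placeholders, not real campaign URLs).
SAMPLES = {
    "lure": ["https://docs.google.com/drawings/d/CONSTRUCTED/preview",
             "https://l.wl.co/l?u=CONSTRUCTED", "https://qrco.de/CONSTRUCTED",
             "https://signin.example-phish.test/step1"],
    "direct": ["https://docs.google.com/drawings/d/CONSTRUCTED/preview",
               "https://www.amazon.com/gp/help"],
    "shortener_only": ["https://news.example.test/a", "https://qrco.de/CONSTRUCTED",
                       "https://shop.example.test/"],
}

if __name__ == "__main__":
    for name, chain in SAMPLES.items():
        print(name, score_chain(chain))
```
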
Once the victim arrives at the counterfeit Amazon page, they are prompted to enter sensitive information across several steps, including login credentials, personal details, billing information and payment card data.
"The victim's credentials are collected as they fill out each of the four steps and are sent to the attacker using different URL paths hosted in the same domain," Menlo explained. "Even if the victim changes their mind or stops in the middle of handing over this information, the attacker still gets vital data from every step that has already been completed."
According to Menlo Security, the sophistication of this attack underscores the limitations of relying solely on user education and conventional security tools to prevent phishing.
"It is tempting to believe that user education is the solution, but the facts tell a different story. While user security training is certainly helpful, it is a mistake to rely on training alone. There are simply too many different types of attacks," the company wrote.
Instead, the security experts emphasized the need for advanced protective measures, such as real-time AI analysis, to detect and neutralize such threats effectively.