Criminals are misusing cloud storage services to host phishing websites for SMS scams. They use cloud storage's static website hosting feature to store HTML files containing malicious URLs, and include links to those files in SMS text messages. The messages bypass firewalls because the links use trusted cloud platform domains.

Clicking on a link in the SMS takes users to a seemingly legitimate website hosted on cloud storage, which then redirects them to a phishing site to steal their information.

Attackers are exploiting Google Cloud Storage by hosting a malicious web page inside a bucket. The page uses the "HTML meta refresh" technique, a web development function that automatically reloads or redirects the user after a set amount of time.

Spam emails contain links to this initial web page hosted on Google Cloud Storage, tricking users into unknowingly visiting a malicious site.

Examples of spam messages

The attacker exploits Google Cloud Storage by creating a bucket named "dfa-b" to host a malicious HTML page, "dfmc.html", which leverages the "meta-refresh" tag with a delay of zero seconds to redirect unsuspecting users to another URL automatically.

The destination URL contains additional parameters, possibly for tracking or malicious purposes.
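The redirect pattern described above can be checked for when triaging a reported link. The following is an added example, not code from the original report: it parses a fetched page for a meta-refresh tag and flags it when the page sits on a cloud-storage host and redirects almost immediately to a different host. The suffix list, the function names, the sample URL layout and the `landing.example` target are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Assumed, illustrative list of cloud-storage host suffixes; extend for your environment.
CLOUD_STORAGE_SUFFIXES = ("storage.googleapis.com", "amazonaws.com", "backblazeb2.com")
# Matches content="0; url=https://..." and captures delay and target ("url=" is optional).
REFRESH_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*[;,]\s*(?:url\s*=\s*)?['\"]?([^'\"]+?)['\"]?\s*$", re.I)


class MetaRefreshFinder(HTMLParser):
    """Collects (delay_seconds, target_url) from every <meta http-equiv="refresh">."""

    def __init__(self):
        super().__init__()
        self.redirects = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").strip().lower() == "refresh":
            m = REFRESH_RE.match(a.get("content", ""))
            if m:
                self.redirects.append((float(m.group(1)), m.group(2).strip()))


def analyze(page_url, html, max_delay=1.0):
    """Flag fast meta-refresh redirects that leave a cloud-storage host."""
    src_host = (urlsplit(page_url).hostname or "").lower()
    on_cloud = any(src_host == s or src_host.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)
    finder = MetaRefreshFinder()
    finder.feed(html)
    findings = []
    for delay, target in finder.redirects:
        t = urlsplit(target)
        dst_host = (t.hostname or "").lower()
        if on_cloud and delay <= max_delay and dst_host and dst_host != src_host:
            findings.append({"delay": delay, "target_host": dst_host,
                             "param_names": [k for k, _ in parse_qsl(t.query)]})
    return findings


# Constructed sample: bucket and file names come from the article, everything else is a placeholder.
SAMPLE_URL = "https://storage.googleapis.com/dfa-b/dfmc.html"
SAMPLE_HTML = (
    '<html><head><meta http-equiv="refresh" '
    'content="0; url=https://landing.example/offer?cid=123&amp;src=sms"></head></html>')

if __name__ == "__main__":
    print(analyze(SAMPLE_URL, SAMPLE_HTML))
```

The `param_names` field lists the query parameters on the destination URL, which helps when correlating several reported messages that share the same tracking parameters.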

Malicious actors exploit the meta-refresh tag in SMS phishing messages to automatically send users to fraudulent websites (scam website landing page, page 2, page 3) disguised as legitimate gift card offers.

The technique aims to steal personal and financial information. The redirect relies on cloud storage services such as Google Cloud Storage, although Amazon Web Services and IBM Cloud are also exploited for similar scams.

Scam SMS containing a link to a static website hosted on Amazon AWS

Scammers increasingly take advantage of cloud storage services such as Amazon AWS, IBM Cloud, and Backblaze B2 Cloud to conduct phishing attacks via SMS, as these messages contain links that are legitimate cloud storage URLs.

Scam SMS containing a link to a static website hosted on Backblaze B2 Cloud

However, clicking on the link redirects users to malicious static websites designed to steal personal information. Upon clicking the link, the user may be automatically redirected to a website that mimics a popular platform, such as a bank login page.

According to Aeneas, the technique allows scammers to bypass security filters because the initial link originates from a trusted cloud provider. This makes it appear more credible and increases the success rate of these phishing attempts, because users are less likely to suspect a link to a legitimate cloud service provider.