Attackers Continue to Abuse Google Sites and Microsoft Azure to Host Cryptocurrency Phishing

Attackers continue to abuse Google Sites and Microsoft Azure Web Apps to host cryptocurrency phishing campaigns targeting major wallets and exchanges, with new pages and targets emerging over time. The operation relies on two stages—SEO-driven first pages and second-stage pages hosted on cloud services—and even includes live chat to extract additional data. #GoogleSites #AzureWebApps #Coinbase #MetaMask #Binance #CryptoCom #Gemini #Kraken #Shakepay #PancakeSwap

Key Points

  • Phishing pages are hosted on Google Sites (first stage) and Microsoft Azure Web Apps (second stage) to impersonate wallets/exchanges and steal credentials.
  • The attack flow starts with the victim finding a crypto site via search, where the phishing page appears among the top results (SEO-driven lure).
  • The first page mimics the real site and redirects victims to a second-stage page through links within the page.
  • The second-stage page is designed to harvest sensitive data (credentials, recovery phrases) and often includes a live web chat to obtain more info.
  • Analysts observed attacker resilience: many second-stage URLs were taken down, but first-stage URLs remained online or were reused with new second-stage links.
  • New targets appeared: Binance, Crypto.com, Gate.io, KuCoin, PancakeSwap, and Shakepay. Crypto.com showed a functional two-stage flow, with the second stage hosted on Azure.
  • Two-stage hosting and URL replacement increase operational resilience, allowing rapid redeployment when pages go offline.
  • Defensive guidance: access wallet and exchange sites by entering the URL directly rather than through search results, and block phishing pages in real time with a secure web gateway and threat intelligence.
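
The two-stage flow above can be hunted for in web proxy logs. The following is an added example, not code from the original report: it flags clients that load a brand-themed Google Sites page and then reach an Azure Web Apps host shortly afterwards. The `(timestamp, client, url)` log shape, the 120-second window, the keyword list (built from the targets named on this page) and every sample URL are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Lure keywords derived from the targets named on this page (assumption:
# "gate" is left out because it is too generic to be a useful keyword).
BRANDS = ("metamask", "coinbase", "binance", "gemini", "kraken",
          "kucoin", "pancakeswap", "shakepay", "crypto")
WINDOW = 120  # seconds allowed between first and second stage (assumption)

def refang(url):
    """Turn a defanged indicator (hxxps, [.]) back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")

def stage(url):
    """Classify a URL as 'first' (lure), 'second' (harvest host) or None."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    if host == "sites.google.com" and any(b in parts.path.lower() for b in BRANDS):
        return "first"
    if host.endswith(".azurewebsites.net"):
        return "second"
    return None

def find_two_stage(events, window=WINDOW):
    """events: (ts, client, url) tuples sorted by ts. Returns chained hits."""
    last_first = {}  # client -> (ts, url) of the most recent lure page
    hits = []
    for ts, client, url in events:
        kind = stage(url)
        if kind == "first":
            last_first[client] = (ts, url)
        elif kind == "second" and client in last_first:
            t0, first_url = last_first[client]
            if ts - t0 <= window:
                hits.append((client, first_url, url))
    return hits

# Constructed sample log, kept defanged; none of these are real indicators.
SAMPLE = [
    (1000, "10.0.0.5", "hxxps://sites.google[.]com/example-lure.test/metamask-login/home"),
    (1030, "10.0.0.5", "hxxps://example-second-stage.azurewebsites[.]net/"),
    (1040, "10.0.0.7", "hxxps://example-internal-app.azurewebsites[.]net/dashboard"),
    (2000, "10.0.0.9", "hxxps://sites.google[.]com/view/team-wiki/home"),
    (2010, "10.0.0.9", "hxxps://example-internal-app.azurewebsites[.]net/"),
    (3000, "10.0.0.8", "hxxps://sites.google[.]com/example-lure.test/gemini-exchange/home"),
    (3900, "10.0.0.8", "hxxps://example-second-stage.azurewebsites[.]net/"),
]

if __name__ == "__main__":
    for hit in find_two_stage(SAMPLE):
        print(hit)
```

Correlating by client and time rather than by the Referer header keeps the check working when the browser sends only the referring origin on cross-site navigation. Because the second-stage hostnames are misspelled brand names, the keyword match is applied to the first-stage path only.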

MITRE Techniques

  • [T1566.003] Phishing via Service – Attackers host phishing content on legitimate services (Google Sites and Azure Web Apps) to run a multi-page phishing campaign. “The victim searches for a cryptocurrency website using specific keywords (e.g. ‘have MetaMask account’) and the phishing page is displayed first or among the first results.”
  • [T1566.001] Phishing: Spearphishing Link – The first phishing page mimics the original site and redirects victims to a second-stage page via links within the page. “The first phishing page mimics the original website and contains a lot of elements to boost SEO. This stage redirects the victim to another phishing website via links within the page.”

Indicators of Compromise

  • [URL] First-stage phishing pages hosted on Google Sites – hxxps://sites.google[.]com/crypto-coinexchange.com/geminiexchangee/home, hxxps://sites.google[.]com/cryptocomlog.com/crypto-com-login/home
  • [URL] Second-stage phishing pages hosted on Azure Web Apps – hxxps://caerytos-log.azurewebsites[.]net/, hxxps://coainasbe-log.azurewebsites[.]net/
  • [Domain] Google Sites domain – sites.google[.]com
  • [Domain] Azure Web Apps domain – azurewebsites[.]net

Read more: https://www.netskope.com/es/blog/attackers-continue-to-abuse-google-sites-and-microsoft-azure-to-host-cryptocurrency-phishing