Financially Motivated Threat Actor Leveraged Google Docs and Weebly Services to Target Telecom and Financial Sectors

Summary:
A recent phishing campaign targeting the telecommunications and financial sectors has been identified. It uses Google Docs to deliver malicious links that redirect victims to fake login pages hosted on Weebly. By leveraging trusted platforms, the attackers evade detection and gain user trust, which raises their success rate. The campaign uses tailored phishing tactics, including fake multi-factor authentication (MFA) prompts, to deceive victims.


Key points:

  • Phishing campaign identified in late October 2024 targeting telecommunications and financial sectors.
  • Attackers use Google Docs to deliver phishing links, redirecting victims to Weebly-hosted fake login pages.
  • Customized lures include telecom-specific pages for AT&T and financial institution pages for US and Canadian users.
  • Dynamic DNS is employed for subdomain rotation to keep phishing pages active and evade detection.
  • Crafted MFA prompts mimic legitimate processes, enhancing the appearance of authenticity.
  • Legitimate tracking tools like Sentry.io and Datadog are used to monitor victim engagement and refine phishing tactics.
  • Attackers target telecom accounts using phishing and SIM swapping to bypass MFA protections.
  • Phishing kits closely replicate legitimate login pages, capturing sensitive information through POST requests.
  • Delivering the lure through Google Docs helps the links evade detection and lends them the credibility of a trusted platform.
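The redirect chain and credential-capture behaviour described above can be turned into a simple proxy-log check. The following is an added defensive example, not code from the report or from EclecticIQ; the log format, field names and brand keyword list are assumptions, and the sample log lines are constructed (the hostname reuses one of the report's indicators).

```python
"""Flag proxy-log requests matching the Google Docs -> Weebly phishing chain.

Added defensive example, not from the EclecticIQ report. Log format
(ts user method url referer), field names and BRAND_WORDS are assumed.
"""
import re
from urllib.parse import urlparse

# Hosting platforms the report says the actor abused for fake login pages.
ABUSED_HOSTING = ("weebly.com", "weeblysite.com")
# Published Google Docs presentations served as the lure/redirector.
LURE_REFERER = re.compile(r"^https://docs\.google\.com/presentation/d/e/[^/]+/pub")
# Lure words seen in the report's hostnames (assumed list; tune per environment).
BRAND_WORDS = ("att", "telstra", "bank", "webmail", "mail", "login", "secure", "profile")

# Constructed proxy log lines: ts user method url referer ('-' = none)
SAMPLE_LOG = """\
2024-10-28T09:12:01Z alice GET https://docs.google.com/presentation/d/e/2PACX-EXAMPLE/pub?usp=embed_facebook -
2024-10-28T09:12:04Z alice GET https://att-mail-102779.weeblysite.com/ https://docs.google.com/presentation/d/e/2PACX-EXAMPLE/pub
2024-10-28T09:12:31Z alice POST https://att-mail-102779.weeblysite.com/login https://att-mail-102779.weeblysite.com/
2024-10-28T09:15:00Z bob GET https://myteam.weebly.com/ https://www.google.com/
2024-10-28T09:16:00Z carol GET https://example.com/ https://docs.google.com/presentation/d/e/2PACX-OTHER/pub
"""

def host_on_abused_platform(host):
    return any(host == p or host.endswith("." + p) for p in ABUSED_HOSTING)

def brand_in_subdomain(host):
    # Only the customer-chosen label matters; split on '-' to avoid substring noise.
    return any(w in host.split(".")[0].split("-") for w in BRAND_WORDS)

def classify(line):
    """Return the reasons a log line is suspicious (empty list if benign)."""
    _, _, method, url, referer = line.split(" ", 4)
    host = urlparse(url).hostname or ""
    reasons = []
    if not host_on_abused_platform(host):
        return reasons
    if LURE_REFERER.match(referer):      # strongest signal: the documented chain
        reasons.append("google-docs-redirect-to-weebly")
    if brand_in_subdomain(host):         # weaker signal on its own
        reasons.append("brand-lure-subdomain")
        if method == "POST":             # form submission to a brand-lure page
            reasons.append("possible-credential-post")
    return reasons

def scan(log_text):
    """Return [{'user', 'host', 'reasons'}] for every suspicious line."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        reasons = classify(line)
        if reasons:
            _, user, _, url, _ = line.split(" ", 4)
            hits.append({"user": user, "host": urlparse(url).hostname, "reasons": reasons})
    return hits
```

Treat the referer-based chain as the primary alert and the keyword match as corroboration, since legitimate Weebly sites also use words such as "mail" or "secure".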

MITRE Techniques

  • Phishing (T1566): Attackers use Google Docs to deliver phishing links that redirect to fake login pages.
  • Credential Dumping (T1003): Captured credentials from phishing pages are used for unauthorized access.
  • Exploitation of Trust Relationships (T1199): Attackers leverage trusted platforms like Weebly and Google Docs to enhance credibility.
  • Multi-Factor Authentication (MFA) Bypass (T1111): Attackers replicate MFA prompts to deceive users into providing sensitive information.
  • Domain Generation Algorithms (T1483): Dynamic DNS is used for subdomain rotation to maintain active phishing pages.

IoC:

  • [tool] Sentry.io
  • [tool] Datadog


Full Research: https://blog.eclecticiq.com/financially-motivated-threat-actor-leveraged-google-docs-and-weebly-services-to-target-telecom-and-financial-sectors