Threat Actor Leveraged Google Docs and Weebly Services to Target Telecom and Financial Sectors

Summary:
A phishing campaign targeting telecommunications and financial sectors was identified in October 2024 by EclecticIQ analysts. The attackers utilized Google Docs to deliver phishing links, which redirected victims to fake login pages hosted on Weebly, a trusted website builder. By leveraging Google’s domain for initial delivery, the attackers bypassed traditional email filters and endpoint protections, capitalizing on trusted platforms to increase user engagement and evade detection. Weebly’s reputation and low-cost hosting make it an attractive option for financially motivated threat actors. Using Weebly’s infrastructure, attackers avoided the complexity of self-hosting servers and reduced scrutiny from anti-phishing tools. The campaign demonstrated advanced techniques such as dynamic DNS for subdomain rotation, mimicking real MFA workflows, and incorporating legitimate tracking tools to refine phishing tactics and extend campaign longevity.

The phishing pages were customized to replicate industry-specific portals, such as AT&T webmail and financial institution login screens, targeting users in the U.S., Canada, EMEA, and AMER regions. These tailored designs enhanced credibility, leveraging familiarity with brand-specific interfaces to deceive victims. Attackers also targeted security professionals with phishing lures mimicking content from PICUS, a cybersecurity training tool, further showcasing the campaign's adaptability.

Security Officer Comments:
Key tactics included using realistic MFA prompts to bypass authentication and deploying tracking tools to analyze victim interaction and engagement. Additionally, attackers leveraged SIM swapping techniques, particularly against telecom accounts, to intercept SMS-based MFA codes and maintain unauthorized access. This highlights the need for stronger security measures, such as app-based MFA, to mitigate these risks. The campaign's infrastructure relied heavily on Google Docs and Weebly for delivery and hosting, with dynamic DNS enabling frequent subdomain changes. Analysis revealed clusters of phishing domains tied to a single IP address within Weebly’s hosting services, suggesting an abused segment of their infrastructure.

Suggested Corrections:
Researchers at EclecticIQ have recommended the following mitigations:
  • Email Filtering for Cloud-Shared Documents: Deploy advanced email filtering solutions that analyze the content of cloud-shared documents, like Google Docs, for suspicious links and indicators of phishing. Configure the filters to detect patterns such as unusual document sharing from unknown senders or requests to access sensitive information via embedded links.
  • Proactive DNS Monitoring: Implement a DNS monitoring system that watches for the registration of new domains related to Weebly and Google Docs. Use keyword-based alerts (e.g., "login," "secure access") and threat intelligence feeds to flag newly registered domains or subdomains that could be impersonating legitimate services.
  • Mandatory Multi-Factor Authentication (MFA) and Credential Hygiene: Enforce MFA across all user accounts and mandate strong, regularly updated passwords. Educate users on avoiding password reuse and recognizing phishing attempts, especially on platforms commonly targeted by attackers.
  • Detection of Phishing Kit Artifacts: Configure detection systems to identify known phishing kit artifacts, such as embedded tracking tools (e.g., Sentry.io, Datadog) within login pages. Use these indicators to flag potentially malicious pages early in their lifecycle, as attackers often leverage these tools to monitor victim engagement and refine their phishing strategies.
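As an added illustration of the DNS-monitoring and phishing-kit-artifact recommendations above (example code written for this summary, not EclecticIQ's or any vendor's tooling), the script below does two things: it triages a feed of newly observed hostnames by combining lure keywords with the abused hosting suffixes, and it scans fetched login-page HTML for a password field that sits next to a Sentry or Datadog browser-SDK snippet. The hostnames, the HTML pages and the dynamic-DNS suffix `.example-dyndns.net` are constructed for the example; the tracker regexes are assumptions modelled on the public Sentry and Datadog browser-SDK loader snippets and should be tuned against the real kit samples an analyst has in hand.

```python
import re

# Constructed sample of newly observed hostnames (as they would arrive from a
# passive-DNS or certificate-transparency feed). Made-up values, not IoCs.
NEW_HOSTNAMES = [
    "att-webmail-secure-login.weebly.com",
    "docs.google.com",
    "marketing-newsletter.weebly.com",
    "secure-access-portal.example-dyndns.net",
    "intranet.corp.example",
]

# Keywords the recommendation suggests alerting on, plus a few common lure words.
LURE_KEYWORDS = ("login", "secure", "access", "verify", "webmail", "mfa", "account")

# Free/dynamic hosting suffixes to watch. Weebly is named in the report; the
# dynamic-DNS suffix is an assumed placeholder for whatever provider you track.
WATCHED_SUFFIXES = (".weebly.com", ".example-dyndns.net")


def flag_hostname(hostname):
    """Return (flagged, reasons) for one newly observed hostname."""
    h = hostname.lower().rstrip(".")
    reasons = []
    on_watched = any(h.endswith(s) for s in WATCHED_SUFFIXES)
    if on_watched:
        reasons.append("watched-hosting")
    hits = sorted(k for k in LURE_KEYWORDS if k in h)
    if hits:
        reasons.append("keywords:" + ",".join(hits))
    # Alert when lure keywords appear on watched free/dynamic hosting, or when
    # several lure keywords stack up on any host. A lone keyword, or a lone
    # Weebly site with no lure wording, is too noisy to page on.
    flagged = (on_watched and bool(hits)) or len(hits) >= 2
    return flagged, reasons


def triage(hostnames):
    """Return only the hostnames worth an analyst's attention."""
    return [h for h in hostnames if flag_hostname(h)[0]]


# Assumed patterns for the two tracking SDKs the report names. They are based on
# the SDKs' public loader hostnames and init calls; treat them as a starting point.
TRACKER_PATTERNS = {
    "sentry": re.compile(r"browser\.sentry-cdn\.com|Sentry\.init\(", re.I),
    "datadog": re.compile(r"datadoghq-browser-agent|DD_RUM\.init\(", re.I),
}
PASSWORD_FIELD = re.compile(r"<input[^>]*type\s*=\s*['\"]?password", re.I)


def scan_login_page(html):
    """Flag a credential-capture form that also loads a victim-tracking SDK."""
    has_password = bool(PASSWORD_FIELD.search(html))
    trackers = sorted(name for name, pat in TRACKER_PATTERNS.items() if pat.search(html))
    return {"password_field": has_password, "trackers": trackers,
            "flag": has_password and bool(trackers)}


# Constructed HTML samples; the DSN value is a placeholder, not a real key.
PHISH_PAGE = """<html><head>
<script src="https://browser.sentry-cdn.com/7.0.0/bundle.min.js"></script>
<script>Sentry.init({dsn: "PLACEHOLDER_DSN"});</script>
<script>window.DD_RUM && DD_RUM.init({clientToken: "PLACEHOLDER_TOKEN"});</script>
</head><body><h1>Webmail Sign In</h1>
<form action="/post.php" method="post">
<input type="email" name="user"><input type="password" name="pass">
</form></body></html>"""

DASHBOARD_PAGE = """<html><head>
<script>Sentry.init({dsn: "PLACEHOLDER_DSN"});</script>
</head><body><h1>Usage dashboard</h1><p>No login form here.</p></body></html>"""

PLAIN_LOGIN = """<html><body><form method="post">
<input type="text" name="user"><input type="password" name="pass">
</form></body></html>"""


if __name__ == "__main__":
    for host in NEW_HOSTNAMES:
        print(host, flag_hostname(host))
    for label, page in (("phish", PHISH_PAGE), ("dashboard", DASHBOARD_PAGE), ("plain", PLAIN_LOGIN)):
        print(label, scan_login_page(page))
```

Only two of the five constructed hostnames are flagged: the Weebly site with no lure wording and the Google Docs host are left alone, which is the point of pairing keywords with hosting rather than alerting on either signal by itself. Likewise a dashboard that legitimately uses Sentry is not flagged; the artifact detection fires only when the tracking SDK is co-located with a password field.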

Link(s):
https://blog.eclecticiq.com/financi...vices-to-target-telecom-and-financial-sectors