Netskope Threat Research Labs has recently discovered a new technique being used by scammers to reach potential victims: send emails and SMS messages that include links to common services, such as AWS, Azure, Alibaba cloud, and Google Docs. We have seen this technique used for well-known scams, like fake pharmacies, dating sites, and tech support, which seek to steal PII or blackmail victims. This post provides some specific examples of attackers using this technique and explores the reasons why we are seeing it gain popularity.
Tech Support Scams hosted on IaaS Object Storage Services
We have seen tech support scams hosted in Alibaba, AWS, and Azure, with scammers quickly rotating from one object store to another, using seemingly arbitrary names. Figure 1 shows some of the static store URL examples that were hosting these scams at the time of writing. Figure 2 shows an example page hosted at one of these URLs. In this example, a fake Microsoft support page encourages the victim to phone in for support. It would then apply social engineering techniques to gain credit card information. Netskope Advanced Threat Protection detects these attacks as Trojan.Cryxos.1726.
The ease of rapidly switching to new URLs and cheap hosting cost makes services such as Alibaba, AWS, and Azure a viable target for the scammers. The object store names can be randomly generated using a DGA (domain generation algorithm) to make shutting down the scams difficult. Attackers can also use compromised accounts or incorrectly configured object stores to host the payloads.
Use of Google Docs in Smishing and Phishing
In another example, we noticed scammers abusing Google Docs to create presentations and sharing them through phishing and smishing (SMS text message based Phishing). The presentations serve as a bait to hide a malicious link behind it. Figure 3 shows one such example email and SMS message.