When trust goes phishing, no inbox is safe. Attackers have taken phishing to the next level by abusing household names like Google Docs and Weebly (a legitimate, user-friendly website builder service) to trick victims into handing over their credentials. In this clever con, Google Docs serves the bait and Weebly hosts the trap: both links point at domains users already trust, so the usual red flags are missing.
This campaign is a masterclass in social engineering, preying on the trust users place in big-name platforms. Tailored lures mimic AT&T, bank login portals and even security training tools, and the kit pairs fake MFA prompts with SIM swapping so that accounts protected by SMS codes can still be taken over.
Key Observations
Infrastructure Abuse:
· Delivery Vector: Google Docs presentations carry embedded phishing links. The share notification itself only points at docs.google.com; the link inside the document redirects the victim to a fake login page on a Weebly-hosted domain.
· Dynamic DNS Usage: The attackers rotate through freshly created subdomains, so an exact-hostname blocklist entry only covers the lure already seen and the campaign keeps running on the next one.
Sophisticated MFA Phishing:
· Fake MFA prompts replicate legitimate workflows, such as access-code entry screens, so the victim sees the steps they expect and types in the one-time code, which the attacker can submit to the real site while it is still valid.
Tracking Tool Integration:
· Legitimate tools like Sentry.io, Datadog, and Google Analytics are embedded in the phishing pages to monitor how victims move through them (errors, drop-off, form completion), letting the operators tune the lures and raise success rates.
Tailored Lures:
· Customized phishing pages mimic telecom (e.g., AT&T) and financial (e.g., Canadian banks) login portals, so the page matches the brand the victim expects to see.
Targeting Cybersecurity Professionals:
· PICUS-themed phishing pages masquerade as security training content aimed at security staff, whose accounts are often highly privileged.
SIM Swapping:
· Credentials phished from telecom accounts let attackers perform SIM swaps, moving the victim's number to a device they control so that SMS-based MFA codes for other accounts arrive with the attacker, facilitating account takeovers.
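Why the fake access-code prompt works against one-time codes but not against origin-bound authentication, as an added example that is not part of the original report: the model below reproduces both MFA flows in simplified Python. A TOTP code (RFC 6238, HMAC-SHA1) typed into the fake page is replayed to the real identity provider inside its verification window and is accepted, because nothing ties the code to where it was typed. A WebAuthn-style assertion carries the page origin inside the signed client data, so the relying party rejects one produced on a lure host (a real browser would refuse to use the credential at all, since the RP ID does not match the phishing origin). The secrets, origins and challenge are constructed, and HMAC-SHA256 stands in for the credential's public-key signature; none of these values come from the report.

```python
import hashlib
import hmac

# Constructed secrets and origins (not from the report). In practice the TOTP seed lives in the
# victim's authenticator app and the IdP; the WebAuthn key never leaves the security key.
TOTP_SECRET = b"constructed-totp-seed-0001"
WEBAUTHN_KEY = b"constructed-credential-key"               # stands in for the credential's private key
LEGIT_ORIGIN = "https://login.telco.example"               # hypothetical relying party
PHISH_ORIGIN = "https://att-secure-login.weebly.example"   # hypothetical lure host


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamic truncation, 6 digits."""
    counter = (now // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def idp_verify_totp(secret: bytes, code: str, now: int, step: int = 30) -> bool:
    """Typical IdP tolerance: accept the current step and one step either side."""
    return any(hmac.compare_digest(totp(secret, now + d * step), code) for d in (-1, 0, 1))


def relay_totp_phish(now: int) -> bool:
    """Fake access-code page: the victim types the code from their app, the attacker submits it
    to the real IdP a few seconds later. The code is not bound to where it was typed, so it works."""
    code_typed_by_victim = totp(TOTP_SECRET, now)
    return idp_verify_totp(TOTP_SECRET, code_typed_by_victim, now + 5)


def authenticator_sign(key: bytes, challenge: bytes, origin: str) -> dict:
    """The browser writes the page origin into the client data; the authenticator signs over it.
    Simplification: HMAC-SHA256 stands in for the ECDSA signature a real credential produces."""
    client_data = f"{origin}|{challenge.hex()}".encode()
    return {"origin": origin, "challenge": challenge,
            "sig": hmac.new(key, client_data, hashlib.sha256).digest()}


def rp_verify_assertion(key: bytes, assertion: dict, expected_challenge: bytes) -> bool:
    """Relying party: origin and challenge must match before the signature is even checked."""
    if assertion["origin"] != LEGIT_ORIGIN or assertion["challenge"] != expected_challenge:
        return False
    client_data = f"{assertion['origin']}|{assertion['challenge'].hex()}".encode()
    expected = hmac.new(key, client_data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])


def webauthn_login(origin: str) -> bool:
    """Run the challenge/response with the victim's browser sitting on the given origin."""
    challenge = hashlib.sha256(b"constructed-server-challenge").digest()  # fresh per login in reality
    assertion = authenticator_sign(WEBAUTHN_KEY, challenge, origin)
    return rp_verify_assertion(WEBAUTHN_KEY, assertion, challenge)


if __name__ == "__main__":
    print("TOTP typed into fake prompt, replayed by attacker:", relay_totp_phish(1_700_000_000))  # True
    print("WebAuthn assertion from the lure origin:", webauthn_login(PHISH_ORIGIN))            # False
    print("WebAuthn assertion from the real origin:", webauthn_login(LEGIT_ORIGIN))            # True
```

The replay succeeds even when the victim types the code at the very end of a 30-second step, because the identity provider's usual one-step tolerance covers the few seconds the attacker needs. That is the property app-based codes share with SMS codes; moving off SMS removes the SIM-swap path but not the fake-prompt path.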
Recommendations
1. Enhance Detection Mechanisms
· Deploy email filters that fetch and analyze the links embedded within cloud-shared documents like Google Docs, since the share notification itself only carries a clean docs.google.com URL. Flag unusual document-sharing patterns from external accounts.
· Monitor for Weebly-hosted subdomains (and similar free-hosting platforms) whose labels contain keywords such as “secure,” “login,” and “access,” or the names of brands your users log in to.
2. Strengthen MFA Protections
· Transition from SMS-based MFA to app-based or hardware-based solutions to mitigate SIM-swapping risks. Note that app-generated codes stop SIM swapping but are still captured by the fake access-code pages in this campaign; only phishing-resistant methods such as FIDO2/WebAuthn security keys or passkeys, which bind the login to the site's origin, defeat both.
· Incorporate adaptive MFA that flags login attempts from new geolocations or unusual devices.
3. Raise Awareness
Conduct targeted phishing awareness training emphasizing:
· Risks of trusting Google Docs links: Google does not vet the links inside a shared document, so a document from an unknown sharer deserves the same suspicion as an attachment.
· Recognizing authentic MFA workflows, in particular that a genuine access-code prompt appears on the provider's own domain, never on a third-party host.
4. Proactively Monitor Infrastructure
· Use threat intelligence platforms (TIPs) to identify and block malicious subdomains and IPs tied to Weebly-hosted phishing campaigns. Block the specific subdomains rather than the platform as a whole, and expect them to rotate.
5. Investigate Tracking Artifacts
· Identify phishing kits embedding Sentry.io or Datadog scripts. The tools are legitimate; the signal is a credential form on a free-hosted subdomain that loads them. The project identifiers in those snippets (a Sentry DSN, a Datadog client token, a Google Analytics measurement ID) stay constant while subdomains rotate, so cross-reference them with known malicious configurations to tie new pages to the campaign and detect it early.
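A detection pass covering recommendations 1, 4 and 5, added here as an example and not taken from the report: it unwraps the google.com/url redirect that wraps links in exported Google Docs, flags Weebly-hosted hostnames whose labels contain login keywords or the lure brands named above, counts distinct subdomains under the platform suffix to surface rotation, and marks a fetched page as suspicious only when a password field sits on a free-hosted subdomain together with a Sentry, Datadog or Google Analytics loader. The log lines, page and hostnames are constructed; the SDK loader hostnames are the public CDNs those products use and are an assumption to tune against what you actually observe.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# weebly.com is the platform named in the report; add other free-hosting suffixes as needed.
HOSTED_SUFFIXES = ("weebly.com",)
KEYWORD_TOKENS = {"secure", "login", "access", "signin", "verify", "auth", "account"}
BRAND_TOKENS = {"att", "picus", "bank"}            # lure brands from the report; extend with your own
TRACKER_PATTERNS = {                               # loader hostnames of the SDKs named in the report (assumed)
    "sentry": re.compile(r"sentry-cdn\.com|sentry\.io", re.I),
    "datadog": re.compile(r"datadoghq-browser-agent\.com|datadoghq\.com", re.I),
    "google_analytics": re.compile(r"googletagmanager\.com|google-analytics\.com", re.I),
}
PASSWORD_FIELD = re.compile(r"<input[^>]*type\s*=\s*[\"']?password", re.I)
HREF = re.compile(r"href\s*=\s*[\"']([^\"']+)", re.I)
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+dst=(?P<url>\S+)")  # constructed log format


def unwrap_google_redirect(url: str) -> str:
    """Links inside shared Google Docs are wrapped as https://www.google.com/url?q=<target>;
    return the real target so the hosted-domain checks run against it."""
    p = urlparse(url)
    if p.netloc.endswith("google.com") and p.path == "/url":
        target = parse_qs(p.query).get("q")
        if target:
            return target[0]
    return url


def hosted_suffix(host: str):
    """The free-hosting suffix a host sits under, or None."""
    host = host.lower()
    return next((s for s in HOSTED_SUFFIXES if host == s or host.endswith("." + s)), None)


def host_reasons(host: str) -> list:
    """Reasons a hostname looks like a lure on a free-hosting platform; empty list if none.
    Labels are tokenized on non-letters so 'att' does not match 'mattress'."""
    suffix = hosted_suffix(host)
    if not suffix:
        return []
    sub = host.lower()[: -len(suffix) - 1]
    tokens = set(re.split(r"[^a-z]+", sub)) - {""}
    reasons = []
    if tokens & KEYWORD_TOKENS:
        reasons.append("login-keyword:" + ",".join(sorted(tokens & KEYWORD_TOKENS)))
    if tokens & BRAND_TOKENS:
        reasons.append("brand-token:" + ",".join(sorted(tokens & BRAND_TOKENS)))
    return reasons


def scan_proxy_log(lines, rotation_threshold: int = 3) -> dict:
    """Flag suspicious hosted URLs per line and report subdomain rotation under one platform suffix."""
    hits, subdomains = [], defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        host = urlparse(unwrap_google_redirect(m["url"])).hostname or ""
        reasons = host_reasons(host)
        if reasons:
            hits.append({"ts": m["ts"], "user": m["user"], "host": host, "reasons": reasons})
            subdomains[hosted_suffix(host)].add(host)
    rotation = {s: sorted(h) for s, h in subdomains.items() if len(h) >= rotation_threshold}
    return {"hits": hits, "rotation": rotation}


def scan_page(url: str, html: str) -> dict:
    """A credential form on a free-hosted subdomain that also loads commercial telemetry SDKs is the
    artifact combination the report describes; a brand's real login page is not hosted on weebly.com."""
    host = urlparse(url).hostname or ""
    trackers = sorted(name for name, pat in TRACKER_PATTERNS.items() if pat.search(html))
    has_password = bool(PASSWORD_FIELD.search(html))
    hosted = hosted_suffix(host) is not None
    return {"host": host, "hosted": hosted, "password_form": has_password,
            "trackers": trackers, "suspicious": hosted and has_password and bool(trackers)}


def links_from_doc_export(html: str) -> list:
    """Targets of every link in an exported Google Docs page, after unwrapping the redirect."""
    return [unwrap_google_redirect(h) for h in HREF.findall(html)]


SAMPLE_LOG = [  # constructed proxy log lines, not from the report
    "2024-11-12T09:14:02Z user=alice dst=https://docs.google.com/presentation/d/abc123/edit",
    "2024-11-12T09:14:40Z user=alice dst=https://www.google.com/url?q=https://att-secure-login.weebly.com/index.html",
    "2024-11-12T10:02:11Z user=bob dst=https://access-verify-account.weebly.com/",
    "2024-11-12T11:30:05Z user=carol dst=https://picus-training-login.weebly.com/",
    "2024-11-12T11:31:00Z user=carol dst=https://www.weebly.com/",
    "2024-11-12T12:00:00Z user=dave dst=https://mattress-store.weebly.com/",
]
SAMPLE_PAGE = """<html><head>
<script src="https://browser.sentry-cdn.com/7.0.0/bundle.min.js"></script>
<script src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
</head><body><form action="/submit"><input name="u"><input type="password" name="p"></form></body></html>"""

if __name__ == "__main__":
    result = scan_proxy_log(SAMPLE_LOG)
    for hit in result["hits"]:
        print(hit["ts"], hit["user"], hit["host"], hit["reasons"])
    print("rotation:", result["rotation"])
    print("page:", scan_page("https://att-secure-login.weebly.com/index.html", SAMPLE_PAGE))
```

On the sample data the three lure hosts are flagged, www.weebly.com and mattress-store.weebly.com are not, and the three distinct subdomains under weebly.com trip the rotation threshold, which is the cue to pivot on the kit's tracker identifiers rather than keep adding single hostnames to a blocklist.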