Phishing operators have turned their attention to the Glitch platform. Criminals are aggressively abusing the service to host free phishing sites that steal passwords. Employees of large corporations, and of firms that do business with the Middle East, are among those targeted.
The campaign was documented in a report by DomainTools researchers, who say it began in July 2021 and is still ongoing.
The threat actors work in the following manner:
• They send e-mail messages with PDF attachments that contain no malicious code, so they do not trip antivirus scanners;
• Instead, each PDF carries a link that leads to a malicious page hosted on the Glitch platform;
• The researchers identified 70 such PDFs in total;
• Each PDF was paired with a unique URL and a unique target e-mail address. All of the links pointed to different "red.htm" pages hosted on Glitch.
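The chain described in the list above (a PDF with no active content whose only payload is a link to a Glitch-hosted "red.htm" page) is exactly what a mail-gateway or SOC triage script needs to catch. The following Python script is an added example, not code from the DomainTools report or from Glitch: it pulls /URI link targets out of a PDF, checks whether the file carries any active content (JavaScript, launch or open actions, embedded files), and flags links to Glitch hosts. The `.glitch.me` suffix is an assumption about where Glitch serves user projects from, and the sample PDF, including its hostname, is constructed for this example.

```python
import re
from urllib.parse import urlparse

# Hosts that Glitch serves user projects from. Assumed for this example; the
# report only says the pages were "hosted on the Glitch platform".
GLITCH_SUFFIXES = (".glitch.me",)

# /URI targets in a PDF appear either as literal strings "(...)" or as hex
# strings "<...>". Literal strings may escape parentheses with a backslash.
_URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
_URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")

# PDF names that mean the file does something beyond displaying content.
# The negative lookahead keeps "/AA" from matching names such as "/AAx".
_ACTIVE_CONTENT = re.compile(
    rb"/(?:JavaScript|JS|Launch|OpenAction|EmbeddedFile|RichMedia|AA)(?![A-Za-z])"
)

# Constructed sample: a minimal, uncompressed PDF whose only payload is a
# link annotation pointing at a made-up Glitch project page.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
  /A << /S /URI /URI (https://example-project.glitch.me/red.htm) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI target found in the raw PDF bytes.

    Caveat: real-world PDFs usually store annotations inside compressed
    object streams, so run this on the decompressed form (e.g. after a
    proper PDF parser has inflated the streams), not on the raw file alone.
    """
    uris = []
    for m in _URI_LITERAL.finditer(pdf_bytes):
        raw = re.sub(rb"\\(.)", rb"\1", m.group(1))  # drop backslash escapes
        uris.append(raw.decode("latin-1"))
    for m in _URI_HEX.finditer(pdf_bytes):
        hexstr = re.sub(rb"\s", b"", m.group(1))
        if len(hexstr) % 2:  # PDF treats a missing trailing digit as 0
            hexstr += b"0"
        uris.append(bytes.fromhex(hexstr.decode("ascii")).decode("latin-1"))
    return uris


def has_active_content(pdf_bytes: bytes) -> bool:
    """True if the PDF contains names associated with executable content."""
    return _ACTIVE_CONTENT.search(pdf_bytes) is not None


def is_glitch_link(url: str) -> bool:
    """True if the URL's host is a Glitch project host (exact or subdomain)."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s[1:] or host.endswith(s) for s in GLITCH_SUFFIXES)


def triage(pdf_bytes: bytes) -> dict:
    """Classify a PDF against the pattern in the report.

    "link-lure" means: no active content, but at least one link to Glitch,
    which is the combination the campaign relies on to slip past AV.
    """
    uris = extract_uris(pdf_bytes)
    glitch_links = [u for u in uris if is_glitch_link(u)]
    red_htm = [u for u in glitch_links if urlparse(u).path.lower().endswith("red.htm")]
    active = has_active_content(pdf_bytes)
    if active:
        verdict = "active-content"
    elif glitch_links:
        verdict = "link-lure"
    else:
        verdict = "no-findings"
    return {
        "uris": uris,
        "glitch_links": glitch_links,
        "red_htm_links": red_htm,
        "active_content": active,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_PDF)
    print(result["verdict"], result["glitch_links"])
```

The verdict deliberately separates "active-content" from "link-lure": the point of the campaign is that the attachment itself is clean, so a rule that only fires on JavaScript or embedded files never sees these PDFs, while a rule that looks at link targets does. In production, feed the script decompressed PDF objects and treat the Glitch host check as one signal among several, since legitimate Glitch links exist.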
Glitch is a cloud-based hosting service: people can deploy apps and websites built with Node.js, React, or a variety of other development frameworks. As BleepingComputer pointed out, the weak point is the platform's free tier, which lets anyone create an app or a page and is being abused to host phishing pages. A free-tier page stays reachable on the web for 5 minutes; once the 5 minutes are up, the user has to manually re-enable it.
Two things make this an ideal combination for threat actors: Glitch's domains enjoy a good reputation with security products because the platform itself is legitimate, and the free tier gives them a no-cost place to host their short-lived malicious URLs.
Digging further, the researchers found a Glitch site that had been submitted to a commercial malware sandbox service; the sandbox's screenshot showed a phishing page imitating a Microsoft SharePoint login.
The PDF that led the researchers to that site was also submitted to VirusTotal, where other HTML documents associated with the sample turned up. When those pages were retrieved, they contained obfuscated JavaScript that relayed the stolen passwords through malicious WordPress sites.
The researchers notified Glitch of the situation, but the company has not yet responded.