Security researchers discovered several illicit campaigns that use cloud storage systems like Amazon S3, Google Cloud Storage, Backblaze B2, and IBM Cloud Object Storage. Unnamed threat actors are behind these attacks, which try to divert customers to malicious websites to steal their information via SMS messages.
Campaign details
The campaigns involve exploiting cloud storage platforms such as Amazon S3, Google Cloud Storage, Backblaze B2, and IBM Cloud Object Storage. Unnamed threat actors are behind these campaigns. Their primary goal is to redirect users to malicious websites using SMS messages.
Attack objectives
Bypassing Network Firewalls: First, they want to ensure that scam text messages reach mobile handsets without being detected by network firewalls. Second, they attempt to persuade end users that the communications or links they receive are legitimate.
Building Trust: They aim to convince end users that the messages or links they receive are trustworthy. By using cloud storage systems to host static websites with embedded spam URLs, attackers can make their messages appear authentic while avoiding typical security safeguards.
Cloud storage services enable enterprises to store and manage files and host static websites by storing website components in storage buckets. Cybercriminals have used this capacity to inject spam URLs into static websites hosted on these platforms.
Technique
They send URLs referring to these cloud storage sites by SMS, which frequently avoids firewall limitations due to the apparent authenticity of well-known cloud domains. Users who click on these links are unknowingly sent to dangerous websites.
Execution
For example, attackers utilized the Google Cloud Storage domain "storage.googleapis.com" to generate URLs that lead to spam sites. The static webpage housed in a Google Cloud bucket uses HTML meta-refresh techniques to route readers to fraud sites right away. This strategy enables fraudsters to lead customers to fraudulent websites that frequently replicate real offerings, such as gift card promotions, to obtain personal and financial information.
Enea has also detected similar approaches with other cloud storage platforms like Amazon Web (AWS) and IBM Cloud, in which URLs in SMS messages redirect to static websites hosting spam.
Defense recommendations
To protect against such risks, Enea advised monitoring traffic activity, checking URLs, and being cautious of unexpected communications including links.
