SpiderLabs Blog

Beyond the Facade: Unraveling URL Redirection in Google Services

In the murky waters of cyber threats, one tactic has steadily gained wide adoption: URL redirection in phishing attacks. This stealthy technique allows cybercriminals to cloak malicious links, making them appear harmless to unsuspecting users. Among the vast expanse of online services, various Google services stand out as frequent targets for this kind of abuse, because they give cybercriminals opportune ground to hide their nefarious intents behind seemingly innocuous links.

In the third quarter of 2023, a notable surge in phishing attacks surfaced that leveraged Google AMP (Accelerated Mobile Pages) and Google Apps Scripts to facilitate the attack. Google AMP is a developer framework offered by Google specifically for crafting quick-loading web pages for mobile devices. On the other hand, Google Apps Scripts is a scripting language for extending the functionality of various Google Workspace Apps like Google Sheets, Google Docs, and Google Drive. The attackers ingeniously use the developer URLs associated with these services as redirectors, creating a veil for their phishing websites.

In this first sample, the phishing email disguises itself as a Microsoft SharePoint notification about a shared file, which can be accessed through the link provided. Based on keywords used in the title of this supposed shared file, it appears that it contains information about a financial transaction that would benefit the victim/recipient.

Figure 1: Phishing email disguised as a SharePoint notification.

Figure 2: URL extracted from Figure 1, which leverages Google AMP as a redirector.

The visible link (Figure 2) in the email sample (Figure 1) redirects to another cloud storage service (Figure 3) operated by the Swarm Foundation for use with Ethereum, a form of cryptocurrency.

Figure 3: URL redirection of Figure 2, which leverages the storage service of the Swarm Foundation.

The second sample, like the first, uses a spoofed notification template about a financial transaction, in this case a failed payment.

Figure 4: Phishing email disguised as a ZoomInfo notification.

Figure 5: URL extracted from Figure 4, which leverages Google AMP as a redirector.

The visible URL (Figure 5) redirects to another web service called Azure Front Door, a Content Delivery Network (CDN) from Microsoft that offers fast and reliable access to web content.

Figure 6: URL redirection of Figure 5, which leverages Microsoft's Azure Front Door service.

In the third sample, the email is disguised as a system upgrade notification instructing the victim to update their account by signing in through the link provided. This time, the threat actor leveraged another service, Google Apps Scripts. Google had already taken down the malicious macro code by the time we got our hands on the sample. Although a URL of this kind is clearly out of place in a notification like this and should raise red flags, it can still pass as legitimate to an untrained eye.

Figure 7: Phishing email disguised as a system update notification.

Figure 8: URL extracted from Figure 7, which leverages Google Apps Scripts.

Though we couldn't inspect the landing pages in the provided samples due to the URLs being taken down, the added complexity resulting from the involvement of genuine services in the redirection chain demands our attention. Google, among various other legitimate online services, is exploited by threat actors to sidestep email filters. The use of authentic domains not only provides a false sense of security but also lures unsuspecting victims into clicking on links, making this approach increasingly favored in phishing attacks.
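A defender-side illustration of the redirection chain described above, added here and not part of the original post or of any Trustwave tooling: it pulls URLs out of a constructed email body, unwraps Google AMP viewer links to expose the real destination host, and flags Apps Script web-app endpoints for analyst review. The URL layouts it assumes (`google.com/amp/s/<host>/<path>`, with `/amp/<host>/...` meaning a plain-HTTP target, and `script.google.com/macros/s/<id>/exec`) come from how those services publish links, not from the post's figures.

```python
import re
from urllib.parse import urlparse, unquote

# Constructed sample email body; the hosts and script ID are placeholders,
# not indicators from the original post.
SAMPLE_EMAIL = """
Please review the shared document:
https://www.google.com/amp/s/example-storage.invalid/share/invoice-2023.html
Reset your account here: https://script.google.com/macros/s/AKfycb_PLACEHOLDER_ID/exec
Normal link: https://www.example.com/about
"""

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def unwrap_amp(url: str):
    """Return the destination hidden inside a Google AMP viewer link, or None.

    Assumed layout (from the service, not the post): /amp/s/<host>/<path> for
    an HTTPS target, /amp/<host>/<path> for an HTTP target; the inner part may
    be percent-encoded."""
    parsed = urlparse(url)
    if parsed.netloc.lower() not in ("www.google.com", "google.com"):
        return None
    match = re.match(r"^/amp/(?:s/)?(.+)$", parsed.path)
    if not match:
        return None
    scheme = "https" if parsed.path.startswith("/amp/s/") else "http"
    return f"{scheme}://{unquote(match.group(1))}"


def classify(url: str) -> dict:
    """Label one URL: 'amp-redirect' (with its real target), 'apps-script'
    for script.google.com web-app endpoints, or 'plain'."""
    target = unwrap_amp(url)
    if target:
        return {"url": url, "kind": "amp-redirect", "target": target,
                "target_host": urlparse(target).netloc.lower()}
    host = urlparse(url).netloc.lower()
    kind = "apps-script" if host == "script.google.com" else "plain"
    return {"url": url, "kind": kind, "target": None, "target_host": host}


def scan_email(body: str) -> list:
    """Extract every URL from an email body and classify it; the result is what
    a mail filter should evaluate instead of the visible google.com hostname."""
    return [classify(u) for u in URL_RE.findall(body)]
```

Reputation checks should be applied to `target_host`, not to the outer `google.com` host, which is exactly what the redirector is meant to hide.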

It becomes crucial to heighten awareness by anticipating a surge in such tactics over time. Staying informed is key to protecting oneself against these evolving threats. Remain watchful and informed to better shield against these deceptive maneuvers.
