Hackers Exploiting Amazon, Google And IBM Cloud Services

Criminals are exploiting cloud storage services to host phishing websites for SMS scams by abusing the static website hosting feature of cloud storage to store HTML files with malicious URLs, which are included in SMS text messages that bypass firewalls because they contain trusted cloud platform domains. 

Clicking the link in the SMS directs users to a seemingly legitimate website hosted on cloud storage, which then redirects them to the phishing site to steal their information. 

Attackers are exploiting Google Cloud Storage by hosting a malicious webpage within a bucket, which leverages the “HTML meta refresh” technique, a web development function that automatically reloads or redirects the user to another webpage after a set time.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs:Try Free Demo 

Spam emails contain links to this initial webpage hosted on Google Cloud Storage, tricking users into unknowingly visiting the malicious site. 

The attacker leverages Google Cloud Storage by creating a bucket named “dfa-b” to host a malicious HTML page, “dfmc.html,”  which exploits the “meta refresh” tag with a zero-second delay to redirect unsuspecting users to a different URL automatically. 

The URL that is the target of the attack probably contains more parameters for tracking or malicious purposes. 

Malicious actors leverage a meta refresh tag within SMS phishing messages to automatically redirect users to fraudulent websites (scam website landing page, page 2, page 3) disguised as legitimate gift card offers. 

The technique aims to steal personal and financial information, as the redirection utilizes cloud storage services like Google Cloud Storage, though Amazon Web Services and IBM Cloud are also exploited for similar scams.  

Scammers increasingly leverage cloud storage services like Amazon AWS, IBM Cloud, and Blackblaze B2 Cloud to conduct phishing attacks via SMS, as these messages contain links that appear to be legitimate cloud storage URLs. 

However, clicking the link directs users to malicious static websites designed to steal personal information. Upon clicking the link, the user might be automatically redirected to a website that impersonates a popular platform, such as a bank login page. 

According to Enea, the technique allows scammers to bypass security filters because the initial link originates from a trusted cloud provider, making it seem more credible, which increases the success rate of these phishing attempts as users are less likely to suspect a link from a legitimate cloud service provider.

Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Sign up for free.