Upcoming Webinar
Navigating Your Zero Trust Journey: Key Consideration and Best Practice for 2025
Icon Rounded Closed - BRIX Templates

Decoding a Google Drawings and WhatsApp open redirection phish

|

Open Redirect campaigns, like EvilProxy and Browser in the Browser, are an attack type that has been around for years. The threat is based on a user being sent to what appears to be a trusted website, then redirected to a site controlled by attackers. In this case, the attackers chose a group of the best-known websites in computing to craft the threat, including Google and WhatsApp to host the attack elements, and an Amazon look-alike to harvest the victim’s information. This attack is a great example of a Living Off Trusted Sites (LOTS) threat. 

How it works

This attack begins with a phishing email that directs the victim to a graphic that looks like an Amazon account verification link.

This graphic is actually hosted in Google Drawings, part of the Google Workspace suite, that allows users to collaborate on graphics. 

Such a site is not typically blocked by traditional security tools. Another thing that makes Google Drawings appealing in the beginning of the attack is that it allows users (in this case, the attacker) to include links in their graphics. Such links may easily go unnoticed by users, particularly if they feel a sense of urgency around a potential threat to their Amazon account. 

Digram depection of the attack chain with the step by step brakedown of phishing attack

When the victim clicks on the "Continue Verification" link, they are sent to what looks like an actual Amazon Sign-In page. In reality, that “Continue Verification” button link has been crafted using a WhatsApp URL shortener, "l.wl.co." While URL shorteners have benefits when used to communicate a lengthy link, they can also be used to hide the fact that they actually lead to a malicious site. 

We believe that "l.wl.co" was chosen because shortened WhatsApp links created with this service do not present any type of warning to the user that they are being redirected to a different site altogether. As an extra precautionary measure, the link created with the WhatsApp URL shortener is then appended with another URL shortener, "qrco[.]de," which is a URL shortener service for dynamic QR codes. We believe that this second step is designed to obfuscate the original link still further, in an effort to evade security URL scanners.

The redirected link takes the victim to what looks like an Amazon Sign-In page.

When the user enters their Amazon credentials, they are presented with four different pages, including: 

  • Security
  • Billing
  • Payments
  • Finish 

These pages are purportedly being used to perform a Security Checkup to protect the victim’s account. The victim’s credentials are collected as they fill out each of the four steps, and are sent to the attacker using different URL paths hosted in the same domain - /appswebpymentmanagebillinfoaccscure[.]tech2go[.]pro. 

This means that even if the victim changes their mind or stops in the middle of handing over this information, the attacker still gets vital data from every step that has already been completed.

The Security Checkup page asks the victim to present personal information, including their mother’s maiden name, their birthdate, and their phone number. Once that stage is completed, the victim is asked to click to continue, and they are taken to the Billing Checkup page.

The phished Billing page asks for the complete billing address associated with the victim's account, and they are then sent to the Payments Verification page. That page asks for credit or debit cards, along with the cardholder's name, the full card number, expiration date, and security code. The user is then taken to the Finish page while the information that they entered is “verified.”

The victim is then sent back to the original phished Amazon login page. This page looks real and presents several checks and conditions that mirror what an authentic site might request, including username format, password length, and proper credit/debit card information.

As is common with many phishing attacks, once the credentials have been entered and validated, the webpage is no longer accessible from the same IP address.

What you can do

It is tempting to believe that user education is the solution, but the facts tell a different story. While user security training is certainly helpful, it is a mistake to rely on training alone. There are simply too many different types of attacks. 

You could add more security tools, but Highly Evasive Adaptive Threats (HEAT) like this one, can still get through. These attacks are happening in the browser and are taking advantage of the brands and domains that users instinctively trust, making it hard to tell they’re dangerous. Today, evasive threats make up 30% of total browser-based phishing attacks. 

One of the best and most easily deployed methods of safeguarding users is the tool that we at Menlo Security used to catch this threat – Menlo HEAT Shield. HEAT Shield uses a combination of methods to catch threats like these including real-time AI analysis. This technology uses proprietary computer vision, dynamic risk scoring, object detection models, and analysis of web page elements to catch threats that users - and traditional security tools that rely on categorization - would never see. These checks are performed in real-time, providing high accuracy and enabling immediate response. Once caught, the threat is blocked and the website is reclassified. 

It’s important to note that Menlo captures phishing URLs similar to this one every day.

For even more information about a threat, such as phishing, we recommend Browsing Forensics. When configured to capture user sessions when an attack such as this one is observed, Browsing Forensics can deliver a detailed view into the user session itself. These captures include screens, which SOC teams can scroll through by simply pressing Play. Additional details include user inputs, and captures of the page resources themselves with information like Javascript, CSS, HTML, and more. This allows threat hunters to study an attacker’s methods, even if the web pages themselves are not available.

To see a full technical analysis breakdown, download it here.

Menlo Security

menlo security logo
linkedin logotwitter/x logofacebook logoSocial share icon via eMail