A phishing campaign is targeting the telecom and financial sectors. The attackers use Google Docs containing malicious links that lead to Weebly-hosted fake login pages, and dynamic DNS keeps those pages reachable.
The phishing pages mimic real MFA workflows to bypass authentication and steal credentials. The attackers also embed tracking tools such as Sentry.io and Datadog to monitor victim interaction and refine the campaign for better results.
The campaign uses industry-specific replicas of login pages hosted on Weeblysite and Google Docs to target users in the finance, telecommunications, and cybersecurity sectors, and it employs dynamic DNS to rotate URLs and extend the campaign's lifetime.
By mimicking legitimate platforms and tailoring the phishing content to each industry, the attackers evade traditional security controls and raise the likelihood of a successful compromise, which can lead to data breaches and financial loss.
The campaign shows a high degree of sophistication: its highly customized phishing pages closely mimic legitimate brand login portals and embed legitimate tracking tools such as Snowplow Analytics and Google Analytics to monitor victim engagement in real time.
The attackers also present fake MFA prompts that closely resemble genuine security steps, which further increases the effectiveness of the phishing attempts and underscores the need for stronger MFA defenses and user awareness against these evolving threats.
The attackers launched a phishing campaign against telecom services with the goal of bypassing SMS-based MFA, using phishing sites that mimic legitimate login pages to steal user credentials.
Once obtained, these credentials let the attackers initiate SIM swaps on the victim's account, effectively hijacking the phone number, which could then be used to intercept SMS-based MFA codes and complete the account takeover.
The campaign relies on free services such as Weebly for quick deployment and on subdomain rotation to evade detection. The attackers used PICUS-themed lures to target security professionals and Google Docs to host phishing content, exploiting trust in those platforms and bypassing traditional anti-phishing measures.
The campaign initially targeted telecom and financial institutions with lookalike login pages, but its adaptable infrastructure suggests future attacks on other sectors that abuse cloud collaboration tools for access, which makes detection difficult.
Analysis by EclecticIQ revealed shared IP addresses and domains across the phishing sites, possibly through abuse of Weebly's hosting, which hides malicious content within a trusted platform's IP range.
To mitigate the threat, organizations should use email filters that analyze linked cloud documents for phishing indicators, while proactive DNS monitoring combined with threat intelligence can identify suspicious Weebly and Google Docs domains.
Enforcing MFA, strong passwords, and user education on phishing tactics are crucial, and detection systems should be configured to identify phishing kit elements such as embedded tracking tools.
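The two detection ideas above (flagging phishing-kit traits such as embedded tracking tools on a credential page, and spotting rotating free-hosting subdomains in DNS logs) can be turned into simple heuristics. The following is an added example written for this page; it is not EclecticIQ's detection logic or any vendor's product. The tracker script-source patterns, the `.weeblysite.com` hosting check, the DNS log format, and the sample HTML and DNS lines are all constructed assumptions.

```python
"""Added example (not from the EclecticIQ report): defender-side heuristics that
flag phishing-kit traits described on the page: a credential/MFA form served from
free hosting, a lure arriving via Google Docs, embedded third-party telemetry
(Sentry, Datadog, Snowplow, Google Analytics), and rotating subdomains in DNS logs.
All patterns and sample inputs below are constructed for illustration."""
import re
from urllib.parse import urlparse

# Assumed script-source fragments for the telemetry products named in the report.
TRACKER_PATTERNS = {
    "sentry": re.compile(r"sentry\.io|browser\.sentry-cdn\.com", re.I),
    "datadog": re.compile(r"datadoghq\.com|DD_RUM", re.I),
    "snowplow": re.compile(r"snowplow", re.I),
    "google_analytics": re.compile(r"google-analytics\.com|googletagmanager\.com|\bgtag\(", re.I),
}
CREDENTIAL_FORM = re.compile(r"<input[^>]+type=[\"']?password", re.I)
MFA_PROMPT = re.compile(r"(one[- ]time|verification|mfa|2fa|otp)\s*(code|passcode)", re.I)
FREE_HOSTING = (".weeblysite.com", ".weebly.com")   # assumed free-hosting suffixes
DOC_LURE_HOSTS = ("docs.google.com",)
# Assumed DNS log format: "<timestamp> <client-ip> <queried-name>"
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")


def scan_page(url, html, referrer=None):
    """Return the indicator names present for an already-fetched page.
    Indicators are independent; is_suspicious() decides the alert rule."""
    host = (urlparse(url).hostname or "").lower()
    found = []
    if host.endswith(FREE_HOSTING):
        found.append("free_hosting")
    if referrer and (urlparse(referrer).hostname or "").lower() in DOC_LURE_HOSTS:
        found.append("doc_lure_referrer")
    if CREDENTIAL_FORM.search(html):
        found.append("credential_form")
    if MFA_PROMPT.search(html):
        found.append("mfa_prompt")
    for name, pattern in TRACKER_PATTERNS.items():
        if pattern.search(html):
            found.append(f"tracker:{name}")
    return found


def is_suspicious(indicators):
    """A password form on free hosting that also loads telemetry is the
    combination the report describes; brand portals rarely live on such hosts."""
    has_tracker = any(i.startswith("tracker:") for i in indicators)
    return "credential_form" in indicators and "free_hosting" in indicators and has_tracker


def rotating_subdomains(lines, zones=("weeblysite.com",), threshold=3):
    """Report (client, zone) pairs where one client resolved at least `threshold`
    distinct subdomains of a monitored zone, the URL-rotation pattern described."""
    seen = {}  # (client, zone) -> set of distinct queried names
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than fail the whole batch
        qname = m["qname"].rstrip(".").lower()
        for zone in zones:
            if qname.endswith("." + zone):
                seen.setdefault((m["client"], zone), set()).add(qname)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}


# Constructed sample page: password form, OTP prompt, Sentry and Datadog snippets.
SAMPLE_URL = "https://secure-login-a1.weeblysite.com/login"
SAMPLE_HTML = """<html><head>
<script src="https://browser.sentry-cdn.com/7.0.0/bundle.min.js"></script>
<script>window.DD_RUM && DD_RUM.init({clientToken: 'placeholder'});</script>
</head><body>
<form method="post"><input name="user"><input type="password" name="pass">
<p>Enter the verification code sent to your phone</p></form>
</body></html>"""

# Constructed DNS log: one client walks three distinct weeblysite.com hosts.
SAMPLE_DNS = [
    "2024-01-01T10:00:00Z 10.0.0.5 secure-login-a1.weeblysite.com.",
    "2024-01-01T10:05:00Z 10.0.0.5 secure-login-b2.weeblysite.com.",
    "2024-01-01T10:09:00Z 10.0.0.5 portal-c3.weeblysite.com.",
    "2024-01-01T10:10:00Z 10.0.0.7 docs.google.com.",
    "2024-01-01T10:11:00Z 10.0.0.7 intranet.example.com.",
]

if __name__ == "__main__":
    found = scan_page(SAMPLE_URL, SAMPLE_HTML, referrer="https://docs.google.com/document/d/x")
    print("indicators:", found, "suspicious:", is_suspicious(found))
    print("rotation:", rotating_subdomains(SAMPLE_DNS))
```

`scan_page` works on content that has already been fetched by a sandbox or proxy, so it never contacts the site itself; the DNS heuristic needs only passive query logs. Both are meant as triage signals to feed threat intelligence, not as stand-alone blocking rules.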