Hackers Leveraging Google Docs & Weebly Services To Attack Telecom Industries


A sophisticated phishing campaign targeting the telecommunications and financial sectors was uncovered by cybersecurity researchers at EclecticIQ in late October 2024.

The attackers employed a cunning strategy, utilizing Google Docs to deliver phishing links that redirected victims to fake login pages hosted on Weebly, a popular website builder service.


The threat actors exploited the trusted reputation of Google’s domain to bypass standard email filters and endpoint protections.

By embedding malicious links within Google Docs, the attackers leveraged the inherent trust associated with widely used platforms, increasing the likelihood of user engagement.

Security analysts at EclecticIQ discovered that Weebly’s legitimate infrastructure played a crucial role in this campaign:-

  • Low-cost hosting and ease of use made it attractive to financially motivated threat actors
  • Its established reputation helped evade anti-phishing scanners
  • Attackers could avoid the complexity of self-hosted servers


Technical Analysis

The campaign demonstrated a high level of customization, with phishing pages meticulously designed to mimic login portals of specific brands such as AT&T and various financial institutions.

US-based telecommunications institution (Source – EclecticIQ)

This industry-specific approach increased the credibility of phishing lures, as victims were more likely to trust interfaces aligned with their work environment.

The key features of the campaign are:-

  • Use of Weeblysite domains (e.g., att-mail-102779[.]weeblysite[.]com)
  • Customized phishing pages for multiple sectors
  • Dynamic DNS infrastructure for frequent URL rotation
  • Targeting of both EMEA and AMER regions

MFA phishing prompt on secured1st-accesscode[.]weebly[.]com (Source – EclecticIQ)

To increase success rates, attackers implemented fake Multi-Factor Authentication (MFA) prompts that closely replicated legitimate security steps. For instance, the secured1st-accesscode[.]weebly[.]com page prompted victims to enter a “secure access code,” mimicking genuine MFA workflows.

The phishing pages incorporated legitimate tracking tools such as Snowplow Analytics and Google Analytics. These tools allowed attackers to monitor victim engagement, collect interaction data, and refine their phishing techniques over time.

In addition to phishing, attackers targeted telecom accounts with SIM swapping techniques. By obtaining telecom account credentials, they could initiate SIM swaps, intercepting SMS-based MFA codes and other communications tied to victims’ accounts.

The phishing kits utilized HTML forms that closely mimicked legitimate login pages for targeted brands. Attackers leveraged Weebly’s quick deployment features and dynamic DNS for subdomain rotation to evade detection.

To counter such sophisticated attacks, organizations should implement:-

  1. Advanced email filtering for cloud-shared documents
  2. Proactive DNS monitoring
  3. Mandatory Multi-Factor Authentication (MFA) and credential hygiene
  4. Detection systems for phishing kit artifacts
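As an added illustration of items 2 and 4 (not code from the article or from EclecticIQ), the following Python snippet scans constructed proxy log lines for subdomains under the abused site-builder domains and scores them on the brand, credential and rotating-number vocabulary seen in the reported hostnames. The log format, user names and token lists are assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (not from the report); hostnames follow
# the naming style described above.
SAMPLE_LOGS = [
    "2024-10-28T09:12:03Z user=jdoe url=https://att-mail-102779.weeblysite.com/login",
    "2024-10-28T09:13:41Z user=asmith url=https://secured1st-accesscode.weebly.com/verify",
    "2024-10-28T09:15:10Z user=bchan url=https://docs.google.com/document/d/abc123/edit",
    "2024-10-28T09:16:22Z user=dlee url=https://example-bakery.weebly.com/menu",
]

# Site-builder domains abused in the campaign; any subdomain is tenant content.
BUILDER_DOMAINS = ("weebly.com", "weeblysite.com")
# Assumed lure vocabulary: brand labels score higher than generic auth words.
BRAND_TOKENS = ("att", "verizon", "tmobile", "bank")
AUTH_TOKENS = ("mail", "login", "secure", "accesscode", "mfa", "verify", "auth")

URL_RE = re.compile(r"url=(\S+)")
USER_RE = re.compile(r"user=(\S+)")


def subdomain_under_builder(hostname: str):
    """Return the subdomain part if hostname is under an abused builder domain."""
    host = hostname.lower()
    for base in BUILDER_DOMAINS:
        if host.endswith("." + base):
            return host[: -len(base) - 1]
    return None


def score_subdomain(sub: str) -> int:
    """Heuristic: brand labels (2), auth words (1), long numeric suffix (1)."""
    sub = sub.lower()
    parts = re.split(r"[-.]", sub)
    score = 2 * sum(p in BRAND_TOKENS for p in parts)
    score += sum(tok in sub for tok in AUTH_TOKENS)
    if any(p.isdigit() and len(p) >= 4 for p in parts):
        score += 1  # rotated numeric suffix, e.g. att-mail-102779
    return score


def flag_suspicious(lines, threshold: int = 2):
    """Return (user, hostname, score) for builder subdomains at or above threshold."""
    hits = []
    for line in lines:
        m = URL_RE.search(line)
        sub = subdomain_under_builder(urlparse(m.group(1)).hostname or "") if m else None
        if sub is not None and score_subdomain(sub) >= threshold:
            hits.append((USER_RE.search(line).group(1), urlparse(m.group(1)).hostname,
                         score_subdomain(sub)))
    return hits


if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOGS):
        print(hit)
```

Flagged hosts are candidates for analyst review or DNS blocking, not automatic verdicts; tune the token lists to the brands your users actually log in to.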

Experts urged organizations to remain vigilant and adapt their security measures to counter these advanced phishing tactics.

IoCs

IoCs (Source – EclecticIQ)
