Using SMS, threat actors are exploiting these cloud platforms to redirect users to malicious websites, with the ultimate objective of stealing their information
An investigation by telco software and cyber specialist Enea has revealed how SMS scammers are using AWS, Google Cloud and IBM Cloud Services to steal customer data.
“A number of criminal campaigns that exploit cloud storage services like Amazon S3, Google Cloud Storage, Backblaze B2, and IBM Cloud Object Storage, have recently come to Enea’s attention,” said Enea threat intelligence manager Manoj Kumar in a blog post. “Threat actors are using these storage platforms to redirect users to malicious websites, with the ultimate objective of stealing their information, and it all starts with the humble SMS.”
According to Kumar, the attackers coordinating these campaigns appear to be prioritising two basic objectives: to ensure scam text messages are delivered to handsets without detection by network firewalls, and to convince end users that the delivered messages or links are trustworthy.
Exploiting cloud storage
Cloud storage enables organisations or individuals to store, access, and manage a range of files. It can also be used to host static websites, by storing the website’s HTML, CSS, JavaScript, and other assets in a storage bucket and configuring the cloud storage service to serve these files as a website. This approach is suitable for static websites that don’t require server-side processing or dynamic content generation.
Kumar said cybercriminals have now found a way to exploit the facility provided by cloud storage to host static websites (typically .html files) containing embedded spam URLs in their source code. The URL linking to the cloud storage is distributed via text messages, which appear to be authentic and can therefore bypass firewall restrictions.
“When mobile users click on these links, which contain well-known cloud platform domains, they are directed to the static website stored in the storage bucket,” he said. “This website then automatically forwards or redirects users to the embedded spam URLs or dynamically generated URLs using JavaScript, all without the user’s awareness.”
Kumar details the procedure using the URL “storage.googleapis.com” – the domain used by Google Cloud Storage. “Attackers are using a URL constructed with this domain to link to a static webpage being hosted in a bucket on the Google Cloud Storage platform. The spam website is then loaded from that static webpage using the ‘HTML meta refresh’ method,” he said. HTML meta refresh is a technique used in web development to automatically refresh or redirect a web page after a certain time.
On the blog he provides examples of spam messages linking to Google Cloud Storage. The key is that each page has a tag instructing the browser to refresh the page and redirect to the specified URL in 0 seconds. “That means without our consent,” he said. Users end up on a fraudulent website that pretends to offer gift cards in order to trick them into revealing personal and financial information.
“We have also observed SMS spam messages containing links to static websites hosted on Amazon Web Services (AWS), IBM cloud and other storage platforms, with similar techniques being used to redirect the user to a scam website,” he added.
Mitigating these SMS scams
Because the main domain of the URL is, in this example, the genuine Google Cloud Storage domain, such links are hard to catch through normal URL scanning. “Detecting and blocking URLs of this nature presents an ongoing challenge due to their association with legitimate domains belonging to reputable or prominent companies,” said Kumar.
He added that user behaviour can be used to help address this challenge. “We know how URLs linking to storage platforms are used in normal circumstances. It will often be an individual sharing a specific link with another individual or small group of individuals – friends sharing photos, a colleague sharing a file, etc,” he said. “Therefore, we know that URLs of this kind being used for genuine purposes are not going to be associated with the aggressive SMS traffic linked to spam campaigns.”
He explained: “Enea’s detection of suspicious activity related to URLs is facilitated through the analysis of traffic behavior, in addition to proven URL inspection methods. This analysis involves reviewing the origins of the traffic as well as the specific destinations it targets. Additionally, consideration is given to the nature of the content being accessed and the underlying intentions of the webpages in question.”
Some of the traps that can be used to capture suspicious traffic rely on metrics such as traffic volume, content and behavioural patterns to identify and address potentially malicious activity.
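Because the link’s domain is legitimate, a scanner that only checks reputation sees nothing; the redirect described above only becomes visible once the bucket-hosted page itself is inspected. The following is an added example (not Enea’s detection logic): it fetches nothing, but takes an already-retrieved page and flags a cloud-storage-hosted page that meta-refreshes visitors to a different domain within a few seconds. The bucket name and destination host are constructed placeholders.

```python
"""Flag storage-hosted pages that immediately meta-refresh to another domain."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Storage hosts whose reputation the scam pages borrow (storage.googleapis.com is
# the one named in the article; extend the set for other platforms).
CLOUD_STORAGE_HOSTS = {"storage.googleapis.com"}


def parse_refresh_content(content):
    """Parse a meta refresh 'content' value such as "0; url=https://x".
    Quotes, mixed case and a missing 'url=' prefix are tolerated.
    Returns (delay_seconds, url), or None when there is no URL part."""
    delay, sep, rest = content.partition(";")
    if not sep:
        return None  # plain "5" only reloads the same page
    try:
        seconds = float(delay.strip() or "0")
    except ValueError:
        return None
    rest = rest.strip()
    if rest[:4].lower() == "url=":
        rest = rest[4:].strip()
    url = rest.strip("'\"").strip()
    return (seconds, url) if url else None


class _MetaRefreshParser(HTMLParser):
    """Collect (delay, url) from every <meta http-equiv="refresh"> tag."""
    def __init__(self):
        super().__init__()
        self.refreshes = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        parsed = parse_refresh_content(a.get("content", ""))
        if parsed:
            self.refreshes.append(parsed)


def assess_storage_page(page_url, html, max_delay=5.0):
    """Return a finding dict when a page on a cloud storage host bounces the
    visitor to a different domain within max_delay seconds, else None."""
    host = (urlparse(page_url).hostname or "").lower()
    if not any(host == h or host.endswith("." + h) for h in CLOUD_STORAGE_HOSTS):
        return None
    parser = _MetaRefreshParser()
    parser.feed(html)
    for delay, target in parser.refreshes:
        target_host = (urlparse(target).hostname or "").lower()
        if delay <= max_delay and target_host and target_host != host:
            return {"storage_host": host, "delay": delay, "destination": target_host}
    return None


# Constructed sample of a bucket-hosted redirector page (not a real bucket or site).
SAMPLE_PAGE_URL = "https://storage.googleapis.com/constructed-bucket-name/index.html"
SAMPLE_HTML = """<html><head>
<meta http-equiv="Refresh" content="0; URL='https://gift-card-lure.example/claim'">
</head><body></body></html>"""

if __name__ == "__main__":
    print(assess_storage_page(SAMPLE_PAGE_URL, SAMPLE_HTML))
```

Pages that redirect with JavaScript instead of a meta tag, which the article also mentions, would need a browser-based fetch rather than static parsing.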