Google Drawing Phishing Scam
Type of Malware | Infostealer (credential-harvesting phishing kit)
Date of Initial Activity | 2024
Motivation | Data Theft
Attack Vectors | Phishing
Type of Information Stolen | Login Credentials, Billing Address, Phone Number, Payment Card Details
Overview
Phishing scams are continuously evolving, with cybercriminals becoming increasingly adept at leveraging trusted platforms and services to deceive victims. One such scam, involving Google Drawings, exemplifies how attackers craft convincing phishing campaigns that exploit users' trust in familiar brands. In this case, cybercriminals used a Google Drawings graphic to trick victims into disclosing login credentials and personal and financial information. The attack, which presents itself as an Amazon account verification request, shows how modern phishing techniques, including URL obfuscation and multi-stage redirection through legitimate URL shorteners, are designed to slip past reputation-based filters and to deceive users who would normally check where a link leads.
Google Drawings, part of the Google Workspace suite, is a collaborative tool that allows users to create and share diagrams and graphics. Its legitimate use makes it an appealing target for malicious actors looking to hide their attacks in plain sight. When embedded within a phishing email, the Google Drawings graphic may appear entirely harmless, drawing the victim’s attention to what seems like an urgent Amazon account security request. This tactic takes advantage of the user’s familiarity with Google and their sense of urgency regarding account protection, making it difficult for even experienced users to spot the scam before it’s too late.
Targets
Individuals
How they operate
The attack begins with a phishing email that contains a seemingly innocent graphic hosted on Google Drawings. Because the link in the email points at a Google-owned domain, reputation-based email and URL filters treat it as trusted and rarely flag it, which makes Google Drawings an ideal place for cybercriminals to host the lure. The graphic is designed to look like an Amazon account verification notice, complete with branding and messaging intended to create urgency. However, this graphic is not merely an image: Google Drawings lets the author attach a hyperlink to a shape or text, and that embedded link is central to the attack.
When the victim clicks the "Continue Verification" link within the Google Drawings graphic, they are sent to a URL that appears safe but is actually a shortened link created with the WhatsApp URL shortener, "l.wl[.]co". URL shorteners, while useful for condensing lengthy URLs, also let attackers hide the true destination of a link. Here the WhatsApp shortener adds a further layer of deception: the visible link resolves to a legitimate, high-reputation domain, so it does not draw the suspicion that a long, unfamiliar URL would, and its real destination is only revealed once the redirect is followed.
Once the victim follows the shortened link, they are redirected again, this time through a second shortener, "qrco[.]de", a service that generates dynamic QR codes. This additional hop further obscures the destination and is likely intended to defeat scanners that inspect only the first link rather than following the chain to its landing page. Chaining several legitimate redirectors confuses both the victim and any security tools monitoring URL traffic, making the phishing attempt harder to identify in real time.
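The defensive counterpart to this redirect chain is to resolve each hop without executing anything and judge the landing page, not the first link. The following Python is an added example written for this page; it is not code from the original article or from the researchers who reported the campaign. It uses a stub fetcher in place of real HTTP so it runs offline; the chain it walks is constructed to mirror the page's description (WhatsApp shortener, then QR-code shortener, then a fake Amazon login), but every hostname after the two shortener domains, the path strings, and the extra entries in the shortener list are placeholders chosen for the example.

```python
"""Offline redirect-chain analysis for shortener-based phishing lures.

Constructed example: `stub_fetch` stands in for an HTTP HEAD request that
does not follow redirects. Swap it for a real client (with redirects
disabled) to use the same logic live.
"""
from urllib.parse import urlparse

# The two redirectors named in the campaign, plus a few common shorteners.
# Assumption: this list is illustrative, not a complete catalogue.
KNOWN_SHORTENERS = {"l.wl.co", "qrco.de", "bit.ly", "t.co", "tinyurl.com"}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed responses keyed by URL: (HTTP status, Location header).
# Hosts and paths other than the shortener domains are placeholders.
FAKE_RESPONSES = {
    "https://l.wl.co/l?u=example": (302, "https://qrco.de/example"),
    "https://qrco.de/example": (301, "https://amazon-verify.example.net/ap/signin"),
    "https://amazon-verify.example.net/ap/signin": (200, None),
    "https://www.amazon.com/ap/signin": (200, None),
    # A redirect loop, to show the resolver terminating on one.
    "https://loop.example/a": (302, "https://loop.example/b"),
    "https://loop.example/b": (302, "https://loop.example/a"),
}


def stub_fetch(url):
    """Return (status, Location) for a URL without following redirects."""
    return FAKE_RESPONSES.get(url, (404, None))


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def resolve_chain(start_url, fetch=stub_fetch, max_hops=10):
    """Follow Location headers hop by hop and return every URL visited.

    Stops at the first non-redirect response, a redirect with no Location,
    a loop (the repeated URL is recorded once more, then we stop), or after
    max_hops, since an unusually long chain is itself worth flagging.
    """
    chain = [start_url]
    seen = {start_url}
    url = start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_STATUSES or not location:
            break
        chain.append(location)
        if location in seen:
            break
        seen.add(location)
        url = location
    return chain


def assess_lure(start_url, brand_domain, fetch=stub_fetch):
    """Flag shortener hops and a landing host outside the claimed brand."""
    chain = resolve_chain(start_url, fetch)
    hosts = [host_of(u) for u in chain]
    shortener_hops = [h for h in hosts if h in KNOWN_SHORTENERS]
    final_host = hosts[-1]
    brand_ok = final_host == brand_domain or final_host.endswith("." + brand_domain)
    brand_word = brand_domain.split(".")[0]

    findings = []
    if shortener_hops:
        findings.append(f"{len(shortener_hops)} shortener hop(s): {', '.join(shortener_hops)}")
    if len(chain) > 2:
        findings.append(f"{len(chain) - 1} redirect(s) before the landing page")
    if not brand_ok:
        findings.append(f"landing host {final_host!r} is not under {brand_domain}")
        if brand_word in final_host:
            findings.append("landing host contains the brand name (lookalike)")
    return {
        "chain": chain,
        "findings": findings,
        "verdict": "suspicious" if findings else "clean",
    }


if __name__ == "__main__":
    for url in ("https://l.wl.co/l?u=example", "https://www.amazon.com/ap/signin"):
        result = assess_lure(url, "amazon.com")
        print(url, "->", result["verdict"])
        for line in result["findings"]:
            print("   ", line)
```

The design point is that the verdict is built from the whole chain: a lone shortener in a marketing email is unremarkable, but two shortener hops ending on a host that carries the brand name without being under the brand's domain is the exact shape this campaign has. Run live, the same function also gives an analyst the defanged chain to record as indicators.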
The victim is ultimately led to a page that appears to be an Amazon login screen, where they are prompted to enter their credentials. However, this page is a counterfeit designed to harvest sensitive information. Once the victim enters their login credentials, the scam progresses to a series of staged “security checkup” pages that ask for additional personal and financial details. These pages mimic legitimate account management forms and ask for sensitive data such as the victim’s full billing address, phone number, and even credit card details.
At each stage, the attacker captures and stores the data the victim has entered so far. Each form submits to a different path on an attacker-controlled domain, so the data from every completed stage is already on the attacker's server; a victim who abandons the process midway still leaks the credentials and details they have entered up to that point. The phishing site uses several techniques to convince the victim that they are still interacting with a legitimate Amazon page, including client-side validation of password formats and credit card numbers that mimics Amazon's own checks.
The final step of the scam leads the victim back to the phony Amazon login page, where they are once again prompted to enter their credentials. Once the attacker has gathered the credentials and financial details, the victim may be shown a fake confirmation message, after which the site stops responding to further visits from the same IP address. This serves the attacker twice over: the victim cannot return to inspect the page, and an analyst who revisits the URL from the same address to capture the kit sees nothing.
This phishing scam highlights how attackers use layered deception and multi-stage redirection to evade detection by both users and security tools. By leveraging trusted platforms like Google Drawings and legitimate URL shorteners, attackers obscure their true destination while presenting an experience that mirrors a real service. The practical lessons are that a link's first hop says little about where it ends, so URL analysis must follow the redirect chain to the landing page and evaluate that, and that no legitimate Amazon account verification arrives as a Google Drawings graphic; users and security teams should treat such a combination as a phishing indicator in its own right.