A new phishing campaign has been uncovered utilising Google Drawings and shortened links which are generated by WhatsApp, designed to lure victims into clicking malicious links and enter sensitive information.

Researchers at Menlo Security have identified a new campaign in which phishing emails contain drawings which look like common graphics associated with legitimate companies such as Amazon.

Within the email, links are obscured by a WhatsApp URL link shortener which bypasses security protocols, and additionally, the links are contained within the graphic.

Google Workspace is a collaborative and productivity platform, expanding on the popular G-Suite package with additional capabilities, extra storage space and enhanced security features. Workspace is commonly used by businesses due its collaborative nature and accessibility across devices.

One campaign tracked by Menlo Security is an Amazon-themed email, in which a victim receives an email pertaining to their Amazon account, instilling a sense of urgency. The “link” to confirm their email is hosted on Google Drawings, an application for users to create posters and graphics included in the Google Docs Editors suite and is obscured via a link shortener.

Link shorteners have become increasingly popular in recent months to better communicate a lengthy link and make it more accessible, but they do hide a malicious site behind the obscure link.

This WhatsApp shortened link allows the threat actors to harvest credentials which are entered into this “Amazon” log in page, and further allows the actors to harvest further information throughout the victims Amazon account, including security, billing and payment information.

Once this is complete and the credentials have been verified, the malicious site is no longer available to access via the victims IP address - another common tactic used by threat actors.

As with all phishing scenarios, employee training and awareness are integral to spotting campaigns, especially for well-designed campaigns mimicking companies which are seen or used every day. We can offer our Security Awareness Training to staff to help them spot illegitimate emails/texts.

Threat actors commonly impersonate companies or brands which are widely used to leverage the familiarity with the emails, in the hope that victims will click a link “out of habit” or to protect an account which they use regularly.

Spreading awareness of new or pervasive campaigns can reduce the effectiveness of phishing campaigns.

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).