New Phishing Scam Exploits Google Drawings and WhatsApp Links

Cybersecurity experts have uncovered a new phishing campaign that cleverly utilizes Google Drawings and shortened links generated through WhatsApp to evade detection and deceive users into clicking on fraudulent links designed to steal sensitive information.

According to the report, the attackers have carefully chosen widely trusted platforms like Google and WhatsApp to host and deliver their malicious content. They’ve even crafted a fake Amazon login page to collect victims’ personal information.

This method exemplifies a “Living Off Trusted Sites” (LoTS) threat, where cybercriminals exploit legitimate, well-known websites to make their attacks seem credible and avoid being flagged by security systems.

The attack typically begins with a phishing email that directs the recipient to what appears to be an Amazon account verification link. However, the link leads to a graphic hosted on Google Drawings. This tactic helps the attackers bypass security filters, as Google Drawings is a legitimate service and unlikely to raise suspicion.

Leveraging legitimate services offers multiple advantages to the attackers. Not only is it a cost-effective approach, but it also provides a stealthy way to operate within networks, as such trusted services are rarely blocked by security tools or firewalls.

The researchers point out that Google Drawings is particularly useful for the attackers because it allows them to embed links within graphics. These links can easily go unnoticed by users, especially when the email creates a sense of urgency, such as warning of a potential issue with their Amazon account.

Once users click on the deceptive verification link, they are redirected to a fake Amazon login page. The attackers add another layer of deception by using two different URL shorteners—first through WhatsApp (“l.wl[.]co”) and then through qrco[.]de—to make the fake URL less recognizable and to trick security scanners.

The counterfeit page is designed to capture credentials, personal information, and credit card details. After the data is stolen, victims are redirected to the actual Amazon login page. To further cover their tracks, the attackers block access to the fake page from the same IP address once the credentials have been submitted.
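The redirect chain described above can be checked mechanically once a mail gateway or sandbox has recorded the hops. The following is an added example, not code from the report: it flags a chain that starts on Google Drawings, passes through two or more shorteners, and lands on a host that is not the impersonated brand. The finding names, sample chains and the `/drawings/` path prefix are assumptions.

```python
from urllib.parse import urlsplit

# Shortener hosts named in the article; extend with your own list.
SHORTENERS = {"l.wl.co", "qrco.de"}
# Assumption: Google Drawings content is served from this host and path prefix.
LURE_HOST, LURE_PATH = "docs.google.com", "/drawings/"


def refang(url: str) -> str:
    """Undo report-style defanging ([.] and hxxp) so the URL can be parsed."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def host_of(url: str) -> str:
    return (urlsplit(refang(url)).hostname or "").lower()


def is_brand_host(host: str, brand_domain: str) -> bool:
    """True only for the brand domain or a real subdomain, not a lookalike prefix."""
    return host == brand_domain or host.endswith("." + brand_domain)


def assess_chain(hops: list[str], brand_domain: str) -> list[str]:
    """Return findings for one ordered redirect chain ending at the landing page."""
    findings: list[str] = []
    if not hops:
        return findings
    first = urlsplit(refang(hops[0]))
    if host_of(hops[0]) == LURE_HOST and first.path.startswith(LURE_PATH):
        findings.append("lure-on-trusted-host")
    if sum(host_of(h) in SHORTENERS for h in hops) >= 2:
        findings.append("chained-shorteners")
    if not is_brand_host(host_of(hops[-1]), brand_domain):
        findings.append("landing-not-brand")
    return findings


# Constructed sample chains (IDs, paths and the landing host are placeholders).
PHISH_CHAIN = [
    "https://docs.google.com/drawings/d/EXAMPLE_ID/preview",
    "https://l.wl[.]co/EXAMPLE",
    "https://qrco[.]de/EXAMPLE",
    "https://www.amazon.com.signin.example.test/ap/signin",
]
BENIGN_CHAIN = [
    "https://docs.google.com/drawings/d/EXAMPLE_ID/preview",
    "https://www.amazon.com/ap/signin",
]
```

Record the chain up to the credential form on a first visit: because victims are sent on to the real Amazon login page after submitting, and the fake page then blocks the same IP address, a chain captured later can end on the genuine brand host and miss the landing check.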

This discovery comes at a time when researchers have identified a vulnerability in Microsoft 365’s anti-phishing measures, which could make users even more susceptible to phishing attacks. The flaw involves manipulating CSS (Cascading Style Sheets) to hide the “First Contact Safety Tip,” a feature that warns users when they receive emails from unfamiliar sources. An Austrian cybersecurity firm revealed that this loophole could be exploited to hide the safety tip and even spoof icons in Microsoft Outlook, making phishing emails appear more legitimate.

Microsoft has acknowledged the issue but has not yet released a fix, leaving users at increased risk. The combination of these techniques—exploiting trusted sites like Google and WhatsApp, and manipulating Microsoft 365’s defenses—demonstrates the sophisticated strategies attackers are employing to carry out successful phishing campaigns.

To avoid falling victim to this phishing scam, it’s important to be vigilant with emails that prompt you to click on links, especially those claiming urgent actions related to account security. Verify the legitimacy of the sender and the message content by directly visiting the official website or contacting customer support. Use a reliable email security solution that can flag suspicious content and links.