Blog Manoj Kumar
A number of criminal campaigns that exploit cloud storage services like Amazon S3, Google Cloud Storage, Backblaze B2, and IBM Cloud Object Storage, have recently come to Enea’s attention. Threat actors are using these storage platforms to redirect users to malicious websites, with the ultimate objective of stealing their information, and it all starts with the humble SMS.
The attackers coordinating these campaigns appear to be prioritizing two basic objectives:
- To ensure scam text messages are delivered to handsets without detection by network firewalls
- To convince end users to perceive delivered messages or links as trustworthy.
This article will explore these exploits in detail, revealing the true nature and extent of the criminal fraud taking place.
Exploitation of Google Cloud Storage for SMS scams
Cloud Storage enables organizations or Individuals to store, access, and manage a range of files. It can also be used to host static websites, by storing the website’s HTML, CSS, JavaScript, and other assets in a storage bucket and configuring the cloud storage service to present these files as a website. This approach is suitable for static websites that don’t require server-side processing or dynamic content generation.
Cybercriminals have now found a way to exploit the facility provided by cloud storage to host static websites (typically .html files) containing embedded spam URLs in their source code. The URL linking to the cloud storage is distributed via text messages, which appear to be authentic and can therefore bypass firewall restrictions. When mobile users click on these links, which contain well-known cloud platform domains, they are directed to the static website stored in the storage bucket. This website then automatically forwards or redirects users to the embedded spam URLs or dynamically generated URLs using JavaScript, all without the user’s awareness. This process is illustrated in the diagram below.
Anatomy of the scam
The URL “storage.googleapis.com” is the domain used by Google Cloud Storage.
Attackers are using a URL constructed with this domain to link to a static webpage being hosted in a bucket on the Google Cloud Storage platform. The spam website is then loaded from that static webpage using the “HTML meta refresh” method.
HTML meta refresh is a technique used in web development to automatically refresh or redirect a web page after a certain time period:
The following are examples of spam messages linking to Google Cloud Storage that we have been seeing:
Building the URL
Looking closely at one of the URLs, we can see how it is structured:
1.1 A bucket – “dfa-b” – has been created on storage.googleapis.com, where the page dfmc.html is being hosted.
1.2 The dfmc.html page is configured with the ability to jump to other URLs through Meta Refresh;
<html><head><meta charset=”utf-8″> <meta name=”viewport” content=”width=device-width, initial-scale=1″> <title></title> <meta http-equiv=”refresh” content=”0; URL=http://r.everydaywinner.com/?a=2049&c=234&s1=g8ys&s2=&email=” /> </head><body></body></html>
The highlighted tag in bold is going to instruct the browser to refresh the page and redirect to the specified URL in 0 seconds – that means without our consent. Once we’ve been redirected, we end up on one of the following pages:
This is a fraudulent website pretending to offer gift cards to trick users into revealing personal and financial information.
These SMS scammers are not uniquely using Google Cloud Storage. We have also observed SMS spam messages containing links to static websites hosted on Amazon Web Services (AWS), IBM cloud and other storage platforms, with similar techniques being used to redirect the user to a scam website.
Amazon Web Services
IBM Cloud
Blackblaze B2 Cloud
Detecting and mitigating these SMS scams
Since the main domain of the URL contains, for example, the genuine Google Cloud Storage URL/domain, it is challenging to catch it through normal URL scanning. Detecting and blocking URLs of this nature presents an ongoing challenge due to their association with legitimate domains belonging to reputable or prominent companies. Additional considerations of various factors and behaviors are necessary to effectively address this challenge. Based on past behavioral observations, and the nature of the use cases of those domains, the likelihood of URLs constructed with those domains being used in any aggressive SMS traffic for genuine purposes is minimal.
We know how URLs linking to storage platforms are used in normal circumstances. It will often be an individual sharing a specific link with another individual or small group of individuals – friends sharing photos, a colleague sharing a file, etc. Therefore, we know that URLs of this kind being used for genuine purposes are not going to be associated with the aggressive SMS traffic linked to spam campaigns.
Enea’s detection of suspicious activity related to URLs is facilitated through the analysis of traffic behavior, in addition to proven URL inspection methods. This analysis involves reviewing the origins of the traffic as well as the specific destinations it targets. Additionally, consideration is given to the nature of the content being accessed and the underlying intentions of the webpages in question.
To effectively manage and respond to such campaigns, Enea’s threat intelligence team employs a variety of traps designed to capture suspicious traffic. These traps leverage metrics such as traffic volume, content and behavioral patterns to identify and address potentially malicious activity. By employing these techniques, Enea proactively safeguards the network’s mobile subscribers against malicious scam campaigns like the one described in this blog post. Discover more about how Enea’s messaging security solutions enable mobile operators, aggregators, and CPaaS providers to prevent spam and other messaging threats from impacting their customers. Visit our messaging security page here.
