- Fraudsters are increasingly relying on genuine services, like website builders, to host phishing campaigns, researchers have discovered.
- They believe using such legitimate services tends to make these scams appear credible.
- People can still detect these scams by looking for some telltale signs, suggest phishing experts.
Just because a legitimate service asks for your login credentials doesn't mean you aren't being gamed.
According to researchers at Unit 42, the cybersecurity arm of Palo Alto Networks, cybercriminals are increasingly abusing true-blue software-as-a-service (SaaS) platforms, including various website builders and form builders, to host phishing pages. Using these above-board services helps fraudsters bring an air of legitimacy to their scams.
“It’s very clever because they know we can’t [blocklist] the likes of Google and other [tech] giants,” Adrien Gendre, Chief Tech and Product Officer with email security vendor, Vade Secure, told Lifewire over email. “But despite the fact that it is more difficult to detect phishing when a page is hosted on a high-reputation website, it is not impossible.”
Using legitimate services to trick users into handing over their login credentials isn’t new. However, researchers have noticed a massive increase of over 1100% in using this strategy between June 2021 and June 2022. Besides website and form builders, the cyber crooks are exploiting file sharing sites, collaboration platforms, and more.
According to the researchers, the rising popularity of genuine SaaS services among cybercriminals is mostly because pages hosted in these services aren’t usually flagged by various fraud and scam filters, neither in the web browser nor in email clients.
Furthermore, not only are these SaaS platforms easier to use than to create a website from scratch, but they also enable them to quickly switch to a different phishing page should one be taken down by law enforcement agencies.
This abuse of genuine services for phishing doesn’t surprise Jake, a Senior Threat Hunter at a Threat Intelligence company, who specializes in credential phishing, and who doesn’t want to be identified as he investigates active phishing campaigns.
While he agrees that it usually takes a little more effort to detect such abuse, it isn't impossible, adding that these legitimate services are often keener to act on abuse reports, making it much easier to take down malicious sites.
In a discussion with Lifewire over Twitter, Jake said most phishing campaigns, including those hosted on legitimate services, have some obvious tell-tale signs for anyone paying attention.
"These legitimate services often have banners or footers which threat actors can't remove, so sites such as Wix have a banner across the top, Google forms has a footer stating to never enter passwords into forms, etc.," said Jake.
Building on that, Gendre says that while the domain might be trusted, the phishing page will likely have some anomalies in the URL and the content of the page itself.
Jake agrees, adding that, for starters, the page phishing for credentials will still be hosted on the abused website rather than the service whose credentials are being sought. For instance, if you find a password reset page for Gmail hosted on the website of a website builder like Wix, or a form builder like Google Forms, you can rest assured you’ve landed on a phishing page.
Moreover, with a little alertness, these attacks can be nipped in their bid, suggest the researchers. Just like other phishing attacks, this one too begins with a fraudulent email.
"Users should be wary of any suspicious emails that use time-sensitive language to prompt a user to take some sort of urgent action," said the Unit42 researchers.
Gendre believes people's biggest weapon against such attacks is patience, explaining that "people tend to open and respond to emails very quickly. Users should take the time to read and inspect the email to determine whether something is suspicious."
Jake, too, suggests people don't click on links in emails and instead visit the website of the service that has apparently sent the email, either by entering its URL directly or through a search engine.
"If you are able to use a password manager, these products are able to match the target URL with the current page you're using, and if they don't match, it won't enter your password, which should raise alarm bells," said Jake.