Blog

Exploiting the Cloud: How SMS Scammers are using Amazon, Google and IBM Cloud Services to Steal Customer Data

A number of criminal campaigns that exploit cloud storage services like Amazon S3, Google Cloud Storage, Backblaze B2, and IBM Cloud Object Storage, have recently come to Enea’s attention. Threat actors are using these storage platforms to redirect users to malicious websites, with the ultimate objective of stealing their information, and it all starts with the humble SMS.  

The attackers coordinating these campaigns appear to be prioritizing two basic objectives:  

  • To ensure scam text messages are delivered to handsets without detection by network firewalls 
  • To convince end users to perceive delivered messages or links as trustworthy.  

This article will explore these exploits in detail, revealing the true nature and extent of the criminal fraud taking place.   

Exploitation of Google Cloud Storage for SMS scams

Cloud Storage enables organizations or Individuals to store, access, and manage a range of files. It can also be used to host static websites, by storing the website’s HTML, CSS, JavaScript, and other assets in a storage bucket and configuring the cloud storage service to present these files as a website. This approach is suitable for static websites that don’t require server-side processing or dynamic content generation. 

Cybercriminals have now found a way to exploit the facility provided by cloud storage to host static websites (typically .html files) containing embedded spam URLs in their source code. The URL linking to the cloud storage is distributed via text messages, which appear to be authentic and can therefore bypass firewall restrictions. When mobile users click on these links, which contain well-known cloud platform domains, they are directed to the static website stored in the storage bucket. This website then automatically forwards or redirects users to the embedded spam URLs or dynamically generated URLs using JavaScript, all without the user’s awareness. This process is illustrated in the diagram below. 

 

Anatomy of the scam 

The URL “storage.googleapis.com” is the domain used by Google Cloud Storage 

Attackers are using a URL constructed with this domain to link to a static webpage being hosted in a bucket on the Google Cloud Storage platform. The spam website is then loaded from that static webpage using the “HTML meta refresh” method. 

HTML meta refresh is a technique used in web development to automatically refresh or redirect a web page after a certain time period: 

The following are examples of spam messages linking to Google Cloud Storage that we have been seeing:  

Building the URL

Looking closely at one of the URLs, we can see how it is structured:

scam link break down

 

1.1 A bucket – “dfa-b has been created on storage.googleapis.com, where the page dfmc.html is being hosted.  

 

1.2 The dfmc.html page is configured with the ability to jump to other URLs through Meta Refresh; 

<html><head><meta charset=”utf-8″> <meta name=”viewport” content=”width=device-width, initial-scale=1″> <title></title> <meta http-equiv=”refresh” content=”0; URL=http://r.everydaywinner.com/?a=2049&c=234&s1=g8ys&s2=&email=” /> </head><body></body></html> 

 

The highlighted tag in bold is going to instruct the browser to refresh the page and redirect to the specified URL in 0 seconds – that means without our consent. Once we’ve been redirected, we end up on one of the following pages: 

scam website landing page

Scam website page 2

scam website page 3

 

This is a fraudulent website pretending to offer gift cards to trick users into revealing personal and financial information.  

These SMS scammers are not uniquely using Google Cloud Storage. We have also observed SMS spam messages containing links to static websites hosted on Amazon Web Services (AWS), IBM cloud and other storage platforms, with similar techniques being used to redirect the user to a scam website.  

Amazon Web Services

SMS message with scam amazon link

Scam SMS containing a link to a static website hosted on Amazon AWS 

 

IBM Cloud

IBM cloud storage scam SMS message

Scam SMS containing a link to a static website hosted on IBM Cloud

 

Blackblaze B2 Cloud

Blackblaze B2 storage scam SMS message

Scam SMS containing a link to a static website hosted on Blackblaze B2 Cloud

 

Detecting and mitigating these SMS scams

Since the main domain of the URL contains, for example, the genuine Google Cloud Storage URL/domain, it is challenging to catch it through normal URL scanning. Detecting and blocking URLs of this nature presents an ongoing challenge due to their association with legitimate domains belonging to reputable or prominent companies. Additional considerations of various factors and behaviors are necessary to effectively address this challenge. Based on past behavioral observations, and the nature of the use cases of those domains, the likelihood of URLs constructed with those domains being used in any aggressive SMS traffic for genuine purposes is minimal. 

We know how URLs linking to storage platforms are used in normal circumstances. It will often be an individual sharing a specific link with another individual or small group of individuals – friends sharing photos, a colleague sharing a file, etc. Therefore, we know that URLs of this kind being used for genuine purposes are not going to be associated with the aggressive SMS traffic linked to spam campaigns. 

Enea’s detection of suspicious activity related to URLs is facilitated through the analysis of traffic behavior, in addition to proven URL inspection methods. This analysis involves reviewing the origins of the traffic as well as the specific destinations it targets. Additionally, consideration is given to the nature of the content being accessed and the underlying intentions of the webpages in question. 

To effectively manage and respond to such campaigns, Enea’s threat intelligence team employs a variety of traps designed to capture suspicious traffic. These traps leverage metrics such as traffic volume, content and behavioral patterns to identify and address potentially malicious activity. By employing these techniques, Enea proactively safeguards the network’s mobile subscribers against malicious scam campaigns like the one described in this blog post. Discover more about how Enea’s messaging security solutions enable mobile operators, aggregators, and CPaaS providers to prevent spam and other messaging threats from impacting their customers. Visit our messaging security page here 

 

 

Related insights

Watch Webinar: Boosting A2P SMS Revenues – Using AI to Uncover Hidden Gems

Read more

Tags: A2P Messaging, A2P Revenues

Woman looking at her phone on public transport

Apple Announces Support for RCS. What Happens Next?

Read more

Tags: RCS

Mobile World live webinar: Diary of a CISO

Watch Webinar Recording: Diary of a CISO – Building a Resilient Telecom Organization

Read more

Tags: MNO, Mobile Security

Storm-0539 Cybercrime Gang: Microsoft Alerts Companies of Gift Card Fraud From Moroccan Hackers

Read more

Tags: SMS, SMS scam

Infosecurity Magazine logo

Cyber-criminals Exploit Cloud Storage for SMS Phishing Scams

Read more

Tags: SMS scam