Phishing actors are now actively abusing the Glitch platform to host short-lived credential-stealing URLs for free while evading detection and takedowns.
The recent campaigns are targeting employees at major corporations who work with the Middle East.
Based on an analysis by the DomainTools research team, this phishing campaign started in July 2021 and is still ongoing.
The actors send emails with PDF document attachments that do not contain any malicious code, so no antivirus alerts are generated.
Instead, these PDFs contain a link that directs the user to a page hosted at Glitch, which would display a landing page.
An example of the URL embedded in these PDF documents is shown below:
DomainTools sourced 70 PDFs of this type and found that they all used a unique email and URL to link to various Glitch-hosted “red.htm” pages.
Glitch is a cloud hosting service that allows people to deploy apps and websites using Node.js, React, and other development platforms.
This platform is enticing for phishing attacks because it offers a free tier that lets users create an app/page and keep it live on the web for five minutes. After that, the user has to enable it again manually.
Because Glitch is a generally trustworthy platform, network security tools treat its domains favorably, not serving warnings when visiting the site.
This favorable view by security platforms combined with the short-lived URLs and the fact that threat actors can host them for free makes Glitch an excellent target for abuse by phishing actors.
By digging deeper, DomainTools found a live Glitch site linked to a commercial malware sandbox service containing a screenshot of a Microsoft SharePoint phishing login page.
The PDF document that led there had been submitted to VirusTotal, which allowed the researchers to tie the sample to several HTML documents.
After pulling these pages, the researchers found chunks of obfuscated JavaScript used for exfiltrating credentials to an email address after passing them through compromised WordPress sites.
The deobfuscation revealed an Outlook email address that received the stolen credentials, which led to the discovery of a set of additional PDFs created in September 2021.
The threat actors hosted these documents on various services similar to Glitch, such as Heroku, or through content distribution networks like SelCDN.
This means that Glitch was only one of the many channels the phishing actors abused to evade detection and steal credentials.
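The lure described above is a clean PDF whose only malicious component is a link to a short-lived page on a free hosting platform. One defensive triage step is to pull the link annotations out of attached PDFs and flag any that point at such platforms. The following is an added example, not DomainTools' tooling or anything from the article; the hosting-domain list, the sample PDF and the app name in it are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Free app-hosting platforms the article names as abused for short-lived phishing
# pages. Glitch apps are served under glitch.me and Heroku apps under herokuapp.com;
# this short list is an illustrative assumption, not an authoritative blocklist.
SUSPECT_HOSTING_SUFFIXES = ("glitch.me", "herokuapp.com")

# Matches the /URI (...) entry of a PDF link annotation. PDF literal strings may
# contain backslash-escaped parentheses, which the inner group tolerates.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")

def extract_pdf_uris(pdf_bytes: bytes) -> list[str]:
    """Return every URI found in link annotations of an uncompressed PDF body."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = re.sub(rb"\\(.)", lambda e: e.group(1), m.group(1))  # undo \( \) \\
        uris.append(raw.decode("latin-1"))
    return uris

def is_free_hosting_url(url: str) -> bool:
    """True when the URL's host is (a subdomain of) a listed free hosting platform."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in SUSPECT_HOSTING_SUFFIXES)

def triage_pdf(pdf_bytes: bytes) -> dict:
    """Flag a PDF whose embedded links point at free, short-lived app hosting."""
    uris = extract_pdf_uris(pdf_bytes)
    flagged = [u for u in uris if is_free_hosting_url(u)]
    return {"uris": uris, "flagged": flagged, "suspicious": bool(flagged)}

# Constructed sample: a minimal, uncompressed PDF with two link annotations. The
# glitch.me app name and path are made up for the example, not real indicators.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
  /A << /S /URI /URI (https://example-lure-app.glitch.me/red.htm) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 650 300 670]
  /A << /S /URI /URI (https://www.example.com/terms) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    print(triage_pdf(SAMPLE_PDF))
```

Real-world PDFs usually store annotations inside Flate-compressed object streams, so run the bytes through a PDF library's decompression first; the regex alone only sees uncompressed objects.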
DomainTools has reached out to Glitch to inform them of its findings but hasn't received a response yet.