Middle East employees from large firms are the latest target of a long-term phishing scam that uses a short-lived aspect of the Glitch app, a project-management tool, and redirects them to SharePoint phishing pages. The phishing email sent in the scam contains suspicious PDFs linked to the Glitch app that includes obfuscated JavaScript for credentials theft of the targeted employees.
Glitch, a Web-based project-management tool, has a built-in code editor that allows users to run and host software projects from basic websites to complicated applications.
According to researchers, the campaign only targeted Middle East employees as a single campaign from a SharePoint-themed phishing scam series.
The researchers also said that learning how the free version of the Glitch app works is the key to understanding how the entire campaign works.
Glitch allows an app to run for only five minutes, being exposed to the internet, with a three-worded randomised hostname provided by the tool. Because of Glitch’s short-lived feature, threat actors find the tool ideal in hosting malicious content because it helps them not to be detected. Many networks and blocklist corporations also trust the tool that allows them to attach seemingly safe PDFs that contain links to another trusted base domain. The entire process helps threat actors make it past security defences and successfully run their attacks.
Furthermore, threat actors in this phishing campaign also used credentials exfiltration on compromised WordPress sites to make an attack chain that can evade defence tools.
Security experts came across the malicious activity from the regular hunting of malicious documents linked to past campaigns. They initially discovered a PDF file declaring itself an invoice with a URI section linking to another page. Typically, researchers do not consider these findings to be alarming. Yet, what made it suspicious is the email address appended to the URL to be a fragment that usually references an ‘id’ element from an HTML page and can also be engineered in CSS.
The email address is also owned by an employee from a UAE-based company, something that experts are reminded of spear-phishing attacks. So, they hunted for similar documents and were surprised to uncover about 70 of them dating back to July this year. The documents use different URLs that target employees’ email addresses from large corporations in the Middle East.
