Cybercriminals like to subvert legitimate online services like Google Docs and Dropbox to carry out their malicious activities. The free website hosting company Wix is the latest addition to the list of services they’ve abused.
Researchers from security company Cyren found that scammers were creating phishing sites designed to harvest Office 365 login credentials via Wix, which offers a simple click-and-drag editor for building web pages. As typically happens with free services, the criminals are taking advantage of these tools to carry out their operations.
The phishing site looks like a new browser window open to an Office 365 login page. In fact, it’s a screenshot of an Office 365 login page with editable fields overlaid on the image. Users would think the site is legitimate and enter the login credentials, except the information is entered into the fields on the overlay and not the actual Office 365 page.
On the desktop, the overlay is fine, but the fact that fields are separate from the image is much more obvious on the mobile device, Cyren said.
The criminals are also thinking of ways to stay under Wix’s radar. For example, there’s no text on the page—it’s all one image—and the password field is misspelled as “passvvord.” The attackers may have made these decisions on the assumption that Wix has an automated scanning process that checks the site content to flag potentially bad sites.
The attackers may have designed the pages to make the user think something had opened a new browser window, said Cyren researcher Avi Turiel. It could also be a mark of laziness, with the attacker taking a screenshot of the original login page and not bothering to edit the image. “Maybe it’s a trial to see if it works, so less effort was put into it,” Turiel said.
Criminals like to host malware on cloud storage services or build their attack infrastructure with legitimate providers to bypass common security defenses. Users—even those who’ve been trained to scrutinize links for potential spam or phishing attacks—don’t think twice about clicking on links to popular domains and services because they’re conditioned to working with those tools. Organizations also can’t block outright popular domains and service providers that are widely adopted. In some cases, web security products may not even scan the URLs because the products are considered trusted.
It also helps that these services are free. Attackers get the benefit of a valid domain without having to spend any money.
Cyren didn’t know how the users are sent to the Wix pages. A browser redirect or a social engineering campaign could be navigating users to the site. The malicious pages have been reported to Wix, but administrators have to stop thinking of certain sites as trusted. Even the most benign site can be used maliciously.