Executive Summary
EclecticIQ analysts identified a phishing campaign in late October 2024 targeting the telecommunications and financial sectors. Attackers leveraged Google Docs to deliver phishing links, redirecting victims to fake login pages hosted on Weebly - a legitimate, user-friendly website builder service. By using Google’s trusted domain for initial delivery, attackers bypassed standard email filters and endpoint protections, leveraging reputable platforms to evade detection and increase user trust. [1], [2]
Financially motivated threat actors find Weebly attractive due to its ease of use, low-cost hosting, and established reputation. By hosting phishing pages on this platform, attackers avoid the cost and complexity of self-hosted servers and leverage Weebly's infrastructure to evade anti-phishing scanners, as its legitimacy can reduce scrutiny. In early 2024, Unit 42 observed attackers employing similar tactics, leveraging trusted platforms to replicate well-known brands and prolong phishing campaigns across multiple sectors. [3]
Figure 1 – Graph mapping phishing campaign infrastructure in EclecticIQ’s threat intelligence platform, Intelligence Center.
Key Findings
- Victims: The campaign primarily targets telecommunications and financial sectors. Analysts identified customized lures, including telecom-specific phishing pages themed for AT&T and financial institution pages targeting US and Canadian users. [4], [5]
- Infrastructure: Attackers abuse legitimate Google Docs servers as the initial phishing delivery vector, embedding malicious links inside Google Doc presentations to redirect victims to Weebly-hosted fake login pages. The threat actors use dynamic DNS for subdomain rotation to keep phishing pages active, making detection and takedown efforts more challenging.
- MFA Bypass Tactics: Attackers use crafted multi-factor authentication prompts that mimic the legitimate secure-access flows commonly seen in telecom services. These phishing pages are designed to look authentic, creating a false sense of security for victims. By replicating real MFA workflows, such as access-code entry prompts, the pages deceive users into entering sensitive information under the impression that they are completing a genuine security step.
- Tracking Tools: Attackers incorporate legitimate tracking tools like Sentry.io and Datadog into their phishing kits to monitor key metrics on their phishing pages. These tools capture details such as the victim's timestamp of interaction, IP address, and inferred location based on IP data. By analyzing this information, attackers gain insights into the effectiveness of specific lures and refine their campaigns, tailoring future phishing attempts for higher success rates.
Figure 2 – US-based telecommunications-institution themed phishing login page.
Figure 3 – US-based financial institution themed phishing login page.
Tailored Phishing Campaigns Exploit Trusted Platforms to Target Multiple Industries
In this campaign, EclecticIQ analysts observed Weebly-hosted domains such as att-mail-102779[.]weeblysite[.]com and umpquawoers-accessmail[.]weebly[.]com replicating industry-specific login pages. By embedding the malicious links within Google Docs, attackers can bypass traditional email filters and endpoint protections, leveraging the inherent trust associated with widely used platforms like these.
To enhance engagement, attackers customize phishing pages to mimic the login screens of targeted brands in the finance and telecommunications sectors across EMEA and AMER regions. For example, the bank-themed phishing page (Figure 4) targets financial users, while the Telstra webmail login page (Figure 5) is tailored to lure telecommunications sector employees. This industry-specific approach increases the credibility of phishing lures, as victims are more likely to trust and interact with interfaces that align with their work environment. This tactic demonstrates the threat actors' adaptability in tailoring phishing kits for multiple sectors. [5]
Figure 4 – Phishing page mimicking Australian bank login.
Figure 5 – Phishing page imitating telecom webmail login.
The campaign also includes phishing lures likely targeting security professionals through PICUS-themed pages hosted on Google Docs. PICUS is a cybersecurity training and simulation tool often used to help organizations enhance their defensive capabilities. The attackers mimic legitimate security training content associated with PICUS, using titles like “How Breach & Attack Simulation Helps You to Operationalize MITRE ATT&CK.” By replicating branding tied to well-known security tools, the attackers aim to gain the trust of IT and cybersecurity professionals, potentially leading to highly privileged access through business email compromise.
The use of dynamic DNS infrastructure in this campaign enables attackers to rotate URLs frequently, extending the campaign's lifespan and evading blacklists. This flexibility, combined with the tailored phishing interfaces, suggests a well-resourced operation capable of deploying targeted attacks across multiple industries simultaneously.
Customized Phishing Pages for Brand-Specific Targeting
This campaign demonstrates a high level of customization, with phishing pages tailored to mimic the login portals of specific brands such as AT&T and a US-based financial institution, as shown in Figures 2 and 3. By closely replicating the appearance of these brands, the threat actors increase their chances of success, as these targeted designs enhance user trust and engagement. Such brand-specific lures highlight the attackers’ intent to maximize the effectiveness of their phishing attempts across different sectors, from telecommunications to finance.
Fake MFA Prompts Increase Phishing Success by Mimicking Genuine Security Step
Attackers use phishing tactics that closely replicate legitimate MFA prompts, designed to appear convincing and familiar to users. For example, the secured1st-accesscode[.]weebly[.]com page prompts victims to enter a "secure access code," mirroring genuine MFA workflows to create a false sense of security. By carefully replicating the visual layout and progression of authentic MFA steps, attackers increase the likelihood that users will comply and provide sensitive information. [6]
This technique underscores the importance of advanced MFA defenses, such as adaptive authentication and randomized challenge steps, which can detect and flag atypical login behaviors. Screenshots of the secured1st-accesscode[.]weebly[.]com page illustrate the realistic design of these phishing prompts, closely mirroring genuine MFA interactions.
Figure 6 – MFA phishing prompt on secured1st-accesscode[.]weebly[.]com.
Legitimate Tracking Tools Leveraged for Phishing Success Analysis
Analysts observed legitimate tracking tools, such as Snowplow Analytics and Google Analytics, embedded within the phishing pages to monitor victim engagement. These scripts, found in pages targeting AT&T and a Canadian financial institution, are used to track victim behavior.
Snowplow allows for granular interaction tracking, capturing user navigation, clickstream data, and engagement metrics. Google Analytics gathers visitor demographics and engagement metrics, with AJAX calls supporting real-time data updates to avoid alerting users. Together, these tools allow attackers to collect interaction data, including click timestamps, user navigation, and geolocation data, helping them refine their phishing techniques over time.
Attackers Target Telecom Accounts with Phishing and SIM Swapping to Bypass MFA
Attackers also leveraged SIM swapping as a secondary method to gain unauthorized access to user accounts, particularly targeting telecom services like AT&T. Threat actors are focused on telecom-related login pages, such as hxxps://att-mail-102779[.]weeblysite[.]com, which collect login credentials from telecom users. By obtaining these credentials, attackers can access telecom dashboards and user accounts, allowing them to initiate SIM swaps.
Attackers use SIM swapping, a technique to convince the victim’s mobile carrier to transfer the victim's phone number to a SIM card under the attacker’s control. With access to telecom account credentials, attackers can execute this swap, intercepting SMS-based multi-factor authentication (MFA) codes and other SMS communications tied to the victim's accounts. For example, if a target realizes they have been phished and attempts to reset their password, an attacker with control over the victim’s SIM card can intercept password reset messages and additional MFA prompts, maintaining access to compromised accounts and enabling further account breaches. [7]
The combination of telecom-specific phishing and SIM swapping shows a methodical approach, with attackers exploiting access to telecom accounts to bypass traditional SMS-based MFA protections and recovery processes. This highlights the need for enhanced security measures, such as app-based or hardware-based MFA, which do not rely on SMS, thereby mitigating the risks associated with SIM swapping.
Technical Analysis: Phishing Kits and Domain Setup
The phishing kits in this campaign use HTML forms that closely mimic legitimate login pages for targeted brands, such as the AT&T page on att-mail-102779[.]weeblysite[.]com and the page on umpquawoers-accessmail[.]weebly[.]com. These forms capture credentials and other sensitive information through POST requests (see Figure 7).
Figure 7 – Burp Suite HTTP POST interception on phishing page.
The threat actors rely on Weebly’s quick deployment features, with dynamic DNS allowing for subdomain rotation to evade detection. Historical data from URLscan.io shows repeated abuse of Google Docs and Weebly in similar campaigns, suggesting these kits are reused due to their adaptability and efficiency.
PICUS Analysis
Rationale Behind the Use of PICUS-Themed Lures
The campaign’s use of PICUS-themed phishing lures is strategic, targeting professionals familiar with security training tools. The phishing pages resemble genuine PICUS content, with titles like “How Breach & Attack Simulation Helps You to Operationalize MITRE ATT&CK,” appealing directly to IT and cybersecurity professionals. These lures incorporate tracking features, such as IP address and geolocation tracking, which help attackers identify the regions where their phishing campaigns are most effective. Additionally, session duration and click tracking allow attackers to monitor user engagement, confirming when victims have interacted with credential entry fields. This insight enables attackers to refine their approach, making each subsequent phishing attempt more tailored and convincing. Ultimately, victims are redirected to credential-harvesting sites, where sensitive information is captured for unauthorized access.
Figure 8 – PICUS-themed phishing lure on Google Docs.
Google Docs as a Delivery Platform for Phishing Campaigns
Using Google Docs provides several advantages for phishing actors:
- Evading Detection: Files hosted on Google Docs are less likely to be flagged as malicious by anti-phishing tools than traditional phishing methods.
- Building Trust: By using Google Docs, attackers create a sense of legitimacy, increasing user interaction and the success rate of the phishing attack. [1]
Broadening Attack Vectors: Telecom and Beyond
The campaign initially focused on telecommunications and financial institutions in the U.S. and Europe, deploying targeted phishing pages for these sectors. The consistency in language and design across these pages suggests a flexible infrastructure that enables the threat actor to pivot to other sectors using similar tactics. This deliberate shift toward leveraging cloud-based collaboration tools as entry points makes detection more challenging, allowing attackers to broaden their scope beyond initial targets.
MITRE ATT&CK Mapping
This campaign leverages several MITRE ATT&CK techniques:
Figure 9 – MITRE ATT&CK Analysis and TTP Mapping of the Phishing Campaign in EclecticIQ’s threat intelligence platform (TIP).
IP and Domain Pivoting Analysis
The infrastructure supporting this campaign reveals a coordinated use of shared IPs and domains to distribute phishing content. Pivot analysis from URLscan.io highlights clusters of domains linked to this infrastructure, suggesting a larger, coordinated network of Weebly-hosted phishing sites. [8]
Figure 10 – Query results from EclecticIQ TIP showing phishing-related Weebly domains associated with the IP address 74[.]115[.]51[.]9.
IP Address Proximity and Infrastructure Reuse
EclecticIQ analysts found that multiple phishing domains associated with this campaign, including those targeting AT&T, resolve to the same IP address (74[.]115[.]51[.]9). While this IP is part of Weebly's infrastructure, the fact that it exclusively hosts phishing domains suggests that it may be an abused segment of Weebly’s hosting services. This setup enables threat actors to manage and deploy multiple phishing pages with ease, benefiting from Weebly's trusted reputation while centralizing their infrastructure. This configuration helps attackers evade detection by hiding phishing content within a legitimate platform’s IP range.
Mitigation Strategies
- Email Filtering for Cloud-Shared Documents: Deploy advanced email filtering solutions that analyze the content of cloud-shared documents, like Google Docs, for suspicious links and indicators of phishing. Configure the filters to detect patterns such as unusual document sharing from unknown senders or requests to access sensitive information via embedded links.
- Proactive DNS Monitoring: Implement a DNS monitoring system that watches for the registration of new domains related to Weebly and Google Docs. Use keyword-based alerts (e.g., "login," "secure access") and threat intelligence feeds to flag newly registered domains or subdomains that could be impersonating legitimate services. [8]
- Mandatory Multi-Factor Authentication (MFA) and Credential Hygiene: Enforce MFA across all user accounts and mandate strong, regularly updated passwords. Educate users on avoiding password reuse and recognizing phishing attempts, especially on platforms commonly targeted by attackers.
- Detection of Phishing Kit Artifacts: Configure detection systems to identify known phishing kit artifacts, such as embedded tracking tools (e.g., Sentry.io, Datadog) within login pages. Use these indicators to flag potentially malicious pages early in their lifecycle, as attackers often leverage these tools to monitor victim engagement and refine their phishing strategies.
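The following Python script is an added example, not EclecticIQ's code, showing how the DNS-monitoring and phishing-kit-artifact checks above can be combined into one triage step: it refangs the defanged indicators used in this report, classifies Weebly subdomains and Google Docs "published presentation" links, and scans a fetched page body for a password form next to the tracking SDKs the report names. The tracker signatures are assumed public loader hostnames and globals for those SDKs, and the HTML sample is constructed.

```python
import re
from urllib.parse import urlparse

# Platforms the report describes: Weebly-hosted pages and the Google Docs
# "published presentation" path used as the delivery link.
WEEBLY_SUFFIXES = ("weebly.com", "weeblysite.com")
GDOCS_PUB_PATH = re.compile(r"^/presentation/d/e/[^/]+/pub")
# Terms from the report's DNS-monitoring advice plus brand words seen in the
# observed subdomains; extend with your own brand watchlist.
WATCH_TERMS = ("login", "secure", "access", "mail", "bank", "att", "telstra")
# Assumed public loader hosts / globals of the tracking SDKs the report
# names as phishing-kit artifacts; refine for your environment.
TRACKER_SIGNATURES = {
    "sentry": r"sentry-cdn\.com|sentry\.io|Sentry\.init",
    "datadog": r"datadoghq|DD_RUM|DD_LOGS",
    "snowplow": r"snowplow|/sp\.js",
    "google_analytics": r"google-analytics\.com|googletagmanager\.com",
}
PASSWORD_INPUT = re.compile(r"<input[^>]+type=[\"']?password", re.I)
# Constructed page body standing in for a fetched Weebly login page.
SAMPLE_HTML = """<script src="https://browser.sentry-cdn.com/7.0.0/bundle.min.js"></script>
<form method="POST" action="/submit"><input name="user">
<input type="password" name="pass"><button>Sign in</button></form>"""


def refang(ioc):
    """Turn a defanged indicator (hxxps://a[.]b) back into a parseable URL."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


def classify_url(url):
    """Return (category, matched watch terms) for a newly observed URL."""
    parts = urlparse(refang(url))
    host = parts.hostname or ""
    if host == "docs.google.com" and GDOCS_PUB_PATH.match(parts.path):
        return "gdocs_published", []
    if any(host.endswith("." + s) for s in WEEBLY_SUFFIXES):
        label = host.split(".")[0]  # the customer-chosen subdomain
        return "weebly_site", sorted(t for t in WATCH_TERMS if t in label)
    return "other", []


def page_artifacts(html):
    """Return (has_password_form, trackers found) for a fetched page body."""
    trackers = sorted(n for n, p in TRACKER_SIGNATURES.items() if re.search(p, html, re.I))
    return bool(PASSWORD_INPUT.search(html)), trackers


def triage(url, html=""):
    """Combine URL and page signals into a verdict for the alert queue."""
    category, terms = classify_url(url)
    has_form, trackers = page_artifacts(html)
    if category == "gdocs_published":
        verdict = "review"  # delivery vector: inspect the embedded links
    elif category == "weebly_site" and (terms or has_form):
        verdict = "block" if has_form and trackers else "suspicious"
    else:
        verdict = "clean"
    return {"category": category, "terms": terms, "password_form": has_form,
            "trackers": trackers, "verdict": verdict}
```

A Google Docs link alone is only "review" because the document itself is benign infrastructure; the page-body checks are what escalate a Weebly site to "block".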
Indicators of Compromise (IOCs)
Primary Phishing URLs:
- hxxps://att-mail-102779[.]weeblysite[.]com
- hxxps://securedprofile-infosuckkk[.]weebly[.]com
- hxxps://umpquawoers-accessmail[.]weebly[.]com
Google Docs-Hosted URLs:
- hxxps://docs[.]google[.]com/presentation/d/e/2PACX-1vSMcWcXkT6Sj1zUSKwPxxorafu58YpjAd1mpi1oB1mbUpiMiQTvJDbD3zULJTTWvtpjXOvamDEBY5f3/pub?usp=embed_facebook
- hxxps://docs[.]google[.]com/presentation/d/e/2PACX-1vRdrlMXfpcvp7a-cdFD6fU4qN6V6uo0JuHb8cW8VM5hJQ4lViEIN3_Q4CdtJGhfVYYMAMVz_MjHA8to/pub?usp=embed_facebook
Other Notable Phishing Pages:
Tracking Tools:
Use of Sentry.io and Datadog for user tracking across phishing sites.
Structured Data
Find this and other research in our public TAXII collection for easy use in your security stack: https://cti.eclecticiq.com/taxii/discovery.
Please refer to our support page for guidance on how to access the feeds.
EclecticIQ Intelligence & Research Team
We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com.
References
[1] P. Passeri, “The Huge Threat Posed by Increased Targeting of Cloud Services,” Infosecurity Magazine. Accessed: Nov. 12, 2024. [Online]. Available: https://www.infosecurity-magazine.com/blogs/threat-targeting-cloud-services/
[2] A. Saxena, “100+ Phishing Attack Statistics You Should Know in 2024,” Sprinto. Accessed: Nov. 12, 2024. [Online]. Available: https://sprinto.com/blog/phishing-statistics/
[3] L. Hu, “Legitimate SaaS Platforms Being Used to Host Phishing Attacks,” Unit 42. Accessed: Nov. 12, 2024. [Online]. Available: https://unit42.paloaltonetworks.com/platform-abuse-phishing/
[4] “The Latest Phishing Statistics (updated June 2024) | AAG IT Support.” Accessed: Nov. 12, 2024. [Online]. Available: https://aag-it.com/the-latest-phishing-statistics/
[5] “2024 State of the Phish Report: Phishing Statistics & Trends | Proofpoint US,” Proofpoint. Accessed: Nov. 12, 2024. [Online]. Available: https://www.proofpoint.com/us/resources/threat-reports/state-of-phish
[6] B. A, “What Is Phishing-as-a-Service (PhaaS)?,” ID Agent. Accessed: Nov. 12, 2024. [Online]. Available: https://www.idagent.com/blog/phishing-as-a-service-phaas/
[7] “What is a SIM Swapping Scam? Protect Your Device Against SIM Hackers,” Verizon. Accessed: Nov. 12, 2024. [Online]. Available: https://www.verizon.com/about/account-security/sim-swapping
[8] “Massive phishing campaign uses 6,000 sites to impersonate 100 brands,” BleepingComputer. Accessed: Nov. 12, 2024. [Online]. Available: https://www.bleepingcomputer.com/news/security/massive-phishing-campaign-uses-6-000-sites-to-impersonate-100-brands/