Spear-phishing attacks abuse the Glitch platform to steal credentials

Glitch service abused in attacks that target Middle East workers from major corporations

The phishing campaign targets employees of Middle Eastern companies.

Actors release campaigns aiming to gather information about the employees of Middle-East-based corporations. Scammers use particular ephemeral aspects of the management tool to expose users to URLs with credential-stealing functions.^[1] Attackers managed to host short-lived links and evade detections, so takedowns of the suspicious sites can be avoided.^[2] The campaign started back in July 2021 and is, unfortunately, still active.

The targets of the spearphishing campaign are employees at major corporations with what appear to be an emphasis on employees operating in the Middle East. Upon further pivoting this looks to be just a single campaign in a long line of similar, SharePoint themed phishing attempts.

Researchers^[3] reported that these spear-phishing campaigns included the SharePoint phishing pages and discovered the suspicious PDFs. These files were not having malicious content but had links to Glitch app hosting pages with obfuscated JavaScript. These pages were used to steal credentials.^[4]

Glitch is a web-based project-management tool that has a built-in code editor that runs and hosts software projects. Various companies use the service for simple websites and large applications. The particular campaign aimed to access the credentials of employees from the Middle East.

PDF files helping to evade detection

Threat actors managed to send emails with file attachments, including these PDFs that were not having any malicious code, so antivirus could not alert the user about anything possibly dangerous. The file contained a link redirecting to the page hosted at Glitch. Once clicked, it would open the landing page.

The DomainTols research sourced at least 70 separate PDFs with the links. All of them used the unique email and the URL to link various pages hosted on Glitch. The short-lived nature of these pages created an issue for researchers because they need living pages serving the payload of the campaign to analyze it further.

The tool for URL scanning was used to search through the list of scanned sites over the last month. Many HTML documents were found tied to the previous PDFs on the VirusTotal platform. Such documents were detected dating back to July 30, 2021. Emails included individuals working at large corporations.

Generally trusted platforms abused

Glitch is the cloud hosting service that allows people to use Node.js, react, other development platforms for application and website deployment. The platform is trustworthy, and network security tools or antivirus apps do not find the domain suspicious. This is why warnings were not delivered when the site got visited.

The service allows the application to operate for five minutes while exposed to the internet with the Glitch-provided hostname using three random words. After that, the user needs to enable the app or website again manually. The trustworthiness of the platform and short-lived URLs allowed threat actors to successfully run these phishing campaigns^[5] abusing the Glitch platform.

It is discovered that stolen credentials were sent to the Outlook email address. This discovery helped to find a set of PDFs created in September 2021. Actors hosted those documents on different services besides Glitch. Heroku was one of them. Also, attackers used the content distribution network SelCDN. Glitch was the only channel abused to evade detection and gather credentials. The developers have not responded to these findings, but the DomainTools team has reached out to the company.