More and more criminals are using legitimate websites to obfuscate malicious payloads

(Image credit: Shutterstock / Sashkin)

Hackers are increasingly using legitimate websites to deliver malicious payloads to unsuspecting victims, researchers have revealed.

A report by cybersecurity experts Egress claims some of the world’s most popular websites are being abused to deliver malware, thus effectivelly bypassing standard link checks performed by antivirus and endpoint security solutions.

The paper, based on data taken from Egress’ integrated cloud email security platform, Egress Defend, says YouTube, Amazon AWS, Google Docs, Firebase Storage, and DocuSign are among the top 10 most frequently used websites for this purpose. Furthermore, there has been a 21% increase in the use of this method in Q1 2023, compared to Q4 2022.

Enhancing defenses

“The evolution of phishing emails continues to pose a major threat to organizations, emphasizing the need to enhance defenses to prevent attacks,” said Jack Chapman, VP of Threat Intelligence, Egress. “Every attack we analyzed had bypassed other forms of anti-phishing detection, including secure email gateways (SEGs).”

YouTube has long been used to deploy malware, with hackers creating videos demonstrating how a certain crack, or key generator, work, and then provide the download link in the description (or in the video itself). The program being demonstrated is actually malware, and people who download it often end up losing either their data, or their money or cryptocurrencies.

Google Docs was also observed being abused to deliver malware. Threat actors would create a Docs file with a malicious link inside, and then use the Share option to deliver the document to the victims. The link to the file is then shared via email, and given that it’s coming through Google’s domain, email security solutions usually allow it through to the inbox.

To protect against such attacks, the report argues, businesses need to adapt their defenses. Behavior-based email security needs to be prioritized, which also means deploying AI to mitigate the increase in threats evading signature-based and reputation-based perimeter security. Furthermore, businesses should deploy natural language processing and natural language understanding to defend themselves from sophisticated attacks, the report concludes. 

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.