Threat actors are actively abusing the Glitch platform with the aim of hosting free credential-harvesting SharePoint phishing pages on this platform that perform credential theft. The campaign is targeting employees of major firms from the Middle East.
The phishing campaign started in July 2021, and is, unfortunately, still active, stated security researcher Chad Anderson from DomainTools. The spear-phishing campaign included suspicious PDFs that do not contain any malicious content.
Instead, these PDFs contain a link that leads the user to a malicious website hosted at Glitch, which would display a landing page that includes obfuscated JavaScript for stealing credentials. Glitch is a cloud-based hosting solution with a built-in code editor for operating and hosting software projects ranging from simple websites to large applications.
Exploiting Glitch
According to Bleeping Computer, Glitch is vulnerable to phishing assaults because they provide a free version through which users can design an app or a page and keep it running on the internet for five minutes. After that, the user has to enable it again manually.
“For example, one document directed the recipient to hammerhead-resilient-birch. glitch[.]me where the malicious content was stored. Once the five minutes is up, the account behind the page has to click to serve their page again,” Anderson explained.
“Spaces, where code can run and be hosted for free, are a gold mine for attackers, especially considering many of the base domains are implicitly trusted by the blocklists corporations ingest,” he added. “This delegation of trust allows for attackers to utilize a seemingly innocuous PDF with only a link to a trusted base domain to maneuver past defenses and lure in user trust.”
The perfect combination for attackers is the platform’s credibility and the free version, which is the path for attackers to host malicious URLs for a short period of time, favorably treating Glitch’s domain with security tools.
A team of experts went further with their research and discovered the Glitch website linked with a service of commercial malware sandbox. This included a screenshot of the Microsoft SharePoint phishing login page.
The discovery of the PDF through which the researchers were directed to that website led to the identification of various HTML documents linked to that sample after it was submitted to Virus Total. The chunks of obfuscated JavaScript could be spotted after the pages were pulled. These code chunks passed through these malicious WordPress sites and then were used for the purpose of leaking credentials. Researchers attempted to speak to Glitch regarding the exploit of the platform, but the company is yet to respond.
