SOCRadar® Cyber Intelligence Inc. | The Blogspot Based Phishing Attacks
Apr 03, 2025

The Blogspot Based Phishing Attacks

Recently, the increase in Blogspot-based phishing sites has drawn attention. Threat actors are taking advantage of Blogspot’s free and seemingly reliable infrastructure to target users. Since Blogspot is a service owned by Google, pages hosted on this platform are generally perceived as trustworthy, which makes it easier for scammers to deceive users.


The first examples of Blogspot phishing pages emerged in 2002 and have since been increasingly utilized by cyber threat actors. This method has gained popularity among fraudsters, primarily due to its low cost and ease of implementation. Today, blog-based phishing attacks are widely used to steal sensitive user data, often enhanced with sophisticated social engineering techniques.

Is Blogspot the New Playground for Threat Actors?

As digital threats become more sophisticated every day, cyber criminals are turning to platforms that lend them the appearance of trustworthiness. The recent rise in Blogspot-based phishing sites is one of the most striking examples of this trend. The perception of trustworthiness that comes with Blogspot, which is owned by Google, gives threat actors a great advantage.

The number of Blogspot-based phishing cases observed in recent months is shown above.


How Do Blogspot Based Phishing Attacks Work?

1. Trapping Users with Fake Websites

Attackers exploit Blogspot’s ease of use to create fake banking, e-commerce, and social media login pages. These fake sites often lure users with campaign promises or free money offers, tricking them into unknowingly handing over their credentials to fraudsters. URLs such as “account-verification.blogspot.com” in particular may not catch the user’s attention and can give the impression of a legitimate page.

The messages in the image below, which promise financial gain and attempt to collect personal information, are a classic example of phishing. In such attacks, fraudsters impersonate trusted individuals and organizations to deceive users.

Here is another instance of phishing, showcasing deceptive tactics used to steal sensitive information.


Another case where fraudsters impersonate trusted individuals


Additionally, attackers enhance the credibility of their fraudulent schemes by incorporating fake comments designed to persuade potential victims. These fabricated reviews and endorsements create a false sense of legitimacy, increasing the likelihood that users will fall for the deception.

An example of fraudsters impersonating trusted individuals


Fraudsters frequently exploit the names of well-known figures, including business leaders such as Elon Musk, Mark Zuckerberg, and Jeff Bezos, as well as famous musicians like Shakira and Snoop Dogg, to enhance the credibility of their phishing attempts and deceive users into providing personal information.

2. 302 Redirect Technique to Evade Tracking

Such fraudulent campaigns typically involve multiple 302 redirects, guiding users to the final page controlled by the scammers. This technique helps attackers evade detection by security systems and keeps the true malicious intent hidden until the last step.

Phishing sites often use multiple redirects for the following reasons:

  • Tracking Evasion: Multiple redirects make it difficult for security researchers and automated tools to trace their activities, helping scammers conceal the final malicious page.
  • Legitimacy Illusion: By initially directing users to a trustworthy-looking page, scammers create the illusion of authenticity before transitioning them to a fraudulent site.
  • Blacklist Avoidance: Frequently changing URLs and domains through redirects helps phishing sites avoid detection and blacklisting by security systems and browsers.
  • Dynamic Content Delivery: Redirects allow scammers to tailor fake pages based on the user’s location, device, or browser, making the attack more convincing and personalized.
  • Security Control Bypass: Some security solutions only analyze the first page loaded. By delaying malicious content through multiple redirects, attackers can evade detection.
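A defender-side check for the redirect behaviour described above, given as an added example that is not part of the original article: it follows a chain one hop at a time and records every intermediate URL, so the whole chain is analysed rather than only the first page. The response table, the `short.example` and `landing.example.net` hosts, and the "two or more redirects across two or more hosts" threshold are assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample: URL -> (status, Location header). All hosts are made up.
SAMPLE_RESPONSES = {
    "https://short.example/a1": (302, "https://account-verification.blogspot.com/"),
    "https://account-verification.blogspot.com/": (302, "/p/login.html"),
    "https://account-verification.blogspot.com/p/login.html":
        (302, "https://landing.example.net/form"),
    "https://landing.example.net/form": (200, None),
    "https://loop.example/x": (302, "https://loop.example/y"),
    "https://loop.example/y": (302, "https://loop.example/x"),
}

def sample_fetch(url):
    """Stand-in for an HTTP client with automatic redirects disabled."""
    return SAMPLE_RESPONSES.get(url, (None, None))

def trace_redirects(url, fetch=sample_fetch, max_hops=10):
    """Follow redirects hop by hop; return every hop plus a verdict."""
    hops, seen = [], set()
    while len(hops) < max_hops:
        if url in seen:  # the chain points back at itself
            return {"hops": hops, "final": url, "verdict": "loop"}
        seen.add(url)
        status, location = fetch(url)
        hops.append((url, status))
        if status not in REDIRECT_CODES or not location:
            break  # reached the final page (or an error)
        url = urljoin(url, location)  # the Location header may be relative
    else:
        return {"hops": hops, "final": url, "verdict": "too-many-hops"}
    # Distinct hosts in order of first appearance.
    hosts = list(dict.fromkeys(urlsplit(u).hostname for u, _ in hops))
    redirects = len(hops) - 1
    # Assumed heuristic: several redirects spread over several hosts.
    verdict = "suspicious" if redirects >= 2 and len(hosts) >= 2 else "ok"
    return {"hops": hops, "final": url, "hosts": hosts, "verdict": verdict}
```

Against live traffic, `fetch` would be replaced by an HTTP client call that does not follow redirects itself and returns the status code and `Location` header.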

Attackers sometimes embed links to their own profiles or to other Blogspot profiles in the source code of their websites. These links give researchers and security experts a clue, because following them can lead to the discovery of the attackers’ other profiles. Such a search is typically conducted recursively, meaning it progresses from one site’s source code to another, and then to other linked sites. This approach enables tracking the attackers’ online footprints and building an extensive network of connections.

Extraction of all links present on a website


A simple Python utility that operates recursively can extract all links present on a website. After retrieving the initial links, it can further navigate through each one to identify additional embedded links. This process creates a comprehensive link collection, enabling a deeper exploration of the site’s structure and content. Such an approach is commonly used for web scraping and data extraction tasks.

The extracted links can be subjected to GET requests to check their response status. By analyzing the status codes returned from these requests, it becomes possible to determine which links are still active and functioning properly. This approach helps identify broken or inaccessible links, ensuring that only valid and responsive URLs are maintained. Such a validation process is essential for ensuring reliable website navigation and data integrity.
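The recursive extraction and status check described above, as an added sketch (not the utility pictured in the original article): it walks from a seed blog through Blogger profile links to sibling blogs and records the status of each page reached. The sample pages, host names and profile IDs are constructed, and the scope filter covering only `*.blogspot.com` and `blogger.com/profile/` is an assumption.

```python
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample pages (URL -> HTML). Every host and profile ID is made up.
A, B = "https://free-gift-a.blogspot.com/", "https://free-gift-b.blogspot.com/"
P1, P2 = "https://www.blogger.com/profile/0001", "https://www.blogger.com/profile/0002"
def page(*hrefs):
    return "".join(f'<a href="{h}">link</a>' for h in hrefs)
SAMPLE_PAGES = {A: page(P1, "https://news.example.org/"), P1: page(B, A + "#top"),
                B: page(P2), P2: page("https://removed-blog.blogspot.com/")}

def sample_fetch(url):  # stand-in for a GET request; returns (status, html)
    return (200, SAMPLE_PAGES[url]) if url in SAMPLE_PAGES else (404, "")

class LinkParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        self.links += [v for k, v in attrs if k in ("href", "src") and v]

def in_scope(url):
    """Keep only Blogspot blogs and Blogger profile pages."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return host.endswith(".blogspot.com") or (
        host in ("blogger.com", "www.blogger.com") and parts.path.startswith("/profile/"))

def crawl(seed, fetch=sample_fetch, max_depth=4):
    """Breadth-first walk; returns {url: status} for each in-scope URL reached."""
    statuses, queue = {}, deque([(seed, 0)])
    while queue:
        url, depth = queue.popleft()
        if url in statuses:  # already visited, avoids cycles between blogs
            continue
        status, html = fetch(url)
        statuses[url] = status
        if status != 200 or depth >= max_depth:
            continue  # dead link, or deep enough: do not expand further
        parser = LinkParser()
        parser.feed(html)
        for href in parser.links:
            link = urljoin(url, href).split("#")[0]  # resolve relative, drop fragment
            if in_scope(link):
                queue.append((link, depth + 1))
    return statuses
```

In the constructed data the walk reaches both profiles and both blogs with status 200 and reports the removed blog as 404, while the out-of-scope news link is never fetched.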

Link collection


Threat actors create multiple pages under the names of well-known companies or individuals to carry out malicious activities. Examples of fake websites in a scammer profile are as follows:

Threat actors create multiple pages under the names of well-known companies or individuals


Phishing attackers use multiple profile links to interconnect their fake blogs, allowing them to manage and expand their network more efficiently. By linking different profiles, they ensure that even if one account is taken down, others remain active, keeping the operation running smoothly.

Phishing attackers use multiple profile links to interconnect their fake blogs


This method also helps automate the creation and maintenance of phishing pages. Attackers can use scripts to generate new sites under different profiles while maintaining a unified network, making it harder for authorities to track and dismantle their entire operation.

The content of the blog pages discovered through recursive search is represented in the graph.

Analysis of the Blogspot links


Analysis of the Blogspot links that were found showed that a single profile could create around 40 different blogs. 71% of these sites are linked to phishing activities designed to trick users and obtain sensitive data. Furthermore, 8% of the sites were removed, possibly due to policy violations, while the rest consisted of legitimate blogs on various topics.

Following the analysis, a total of 1,421 profiles were identified, from which 47,838 Blogspot phishing links were extracted.

According to the analysis, the majority of links that users are coerced into clicking are shortened URLs. These links are often used to obscure the actual destination, making it more difficult for users and security systems to detect malicious content. This tactic is commonly employed in phishing campaigns to increase the likelihood of successful redirections to fraudulent websites.

How to Protect Against Blogspot Phishing Attacks

Phishing attacks are among the most common cyber threats, frequently carried out via free blog platforms such as Blogspot. To effectively protect against such attacks, both individuals and organizations must adopt a series of preventive measures:

  1. Always Verify the URL:
    Users should carefully inspect the URL before accessing websites they believe belong to legitimate organizations. Minor misspellings, additional characters, or unfamiliar domain names are often signs of fraudulent sites designed to deceive visitors.
  2. Use Link Verification Tools:
    Security analysis tools such as Google Safe Browsing and VirusTotal can help determine whether a link is malicious. These platforms assess the reputation of a URL before redirection, enabling users to identify and avoid potential threats in advance.
  3. Beware of Complex Redirects:
    If clicking on a link leads to multiple redirects across different pages, this may indicate a malicious campaign. Users should remain cautious when encountering such behavior, as it is a common tactic used in phishing attempts.
  4. Keep Browsers and Antivirus Software Updated:
    Modern browsers and security programs are equipped with real-time threat detection and alerting capabilities. Regular updates ensure that these tools remain effective against the latest phishing techniques and malware variants.
  5. Leverage SOCRadar for Proactive Threat Protection:
    SOCRadar provides advanced threat intelligence to detect phishing campaigns conducted through platforms like Blogspot. With capabilities such as domain monitoring, Open-Source Intelligence (OSINT), and digital risk protection, potential threats can be identified at an early stage. SOCRadar enables not only defense but also proactive threat hunting by delivering rich contextual data that supports timely and informed action.

Finding Threat Actors

SOCRadar’s Threat Actor discovery tool provides valuable insights into the activities of threat actors, helping security teams track and identify malicious actors. A critical aspect of this tool is its ability to detect and analyze Indicators of Compromise (IOCs) associated with phishing and other malicious activities. Blogspot, a widely used platform owned by Google, is increasingly being used by threat actors to host phishing pages and other malicious content.

SOCRadar's threat actor intelligence


Conclusion

The rise of Blogspot-based phishing sites highlights the evolving tactics of threat actors who exploit trusted platforms for malicious purposes. By leveraging Blogspot’s credibility, attackers create deceptive pages that lure users into providing sensitive information. Their use of multiple redirects, fake reviews, and embedded links further complicates detection and mitigation efforts.

As phishing attacks become more sophisticated, it is crucial for both individuals and organizations to stay informed about these tactics and continuously adapt their cybersecurity strategies. Maintaining awareness of the evolving methods used by scammers can lead to a more robust defense against such deceptive schemes.