Cyber Threat Advisory
Shivanna Gundanavar
Sr Solution Architect Azure-OCI-AWS-GCP-Cloud Expert-Cloud Security, MultiCloud Infra and migration expert.
“WeTransfer” used in malicious spam campaigns
Hackers are abusing the popular file-sharing service called “WeTransfer” to circumvent defensive email gateways that are designed to block spam messages with malicious URLs.
What is the issue?
* Researchers have observed an uptick in attacks targeting the banking, power and media industries using this technique.
* The technique abuses WeTransfer’s file-sharing service, which allows any user to upload a file and share it with someone via an email link.
* To abuse the service, the sender first enters a “From” email address and a recipient email address in the “WeTransfer” interface and uploads a file. The sender can then customize the message that the recipient sees.
* In this campaign, the threat actor often writes a note stating that the file is an “Invoice” to be reviewed.
* When the user clicks the “Get your files” button in the message body, they are redirected to the “WeTransfer” download page, where the HTM or HTML file is hosted, and the unsuspecting victim downloads it.
* When the user opens the “*.html” file, they are redirected to the main phishing page.
* The phishing page then asks victims to enter their Office365 credentials to log in and retrieve the file.
What should you do?
* Be careful of emails containing attachments that pretend to be invoices.
* Do not click links that look suspicious.
* To be safe, always scan the links before opening them.
* Users must check the legitimacy of the websites that they are visiting.
* When receiving emails that lead to login forms, make sure to examine the URL where the form resides before entering your login credentials.
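For teams triaging a downloaded HTM or HTML "invoice" of the kind described above, the following Python example (added here, not part of the original advisory) lists where the file redirects or posts to and flags every destination that is not a trusted sign-in host. The trusted-host set, the class and function names, and the sample file with its `.example` domain are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only host this organisation accepts for Office 365 sign-in.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com"}

# location = "...", location.href = "...", location.replace("...") / .assign("...")
JS_REDIRECT = re.compile(
    r"""location(?:\.href)?\s*(?:=|\.(?:replace|assign)\s*\()\s*["']([^"']+)["']""", re.I)

class RedirectFinder(HTMLParser):
    """Collects URLs that the HTML file navigates or posts to."""
    def __init__(self):
        super().__init__()
        self.urls, self._in_script = [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", a.get("content") or "", re.I)
            if m:
                self.urls.append(("meta-refresh", m.group(1).strip()))
        elif tag == "form" and a.get("action"):
            self.urls.append(("form-action", a["action"]))
        self._in_script = tag == "script"
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.urls += [("js-redirect", u) for u in JS_REDIRECT.findall(data)]

def triage(html_text):
    """Return (kind, url, host) for each absolute URL outside the trusted set."""
    finder = RedirectFinder()
    finder.feed(html_text)
    finder.close()
    # Relative URLs have no host and are skipped; exact host match only.
    return [(kind, url, host) for kind, url in finder.urls
            if (host := (urlparse(url).hostname or "").lower())
            and host not in TRUSTED_LOGIN_HOSTS]

# Constructed sample standing in for the downloaded "invoice" HTML file.
SAMPLE = """<html><head><meta http-equiv="refresh" content="0; url=https://o365-signin.example/login">
<script>window.location.replace('https://o365-signin.example/login');</script>
</head><body>Loading invoice...</body></html>"""

if __name__ == "__main__":
    for kind, url, host in triage(SAMPLE):
        print(f"{kind}: {url} (host {host} is not a trusted sign-in host)")
```

Because the comparison is an exact host match, a lookalike such as a trusted name used as a subdomain prefix of another domain is still flagged.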