Security Alert: Document Sharing Sites Used For Phishing Attacks


Published on March 20th, 2024

Threat actors are now utilizing digital document publishing (DDP) platforms like FlipSnack, Issuu, Marq, Publuu, RelayTo, and Simplebooklet for conducting phishing campaigns, stealing credentials, and hijacking session tokens.

This once again highlights the trend of malicious actors repurposing legitimate services for their harmful activities.

According to Craig Jackson, a researcher at Cisco Talos, “By hosting phishing lures on DDP sites, the chances of a successful phishing attack are heightened.


These platforms often boast positive reputations, are less likely to be blocked by web filters, and might deceive users into feeling secure due to their familiar and legitimate appearance.”


While adversaries have previously utilized well-known cloud services like Google Drive, OneDrive, Dropbox, SharePoint, DocuSign, and Oneflow to host phishing materials, this recent development represents a new level of escalation aimed at circumventing email security measures.

DDP services offer a tempting allure: uploading PDFs and transforming them into interactive flipbooks with fancy page turns and visual effects. This makes them perfect for sharing brochures, catalogs, or magazines online.


However, there’s a dark side to this convenience. Malicious actors have discovered they can exploit these services for their own gain. Here’s how:

  • Free Ride, Bad Intentions: Threat actors abuse the free tiers or trial periods offered by DDP services. This allows them to create multiple accounts at no cost, perfect for launching widespread phishing campaigns.
  • Trusted Facade, Malicious Content: The established reputation of DDP services gives attackers a cloak of legitimacy. Recipients might be more likely to trust a link from a known DDP platform.
  • Disappearing Act: Many DDP sites offer transient file hosting. Attackers can leverage this feature to make their malicious documents disappear after a set timeframe, potentially evading detection by security measures.

Moreover, the built-in productivity functionalities found in DDP platforms such as Publuu could serve as a barrier, hindering the extraction and identification of malicious links within phishing communications.

Phishing Attack on document sharing sites

In the incidents analyzed by Cisco Talos, DDP services appear in the attack chain as an intermediate or later stage.

Typically, a phishing email embeds a hyperlink to a document hosted on a legitimate DDP platform.

The DDP-hosted document then acts as an entry point to an external site controlled by the adversaries.

The victim reaches that site either directly, by clicking a link within the deceptive file, or through a series of redirects, which also incorporate CAPTCHAs to impede automated analysis attempts.

The final landing page is a counterfeit that mimics the Microsoft 365 login portal, enabling the perpetrators to steal credentials or session tokens.

“DDP platforms may present a blind spot for defenders, as they are unfamiliar to trained users and improbable to trigger alerts from email and web content filtering systems,” remarked Jackson.

“DDP services offer advantages for threat actors aiming to evade modern phishing safeguards.

The very features and functionalities that draw genuine users to these platforms can be exploited by malicious actors to enhance the effectiveness of a phishing assault.”


How To Stay Safe From Phishing On Document Sharing Sites


  • Be Wary of Unsolicited Links: Don’t click links in emails or messages claiming to be from document sharing services unless you’re expecting them.
  • Verify Sender Identity: Check the sender’s email address carefully for typos or inconsistencies.
  • Hover Over Links (Safely): Many email clients allow you to hover over a link to see the true destination URL before clicking. Be cautious of URLs that appear different from what’s displayed in the text.
  • Look for Legitimate URLs: Legitimate document sharing sites often have specific URL structures. Learn the format used by the platform you normally use.
  • Don’t Enter Login Credentials on Unknown Sites: If you’re unsure of a site’s legitimacy, don’t enter your login information for any document sharing service.
  • Report Phishing Attempts: If you encounter a suspicious email or link, report it to the document sharing service and your email provider.
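
For defenders, the attack chain and the link-hovering advice above can be turned into an automated triage step. The following is an added example, not code from the article or from Cisco Talos: it flags links in an HTML email body that point at the DDP platforms named above, and links whose visible URL text names a different host than the real destination. The domain list, the sample body and all function names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Assumption: primary domains of the DDP platforms the article names.
DDP_DOMAINS = {"flipsnack.com", "issuu.com", "marq.com",
               "publuu.com", "relayto.com", "simplebooklet.com"}
# Constructed sample body; the path and the example.* hosts are placeholders.
SAMPLE = """<a href="https://publuu.com/EXAMPLE-PATH">View document</a>
<a href="https://login.example.net/session">https://www.example.com/portal</a>
<a href="https://issuu.com.example.net/doc">Open</a>"""

def host_of(url):
    """Hostname without a leading 'www.', or '' when there is none."""
    try:
        return (urlsplit(url.strip()).hostname or "").removeprefix("www.")
    except ValueError:          # malformed URL, e.g. unbalanced IPv6 brackets
        return ""

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def triage(html_body):
    """Return (href, reasons) for each link that deserves a second look."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        reasons, target = [], host_of(href)
        # Exact domain or subdomain only, so look-alike hosts are not mislabelled.
        if any(target == d or target.endswith("." + d) for d in DDP_DOMAINS):
            reasons.append("ddp-hosted")
        # Visible text that is itself a URL but names a different host.
        if text.lower().startswith(("http://", "https://")) and host_of(text) != target:
            reasons.append("text-href-mismatch")
        if reasons:
            findings.append((href, reasons))
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A "ddp-hosted" finding is a prompt for review rather than a verdict, since these platforms also carry legitimate brochures and catalogs.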