Hackers are abusing the popular file-sharing service called WeTransfer to circumvent defensive email gateways that are designed to block spam messages with malicious URLs. Researchers have observed an uptick in attacks targeting banking, power and media industries using this technique.
The hack abuses WeTransfer’s file sharing service, which allows any user to upload a file and share it with someone via an email link. Things get dicey when that file is an HTM or HTML file redirecting to a phishing landing page.
“The email body is a genuine notification from WeTransfer which informs the victim that a file has been shared with them,” wrote Jake Longden, threat analyst with Cofense, in a blog post outlining the hack.
Click to Enlarge
To abuse the service, first a user inputs a “from” email address and a recipient email address into the WeTransfer interface and uploads a file. Next, the sender can customize a message that the recipient sees.
“Here, the threat actor will often write a note stating that the file is an invoice to be reviewed,” Longden wrote. This is a common phishing ploy to pique the user’s interest, he added.
“When the user clicks on the ‘Get your files’ button in the message body, the user is redirected to the WeTransfer download page where a HTM or HTML file is hosted and thus downloaded by the unsuspecting victim. When the user opens the .html file, he or she is redirected to the main phishing page,” the researcher said.
Click to Enlarge
The attack continues with victims asked to enter their Office365 credentials to login to retrieve the file. The researcher added, recent campaigns have targeted Microsoft Services, but other brands have also been spoofed.
WeTransfer did not return multiple requests to comment for this article.
Cofense said that popular services such as WeTransfer are not viewed often enough as potentially dangerous by email security gateways. “These links will typically bypass gateways as benign emails, unless settings are modified to restrict access to such file sharing sites,” Longden said.
