publishing date icon
May 14, 2021
read time icon
5 min. read

File sharing sites Phish

Author image
Patrik Sulander, Eetu Lehto
Junior Threat Analysts
facebook iconLinkedin iconTwitter icon
Post hero image

Sharing isn’t always caring.

File sharing sites are an increasingly popular way to send documents person-to-person, especially with the pandemic-driven shift to remote work. But attackers have taken note of that popularity and are taking advantage.The file sharing phish is a different variety of the malicious phish species. It's seemingly blander and duller, but actually highly toxic.Traditionally, phishing emails contain a malicious payload, such as a link to a dangerous web site or an attachment. The link itself might not be malicious but, once clicked, it may trigger a malware download or shuttle the user to a credential harvesting site designed to trick the user into entering credentials with a false sense of security. Establishing trust is easier when posing as a recognized service.File sharing scams can quickly snowball into a major problem. Just one compromised email can fuel the scam campaign with an even greater trust rate.

What we’re seeing

Usually, phishing attacks induce hasty actions by awakening extreme emotions. Threats of dire consequences unless specific actions are taken are common. But these new file sharing messages are different. The messages themselves are crafted to mimic ordinary corporate comms that anyone could receive on any day. They don’t push the user too hard to act.And yet they remain effective by their sheer blandness. Because different organizations often use multiple services for sharing documents and data, users can be lulled into a false sense of security by the toned-down messaging within a trusted template.Many file sharing services today provide media hosting, file sharing, and combinations thereof. Attackers use these services often since they are easy to use and quick to set up. Common services we’ve seen appropriated for scams are Dropbox, Sharepoint, Adobe Spark, WeTransfer, MediaShuttle, Canva and Miro. Most of these messages and the content behind the links are quite similar but there are a few variations.One variation is that the message claims they have sent some files for the user to view. Then there is a link that takes the user to a hosting service where the user has to click another link and that takes the user to a credential harvesting site. Example below:

User clicks a “RFP_#SSW567-BID” -link in the message

File Share Credential Harvest Phish

Then the user is taken to Adobe Spark -service where the user has to click another link that takes the user to credential harvesting site

Some other messages have links for downloading malicious content from disk images to excel or word documents with macros. These messages look pretty similar but the links take the user to different sites, like WeTransfer.

WeTransfer Phish

And some emails look more realistic than others.

How it works

These phishing attacks slip past your defence in two ways. One, the message could be a legit notification that a file has been shared with you, originating from the service’s real servers. Or, two, it could be made to look like an ordinary business-to-business sales message.In both cases, it eludes spam filters and lands in your inbox, as if sent from your friend or colleague. Links lead to the real site, and sender names can be impersonated or email could even be compromised to seem like the item originates from someone you know. Recipients are then lured to download malicious content or enter credentials, which an attacker can exploit.

Why is it dangerous?

Attackers can’t succeed without participation from victims. Credentials don’t harvest themselves, links to malicious sites don’t click themselves, and malware doesn’t just download itself. Attackers fool victims by making them feel safe enough to overlook the danger and just dive in and do as directed.The overarching danger with the file sharing site phish lies in the fact that users trust these services. They are after all familiar, and hosted on trusted platforms provided by major companies. Previous use of the same hosting platform lulls the user into a false sense of security for opening links, downloading content or entering credentials.

Conclusion: If you see something, say something

With so many different services and media hosting platforms it is not easy for a user to keep track of what is safe and what is not. Luckily, services like this often have anti-virus scanning implemented and there is also an option to report the shared file. This often leads to the files being taken down before the majority of the recipients try to download them. But it is good to remember not to blindly trust something just because it is familiar.Always think critically when you are asked to enter credentials or to download something. With a critical eye and a cautious approach to links you can stay Off the HookPro tips:

  • Always hover and check the URL destination
  • Always be extra-cautious about downloadable content
  • When in doubt, confirm from the sender if the content is safe

Hoxhunt response

The Threat Analysis Team examines tens of thousands of reported phishing emails, including ones like these, a week–and have captured tens of millions of threats to date–to ensure our training is at the cutting edge of the constantly-evolving threat landscape. We cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time. This level of agility ensures that Hoxhunt users are being drilled on spotting and reporting the latest actual threats making the rounds, and thus removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button.

Subscribe to our newsletter