Blox Tales: WeTransfer Credential Phishing
In today’s Blox Tale, we will look at a credential phishing attack that spoofs a WeTransfer file-sharing notification. The email link leads to a phishing page replete with Microsoft Excel branding and aims to extract the victims’ O365 email credentials.
Org mailboxes: ~850
Email Provider: Office 365
Techniques used: Social engineering, brand impersonation, replicating existing workflows
Fig: Credential phishing attack spoofing a WeTransfer file-sharing notification
This email claims to come from WeTransfer, has ‘Wetransfer’ as the sender name, and is titled ‘View Files Sent Via WeTransfer’. The email bears enough surface-level similarity to a real WeTransfer email to pass the eye tests of unsuspecting victims. The email body references the victim’s company multiple times, further strengthening its supposed legitimacy.
The email claims that two files have been shared with the victim via WeTransfer and includes a link to view the files. A snapshot of the email is given below:
Fig: Email spoofing a WeTransfer file-sharing notification
The domain of the email sender was ‘valueserver[.]jp’, which is a web hosting provider based out of Japan. Laur Telliskivi, an infosec analyst, wrote about the same domain being used in phishing attacks last year.
Fig: The email sender domain belongs to a web hosting provider in Japan
The Phishing Page
Clicking the ‘View Files’ link in the email leads victims to a phishing page replete with Microsoft Excel branding. The page contains a blurred out spreadsheet in the background and a form to capture login details in the foreground. The victim’s email address is already pre-filled in the form, further helping the attack pass eye tests and inducing quicker action.
Fig: Phishing page spoofing Microsoft Excel that asks for victims’ O365 credentials
Recap of Techniques Used
This email attack employed a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting victims.
- Social engineering: The email title, sender name, and content aimed to induce a sense of trust and urgency in the victims - a sense of trust because the email claimed to come from a legitimate company (WeTransfer), and a sense of urgency because it claimed the victim was sent some files - files they would be eager to view. The context of this attack also leverages the curiosity effect, which is a cognitive bias that refers to our innate desire to resolve uncertainty and know more about something.
- Brand impersonation: The email has HTML stylings similar to real emails from WeTransfer. The phishing page contains Microsoft Excel branding. While it has some inconsistencies - like saying MicroSoft instead of Microsoft - it bears enough resemblance to a real page to be dangerous.
- Replicating existing workflows: The context for the email attack replicates a workflow that already exists in our daily lives (transferring files online). When we see emails we’ve already seen before, our brains tend to employ System 1 thinking and take quick action. The login page even has the victim’s email address pre-filled to further speed up the response.
Guidance and Recommendations
1. Augment native email security with additional controls
The email highlighted in this blog got past Office 365 email security. For better protection coverage against email attacks (whether they’re spear phishing, business email compromise, or credential phishing attacks like this one), organizations should augment built-in email security with layers that take a materially different approach to threat detection. Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2020, and should be a good starting point for your evaluation.
2. Watch out for social engineering cues
Since we get so many emails from service providers, our brains have been trained to quickly execute on their requested actions. It’s much easier said than done, but engage with these emails in a rational and methodical manner whenever possible. Subject the email to an eye test that includes inspecting the sender name, sender email address, language within the email, and any logical inconsistencies within the email (e.g. Why is a WeTransfer link leading to an Excel page? Why does the sender name say ‘Wetransfer’ without the capital T?).
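The eye test above can be automated at the mail gateway or in a triage script. The code below is an added example and is not part of the original post or the vendor’s product. It parses a raw message, checks whether the display name or subject claims a brand whose legitimate sending domains the sender address does not belong to, and repeats the check for every link in the body. The sample messages are constructed: the sender local part, the link host and the recipient are placeholders (only the ‘valueserver.jp’ sender domain and the ‘Wetransfer’ display name come from the post), and the brand-to-domain table is an assumption to confirm against each provider’s published sending domains.

```python
"""Display-name / sender-domain "eye test" for brand-impersonation phishing.

Constructed example: the messages below are made up to resemble the
WeTransfer spoof described in the post; nothing is copied from a real email.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands and the domains we expect their mail and links to use.
# ASSUMPTION: illustrative lists; verify against each provider's documentation.
BRAND_DOMAINS = {
    "wetransfer": {"wetransfer.com", "we.tl"},
    "microsoft": {"microsoft.com", "office.com", "microsoftonline.com"},
}


class LinkExtractor(HTMLParser):
    """Collect href targets from an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def registered_domain(host):
    """Crude eTLD+1 (last two labels); enough for .com/.jp here.
    ASSUMPTION: a real deployment should use the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def claimed_brands(text):
    """Brands named in a display name or subject, matched case-insensitively
    so 'Wetransfer' and 'WeTransfer' both count."""
    lowered = text.lower()
    return {brand for brand in BRAND_DOMAINS if brand in lowered}


def text_parts(msg):
    """Yield decoded text/html and text/plain bodies (single- or multipart)."""
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            payload = part.get_payload(decode=True) or b""
            yield payload.decode(part.get_content_charset() or "utf-8", "replace")


def eye_test(raw_message):
    """Return findings describing brand/domain mismatches (empty = passed)."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(address.rsplit("@", 1)[-1]) if "@" in address else ""
    brands = claimed_brands(display_name) | claimed_brands(msg.get("Subject", ""))
    findings = []

    # 1. Sender name/subject claim a brand, but the address domain is not theirs.
    for brand in sorted(brands):
        if sender_domain not in BRAND_DOMAINS[brand]:
            findings.append(f"sender claims '{brand}' but mail comes from {sender_domain or '<none>'}")

    # 2. Links in the body point somewhere the claimed brand does not own.
    for body in text_parts(msg):
        extractor = LinkExtractor()
        extractor.feed(body)
        for href in extractor.hrefs:
            link_domain = registered_domain(urlparse(href).hostname or "")
            for brand in sorted(brands):
                if link_domain not in BRAND_DOMAINS[brand]:
                    findings.append(f"link to {link_domain or href} does not belong to '{brand}'")
    return findings


# Constructed spoof: display name and sender domain as in the post, rest placeholders.
SPOOF = """\
From: Wetransfer <noreply@valueserver.jp>
To: victim@example.com
Subject: View Files Sent Via WeTransfer
Content-Type: text/html; charset="utf-8"

<html><body><p>Example Corp, 2 files have been shared with you.</p>
<a href="https://files.example.net/view?u=victim@example.com">View Files</a>
</body></html>
"""

# Constructed control message whose sender and link match the brand's domains.
LEGIT = """\
From: WeTransfer <noreply@wetransfer.com>
To: victim@example.com
Subject: View Files Sent Via WeTransfer
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://wetransfer.com/downloads/abc">View Files</a></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("spoof", SPOOF), ("legit", LEGIT)):
        print(label, eye_test(raw) or ["no findings"])
```

The check deliberately keys on what a human would look at (sender name, sender domain, where the links go) rather than on the email’s HTML styling, which an attacker can copy exactly. Any non-empty result is a reason to open the notification from the provider’s own site instead of clicking through.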
3. Follow MFA and password management best practices
This attack was built to harvest victims’ O365 credentials. Even when a phishing email gets through, MFA and sound password hygiene limit what an attacker can do with the credentials they capture.
If you haven’t already, implement these hygiene best practices to minimize the impact of your credentials being leaked:
- Deploy multi-factor authentication (MFA) on all possible business and personal accounts.
- Don’t use the same password on multiple sites/accounts.
- Use a password manager such as LastPass or 1Password to store your account passwords.
- Avoid using passwords that tie into your publicly available information (date of birth, anniversary date, etc.).
- Don’t use generic passwords such as ‘password123’, ‘YourName123’, etc.