Phishing Attacks on File-Sharing Services Show Sharing Isn’t Always Caring

There are multiple ways in which attackers abuse the convenience of cloud-based services in our current cyber landscape. In my latest research, which I will be presenting at Black Hat 2019 on August 7, I have delved into one of these fast-growing threats: the exploitation of file-sharing services.

Here’s the deal: Cybercriminals are using these services for credential harvesting and to distribute malicious files and links.

Attackers aim for convenience and phishing attacks that abuse file-sharing services are relatively easy to execute. Cybercriminals are doubling down on this tactic because traditional web security measures have limited insight into the files housed by these services. Additionally, host services are often unable to access permissions-only URLs, making malicious content used in spear phishing attacks difficult to detect.

Trust is one of the many emotional triggers cybercriminals appeal to. For these reasons, the highest usage rates come from historically “trusted” services such as Dropbox, OneDrive and Google Drive because they increase the user’s likelihood of engagement. Attackers hide their vicious intentions behind the domain’s reputation.

Multiple threat actors use this technique to attack Mimecast and Mimecast customers. The map below shows the geographic origins of one of these threat actors.

The following graph breaks down which sectors this specific threat actor targeted most.

The Two Main Attack Vectors: Credential Harvesting and the Evasion of Content Scanning 

In credential phishing pages, attackers use forms or survey services of the domain. They imitate the look of the legitimate domain’s sign-in page on the legitimate domain. However, instead of signing in, users are completing a fake form or survey and sending their credentials to attackers.

Cybercriminals also use file-sharing services to evade content scanning. Since the domain that an attacker uses in the email/attachment is very well-known for its file-sharing services, the attacker can pass spam filters easier than with the low reputation file-sharing website links. Below is an example email which uses a legitimate file-sharing service, OneDrive, to initiate an attack. 

When the victim clicks on the link, they are directed to a website with a high reputation domain. However, the downloaded file carries malicious content or directs the user to a phishing page imitating  a sign-in page. 

To highlight what is going on behind the scenes, we drilled down on over 30 file-sharing sites that have been associated with malicious activity of some threat actors and heavily abused over the last quarter. 

There are some interesting findings as well as some expected outcomes from this research.

One of the observations we noted is that attackers will change the initial phishing URL when it is exposed. Since they have layers in the threat model, all they need is to get a new link from file-sharing services. Below is an example. You’ll notice when hovering over the Adobe Acrobat logo, the corresponding domain does not match.

Phishing scams can lead to impersonation attacks, loss of confidential information and more. For these reasons, cybersecurity awareness training is crucial in protecting your company’s network. It is important that, as users, we can identify and flag fraudulent URLs and malicious attachments before they do harm.  

I will be discussing this and more during my presentation, Post Breach Threat Intelligence vs. Human Error, at Black Hat 2019 in Las Vegas on August 7. I’ll be joined by my colleague Josh Douglas, Vice President of Threat Intelligence.

We’ll be examining how threat models have evolved from email-borne malicious URLs to malicious URLs hidden in files on these cloud services. We will also define which sectors are most at-risk and share what we have improved on our end at Mimecast to detect these attacks.

We hope to see you in Las Vegas!