The cyber attacks they never stop, and on this occasion a new mode of phishing who pretends to be WeTransfer, the platform for sending and receiving files.
It should be remembered that phishing is a social engineering strategy used by cybercriminals to steal credentials and commit fraud with them or obtain sensitive information. They usually impersonate companies by copying their logos and fonts to send emails with malicious links.
Having said that, it should be noted that on this occasion the attackers emails from WeTransfer were duplicated. They send fake emails to their victims hoping that they will click on a link that supposedly leads to the file download site.
However, by clicking on the malicious link, the victims give the attackers access. Such a situation can be extremely dangerous, especially if a company’s equipment is being used.
The one who warned about this new scam was Marcos Besteiro, executive director of the training portal, ACEDIS, through his Twitter account. He said that some of his co-workers received the email, which they realized was apocryphal when they noticed some oddities.
Firstly, to realize that it was a phishing mail, was that they weren’t expecting to receive files from anyone that day. Second, they hovered over the link to see which address it pointed to. Thanks to these two signals they alerted their team.
“The malicious script they have, collects that email, to know where the click comes from, eliminates the user, and keeps the domain. In our case, it ends at http://acedis.com, which is our website”, informed Besteiro.
Put more simply, when the attacker gets a worker to click on the malicious link, their system checks where it came from. Normally, companies give their employees emails such as “[email protected]”, thus identifying that the victim was a Telefónica employee.
“Now him script opens an iframe with that domain full screen, so that it seems that you are on the website of your own company. And on that frame, they position a login window of theirs, so that if you click and think you have to enter your website, it captures your username and password”, he pointed out.
In other words, with the information obtained, they “duplicate” the company’s site so that the victim believes that they are really in it. When you try to log in, you enter your username and password, these are stolen by the cybercriminal.
If the person is clueless, they will not notice that the site is a copy and enter your data. The information, being under the domain of the attackers, can be used to access the business account and carry out attacks or demand ransom money.
Besteiro explained that the malicious script is hosted on ipfs.io, which is a p2p web system (interplanetary file system) to share content where each member is a node in the network.
How can you avoid these types of scams?
To avoid falling into a fraud such as phishing, you must reinforce security in electronic devices and navigation, for example:
– Use the two-step verification system in accounts.
– Check that the URL of the websites start with “https”.
– Be wary of incredible offers or that offer quick ways to earn money.
– Remember that legitimate websites do not request passwords or financial information through messages.
– Use a complete and reliable security solution to be protected.
– Have updated software. In this way one makes sure that the operating system has the necessary patches or corrections to be protected against possible attacks.
– Avoid public WiFi connection, without password protection and where all traffic can be exposed. Ideally, use a reliable VPN to connect, especially if you are going to enter sensitive data on the web.
