Friday, November 15, 2024

Hackers Abuse Document Publishing (DDP) Websites to Launch Cyber Attacks


Threat actors have been observed hosting phishing documents on legitimate digital document publishing (DDP) sites as part of ongoing credential and session harvesting attempts.

Since DDP sites are unlikely to be blocked by web filters, have a good reputation, and could give visitors the impression that they are trustworthy, hosting phishing lures on these sites increases the chance of a successful phishing attack.

“Digital Document Publishing sites” are online platforms that let users upload and share PDF files in a browser-based flipbook format.


Users can read a PDF in its entirety by turning pages without downloading the file, and certain DDP websites have functionality that enables additional document interaction. 

Publuu, Marq, FlipSnack, Issuu, FlippingBook, RelayTo, and SimpleBooklet are among the DDP sites abused in the campaign.

Attackers Leverage DDP Sites For Ongoing Credential And Session Token Theft

Recently, as part of continuing credential and session harvesting attempts, threat actors have been hosting phishing documents on legitimate digital document publishing sites like Publuu and Marq.

In the Publuu case, phishing emails with the subject “New Document from [third-party vendor]” were sent to several people at the targeted company from a compromised email account belonging to a trusted third-party vendor. The email body contained a link that opened a Publuu flipbook.

“The phishing document was a generic, widely used file observed in similar attacks on other DDP sites.

However, while the phishing document was reused, the adversary had modified the Publuu page with the sender organization’s name to lend authenticity to the document”, Talos researchers shared with Cyber Security News.

The phishing document

The user was redirected to a Cloudflare CAPTCHA after clicking the “VIEW ONLINE PDF” link.

The CAPTCHA probably serves two purposes: it shields the credential harvesting page from automated scanners, and it gives users who click the phishing link the impression of a genuine website.

“After completing the CAPTCHA, the victim is directed to a convincing replica of a Microsoft 365 authentication page. The URL for the page contains a lengthy alphanumeric string, which may act as an identifier for the visitor”, researchers said.

Replica of a Microsoft 365 authentication page

In the Marq case, every page was set up with a distinct URL using the .top top-level domain, in contrast to some activity clusters observed on other DDP sites. Another feature shared by all URLs embedded in the phishing document was the query string tkmilric.

Marq page hosting the phishing document

These features most likely point to a single campaign that uses the same lure together with custom or DGA-generated domains to collect session tokens for Microsoft 365 components.

Mitigations

  • Block common DDP sites via border security devices, endpoint detection and response (EDR) such as Cisco Secure Endpoint, web content filtering, and/or DNS security controls.
  • Configure email security controls to recognize links to common DDP site URLs in inbound email and warn recipients about them.
  • Use threat intelligence to promptly detect newly registered domains associated with known threats.
  • Monitor the company's internal environment for changes in user and system behavior.
  • Include DDP sites and other cloud-hosted phishing techniques in user security awareness training.
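As an added illustration of the second and third mitigations (not code from the article or from Talos), the following checker extracts links from an email body and flags those pointing at the DDP sites named above, at a .top domain, or carrying the tkmilric query string. The DDP hostnames are assumptions constructed from the site names, and the sample email is constructed.

```python
import re
from urllib.parse import urlparse

# Hostnames for the DDP sites named in the article. These are assumptions
# built from the site names, not indicators taken from the Talos report.
DDP_DOMAINS = {
    "publuu.com", "marq.com", "flipsnack.com", "issuu.com",
    "flippingbook.com", "relayto.com", "simplebooklet.com",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _host_in(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_url(url):
    """Return the reasons a URL should be flagged; an empty list means clean."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    if _host_in(host, DDP_DOMAINS):
        reasons.append("link to a digital document publishing (DDP) site")
    # Marq cluster: landing pages used the .top TLD ...
    if host.endswith(".top"):
        reasons.append("landing page on .top TLD")
    # ... and every embedded URL carried the query string 'tkmilric'
    if "tkmilric" in parsed.query.lower():
        reasons.append("query string contains 'tkmilric'")
    return reasons


def scan_email_body(body):
    """Map each flagged URL found in an email body to its list of reasons."""
    findings = {}
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")  # drop trailing punctuation from prose
        reasons = classify_url(url)
        if reasons:
            findings[url] = reasons
    return findings


# Constructed sample email mimicking the lure described in the article.
SAMPLE_EMAIL = """Subject: New Document from Example Vendor
Please review the document: https://publuu.com/flip-book/00000/00000
Quarterly report: https://www.example.com/report.pdf
Alternate viewer: https://doc-view-example.top/?tkmilric=abc123
"""
```

Running `scan_email_body(SAMPLE_EMAIL)` flags the Publuu link and the .top URL while leaving the example.com link alone; the same logic can be applied to secure email gateway logs or proxy logs.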



Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
