Wednesday, December 18, 2024

Hackers Abuse Document Publishing (DDP) Websites to Launch Cyber Attacks


Threat actors have been observed hosting phishing documents on legitimate digital document publishing (DDP) sites as part of ongoing credential and session harvesting attempts.

Since DDP sites are unlikely to be blocked by web filters, have a good reputation, and could give visitors the impression that they are trustworthy, hosting phishing lures on these sites increases the chance of a successful phishing attack.

“Digital Document Publishing sites” are online platforms that let users upload and share PDF files in a browser-based flipbook format.


Users can read a PDF in its entirety by turning pages without downloading the file, and certain DDP websites have functionality that enables additional document interaction. 

Publuu, Marq, FlipSnack, Issuu, FlippingBook, RelayTo, and SimpleBooklet are a few DDP sites involved in the campaign.

Attackers Leverage DDP Sites For Ongoing Credential And Session Token Theft

Recently, as part of continuing credential and session harvesting attempts, threat actors have been hosting phishing documents on legitimate digital document publishing sites like Publuu and Marq.

In the Publuu case, phishing emails with the subject “New Document from [third-party vendor]” were sent to several people at the targeted company using a compromised email account that belonged to a reliable third-party vendor. The email’s body contained a link that opened a Publuu flipbook.

“The phishing document was a generic, widely used file observed in similar attacks on other DDP sites.

However, while the phishing document was reused, the adversary had modified the Publuu page with the sender organization’s name to lend authenticity to the document”, Talos researchers shared with Cyber Security News.

The phishing document

The user was redirected to a Cloudflare CAPTCHA after clicking the “VIEW ONLINE PDF” link.

Using the CAPTCHA probably serves two purposes: it shields the credential harvesting page from automated access and presents a genuine website to users who click on the phishing link.

“After completing the CAPTCHA, the victim is directed to a convincing replica of a Microsoft 365 authentication page. The URL for the page contains a lengthy alphanumeric string, which may act as an identifier for the visitor”, researchers said.

Replica of a Microsoft 365 authentication page

In the case of Marq, every page was set up with a distinct URL using the .top top-level domain, in contrast to some activity clusters on other DDP sites. Another feature shared by all URLs embedded in the phishing document was the URL query string tkmilric.

Marq page hosting the phishing document

These features most likely point to a campaign that uses the same lure and customized or DGA-generated domains to collect session tokens for Microsoft 365 components.

Mitigations

  • Block common DDP sites via border security devices, endpoint detection and response (EDR) like Cisco Secure Endpoint, web content filtering, and/or DNS security controls.
  • Set up email security settings to recognize and notify recipients of links in emails that contain common URLs for DDP sites.
  • Utilize threat intelligence to promptly detect newly registered websites associated with known threats.
  • Monitor the company's internal environment for changes in user or system behavior.
  • Include information on DDP sites and other cloud-hosted phishing attack techniques in user security awareness training.
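The second mitigation, flagging DDP links in inbound mail, can be prototyped as an added example (this is not code from the article or from Talos). The DDP hostnames are assumed from the product names above and the `.top` and `tkmilric` indicators come from the Marq cluster; the sample message is constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Assumed hostnames for the DDP services named in the article; confirm
# against your own threat-intel feed before deploying.
DDP_DOMAINS = {
    "publuu.com", "marq.com", "flipsnack.com", "issuu.com",
    "flippingbook.com", "relayto.com", "simplebooklet.com",
}
# Query-string key the article reports on every URL in the Marq lure.
SUSPECT_QUERY_KEYS = {"tkmilric"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def classify_url(url):
    """Return the reasons this URL deserves a warning banner, or [] if none."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    # match the apex domain and any subdomain (e.g. user.flipsnack.com)
    if any(host == d or host.endswith("." + d) for d in DDP_DOMAINS):
        reasons.append("link to digital document publishing site")
    # the Marq cluster used unique URLs on the .top TLD (weak indicator)
    if host.endswith(".top"):
        reasons.append(".top top-level domain")
    keys = set(parse_qs(parsed.query, keep_blank_values=True))
    if keys & SUSPECT_QUERY_KEYS:
        reasons.append("known lure query string")
    return reasons

def scan_email_body(body):
    """Map each URL in the message to its warning reasons; clean URLs are omitted."""
    findings = {}
    for url in URL_RE.findall(body):
        reasons = classify_url(url)
        if reasons:
            findings[url] = reasons
    return findings

# Constructed sample message mimicking the "New Document from [vendor]" lure.
SAMPLE_BODY = """Subject: New Document from Example Vendor
Please review the document here:
https://publuu.com/flip-book/0000/example-doc
Reference: https://www.example.com/legit
"""

if __name__ == "__main__":
    for url, why in scan_email_body(SAMPLE_BODY).items():
        print(url, "->", "; ".join(why))
```

A mail gateway would use the returned reasons to prepend a warning banner rather than block outright, since the DDP sites themselves are legitimate.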


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
