Threat actors have been observed hosting phishing documents on legitimate digital document publishing (DDP) sites as part of continuous session harvesting and credential attempts.
Since DDP sites are unlikely to be blocked by web filters, have a good reputation, and could give visitors the impression that they are trustworthy, hosting phishing lures on these sites increases the chance of a successful phishing attack.
“Digital Document Publishing sites” are online platforms that let users upload and share PDF files in a browser-based flipbook format.
Users can read a PDF in its entirety by turning pages without downloading the file, and certain DDP websites have functionality that enables additional document interaction.
Publuu, Marq, FlipSnack, Issuu, FlippingBook, RelayTo, and SimpleBooklet are a few DDP sites involved in the campaign.
Recently, as part of continuing credential and session harvesting attempts, threat actors have been hosting phishing documents on legitimate digital document publishing sites like Publuu and Marq.
In the Publuu case, phishing emails with the subject “New Document from [third-party vendor]” were sent to several people at the targeted company using a compromised email account that belonged to a reliable third-party vendor. The email’s body contained a link that opened a Publuu flipbook.
“The phishing document was a generic, widely used file observed in similar attacks on other DDP sites.
However, while the phishing document was reused, the adversary had modified the Publuu page with the sender organization’s name to lend authenticity to the document”, Talos researchers shared with Cyber Security News.
The user was redirected to a Cloudflare CAPTCHA after clicking the “VIEW ONLINE PDF” link.
Using the CAPTCHA probably serves two purposes: it shields the credential harvesting page from automated access and presents a genuine website to users who click on the phishing link.
“After completing the CAPTCHA, the victim is directed to a convincing replica of a Microsoft 365 authentication page. The URL for the page contains a lengthy alphanumeric string, which may act as an identifier for the visitor”, researchers said.
In the case of Marq, every page was set up with a distinct URL utilizing the top top-level domain, in contrast to some activity clusters on other DDP sites. The URL query string tkmilric was another feature shared by all URLs incorporated in the phishing document.
These features most likely point to a campaign that uses the same lure and customized or DGA-generated domains to collect session tokens for Microsoft 365 components.
With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.
The VIPKeyLogger infostealer, exhibiting similarities to the Snake Keylogger, is actively circulating through phishing campaigns. …
INTERPOL has called for the term "romance baiting" to replace "pig butchering," a phrase widely…
Cybersecurity experts are sounding the alarm over a new strain of malware dubbed "I2PRAT," which…
A new cyber campaign by the advanced persistent threat (APT) group Earth Koshchei has brought…
Recent research has linked a series of cyberattacks to The Mask group, as one notable…
RiseLoader, a new malware family discovered in October 2024, leverages a custom TCP-based binary protocol…