Attackers are increasingly exploiting the fact that email gateways turn a blind eye to links to popular sites such as YouTube, in order to phish passwords from unsuspecting computer users.

Researcher Ashley Trans of Cofense highlighted the threat in a blog post describing a recent phishing campaign.

In the attack, an unsuspecting user receives an email which purports to come from SharePoint, claiming that a new file has been uploaded to his company’s SharePoint site.

To the untrained eye the email may appear legitimate, and an unwary user might click on the link contained inside the email without proper due care and attention.

A more cautious user might have hovered their mouse cursor over the link within the email, and found that it actually took them via YouTube.

Closer examination reveals that although the link in the email does indeed point initially at YouTube (youtube.com), it also sends a series of parameters telling YouTube to redirect any traffic to a URL at <companyname>[.]sharepointonline-ert[.]pw, which in turn ultimately takes the user’s browser to its final destination: a phishing page hosted on a legitimate Google site, googleapis.com.
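A gateway-side check for the pattern described above, as an added example (not code from Cofense or the original article): it flags links whose host is allow-listed but whose query string carries a URL on a different domain. The trusted-host list, the `/hypothetical-redirect` path and the `target` parameter are assumptions; the destination is the defanged domain from the article with a placeholder company name.

```python
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Assumption: hosts a gateway lets through without inspection (illustrative list).
TRUSTED_HOSTS = {"youtube.com", "www.youtube.com"}

def registrable(host):
    """Crude last-two-labels domain; production code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def embedded_redirects(url, max_decode=3):
    """Hosts of off-domain URLs nested in the query string of a trusted-host link."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in TRUSTED_HOSTS:
        return []
    found = []
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; a value may be encoded again, so decode a bounded number of times.
        for _ in range(max_decode):
            inner = urlsplit(value)
            if inner.scheme in ("http", "https") and inner.hostname:
                if registrable(inner.hostname) != registrable(host):
                    found.append(inner.hostname.lower())
                break
            decoded = unquote(value)
            if decoded == value:
                break
            value = decoded
    return found

# Constructed samples. Path and parameter names are hypothetical; DEST is the
# article's defanged domain, refanged only so that it can be parsed.
DEST = "https://companyname[.]sharepointonline-ert[.]pw/".replace("[.]", ".")
BASE = "https://www.youtube.com/hypothetical-redirect?"
SAMPLES = [
    BASE + "v=abc123&target=" + quote(DEST, safe=""),               # encoded once
    BASE + "target=" + quote(quote(DEST, safe=""), safe=""),        # encoded twice
    "https://www.youtube.com/watch?v=abc123",                       # ordinary link
    BASE + "target=" + quote("https://music.youtube.com/", safe=""),  # same-domain target
]

if __name__ == "__main__":
    for sample in SAMPLES:
        hits = embedded_redirects(sample)
        print("FLAG" if hits else "ok  ", hits, sample[:60])
```

A flagged link is a reason to resolve and scan the final destination rather than trust the first hop; the two-label domain comparison will misjudge suffixes such as `co.uk`.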

In the attacks seen by Cofense’s research team, the phishing page poses as a harmless-looking Microsoft login page. The username field of the login page is automatically populated with the target’s email address, and any password entered is automatically sent to criminals.

Again, it’s easy to understand why users would believe the webpage to be genuine.

According to Cofense, it will not be obvious to most users that anything about the page is suspicious:

Nothing appears amiss–in fact, it is almost a perfect replica. The main differences are: the box surrounding the login is black instead of white; the small detail of the banner at the bottom has different information than