COVID-19 Phishing Update: File Sharing Services Abused to Steal Credentials

As enterprise workforces continue to transition to remote environments, online file sharing and cloud storage tools are becoming a frequent, if not necessary, means of collaboration. While abusing these types of platforms is nothing new to threat actors, the lures they use are now taking advantage of the novel coronavirus. The two examples below demonstrate how.
 
We are providing ongoing updates on coronavirus-themed attacks observed by the PhishLabs team. This post and others are meant to help the security community stay up-to-date on how threat actors are exploiting the pandemic.

 
In the first example, a global financial institution is targeted with a malicious link referencing COVID-19. 
 
A malicious file is shared with the victim through a link on a popular file-hosting service. 
 
Sender’s address: no-reply@{redacted}.com.
 
By following the link to access the file, the victim is presented with a malicious document that uses logos similar to those found in the platform’s email and website in order to create a feeling of legitimacy:
hXXps://www.{redacted}.com/scl/fi/seqlhhc01c27s9t8639cw/(redacted)-(redacted)-2020-COVID.19-IPG735978024.pdf?dl=0&new_user=1&oref=e&r=ABLOA43Lu9leZH6KtXLT18yTWpYHjj0nErV_m78wD4IERfpFhoLZhBXOzLYRbiBLcRsJF-irkzwJKCKaF9yPbO1gbiA3J-bZq-iSfXw4hbO4aCCP7lH1plRLcleLb5WVr85nK1cuQ1zaotassHc3RHL68IpVP793scInSMuVYqgazc2bOJa0lvDHoRWtB2SsNkuREjXoJbTBPx-a9-4_AKpz&sm=1

 
If the victim follows the link to “Access your file,” they are redirected to a credential theft site where they are prompted to enter their account information:
hXXps://storage(dot)googleapis(dot)com/westartcoding(dot)appspot(dot)com/O%20N%20%20B%20B%20%20D%20D%20ED%20R%20T%20%20O%20O%20K%20%20B%20B%20V%20D%20D%20WE%20%20T%20U%20I%20N%20B%20D%20E%20T%20%20%20I%20I%20J%20B%20V%20FDR%20T%20%20Y%20UI%20%20K%20JM%20N%20.HTML

 
The second example was observed targeting an international law firm.
 
Sender’s address: qmailq@cloud1-vm350.de-nserver.de
 
The page has since been removed; however, based on the directory path, it led to a fake Microsoft Office login designed to steal account credentials:
hXXps://ispydeal(dot).com/http/Office/SSL/Login/cmd-login=421b0bb34445aaeca8034a475d86fc55/fne35yyov5a8ktksml8pss4s.php?rand=13InboxLightaspxn.1774256418&fid.4.1252899642&fid=1&fav.1&rand.13InboxLight.aspxn.1774256418&fid.1252899642&fid.1&fav.1&email={redacted}@{redacted}.com&loginpage=&.rand=13InboxLight.aspx?n=1774256418&fid=4#n=1252899642&fid=1&fav=1.
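
As an added example (not PhishLabs' code), the Python sketch below refangs defanged URLs like the ones quoted above and flags the traits they show: a landing page on a shared storage host, a space-padded path, a login-themed directory path, and the recipient's address carried in the URL. The host set, keyword list, thresholds and sample URLs are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumptions for this sketch: the shared-storage host set, the lure keywords
# and the thresholds are illustrative and need tuning against real mail flow.
SHARED_STORAGE_HOSTS = {"storage.googleapis.com"}
LURE_SEGMENTS = {"office", "login", "ssl", "signin"}
EMAIL_RE = re.compile(r"[\w.+{}-]+@[\w{}-]+(\.[\w{}-]+)+")

def refang(ioc):
    """Undo the defanging style used in the post: hXXp(s) and (dot)."""
    ioc = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.I)
    return re.sub(r"\(dot\)\.?", ".", ioc, flags=re.I)

def url_signals(ioc):
    """Return the names of the phishing traits present in one URL (no fetch)."""
    parts = urlsplit(refang(ioc))
    host = (parts.hostname or "").lower()
    segments = {s.lower() for s in parts.path.split("/") if s}
    on_storage = host in SHARED_STORAGE_HOSTS
    signals = []
    if on_storage:
        signals.append("shared-storage-host")
    # Long runs of encoded spaces in the object name, as in the first example
    if parts.path.count("%20") >= 3:
        signals.append("space-padded-path")
    # Directory names that imitate a sign-in flow, as in the second example
    if len(segments & LURE_SEGMENTS) >= 2:
        signals.append("login-lure-path")
    # Recipient address pre-filled in the query string or fragment
    if EMAIL_RE.search(unquote(parts.query + "#" + parts.fragment)):
        signals.append("recipient-in-url")
    # Browsable HTML served from a storage bucket rather than a web app
    if on_storage and parts.path.lower().endswith((".html", ".htm")):
        signals.append("html-on-storage-host")
    return signals

# Constructed samples modelled on the two landing URLs above, plus a benign one
SAMPLES = [
    "hXXps://storage(dot)googleapis(dot)com/bucket-placeholder(dot)appspot(dot)com/A%20B%20%20C%20D.HTML",
    "hXXps://phish-placeholder(dot).example/http/Office/SSL/Login/x.php?email=user@victim.example&fid=1",
    "https://www.example.com/docs/Quarterly%20Report.pdf",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(url_signals(sample), refang(sample))
```
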
 
The national workforce has seen a mass transition to remote work as a result of the pandemic, with some companies choosing to make the change a permanent one. With this, online file sharing services and collaboration tools are becoming a necessary part of internal communication for many organizations. As these examples have shown, threat actors are taking advantage of these changes to further exploit COVID-19 anxieties and steal employee credentials.
 
For more intelligence on COVID-19 threats, see our ongoing coverage.


*** This is a Security Bloggers Network syndicated blog from The PhishLabs Blog authored by Jessica Ellis. Read the original post at: https://info.phishlabs.com/blog/covid-19-phishing-update-file-sharing-services-abused