Threat actors are exploiting digital document publishing (DDP) sites such as FlipSnack, Issuu, Marq, Publuu, RelayTo and others for phishing and credential theft. Threat actors are repurposing these legitimate services for malicious activities.
These sites have a favorable reputation, are less likely to appear on web filter blocklists, and can give users a false sense of security. Adversaries have also used popular cloud services in the past (i.e. Google Drive, OneDrive, Dropbox, SharePoint, and DocuSign), but the use of DDP sites is an escalation, designed to evade email security controls.
DDP services let users upload and share PDFs in a browser-based flipbook format.
Threat actors abuse the free tiers or trial periods of these services to create multiple accounts and publish malicious documents. The transient file hosting feature of DDP sites, which allows content to automatically become unavailable after a set expiration date, is also exploited by attackers.
In the incidents Cisco Talos analyzed, DDP sites are integrated into the attack chain at the secondary or intermediate stage, usually by embedding a link to a document hosted on a legitimate DDP site in a phishing email. The DDP-hosted document leads to an external, adversary-controlled site, ending up on a fake Microsoft 365 login page, thus enabling the attackers to steal credentials or session tokens.
When you go to sign up for that conference, review a document or information published… think twice and verify!
Relevance:
Phishing Campaigns
Mitigations:
User awareness training
Reference
The Hacker News. (2024, March 19). Hackers exploiting popular document publishing sites for phishing attacks. https://thehackernews.com/2024/03/hackers-exploiting-popular-document.html
How can CyberForce|Q services help you address this risk?
Incident Response is a time-based situation and CyberForce|Q can assist with a potential incident in your environment. Our experienced Incident Response Team can be deployed 24x7x365 – reach out to solutions@cyberforceq.com.
Learn more about CyberForce|Q.