By Tej Tulachan, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has detected a recent phishing campaign that imitates legitimate WeTransfer applications by setting up fake websites that appear genuine. This enables threat actors to bypass email security gateways (SEG) to lure users into sharing their credentials. WeTransfer is a file hosting site that allows users easy access to share files. With the popularity of the service, it’s likely users would overlook the threat level within the email. Threat actors have reimaged this site to entice unsuspecting recipients to click on a malicious link that redirects them to the phishing page, resulting in users handing over their credentials.

Let’s take a closer look at the email to spot the red flags.

Figure 1: Email Body

The threat actor has urged the recipient to respond to this email with urgency as shown above in Figure 1, “Pending files will be deleted shortly.” This adds urgency via the timestamps. The button for the user to click to “Get your files” disguises the malicious URL link that redirects to the WeTransfer phishing landing page. To make this more genuine, threat actors listed common document names.

Another interesting point is the authenticity of the email address. The threat actor has gone to the effort of spoofing the email address to assure recipients that the email has arrived from the correct WeTransfer top level domain: “@wetransfer.com”.

Next, we’ll dive deeper into the email addresses in the email header in Figure 2. Spoofing the email address is the most common technique used in phishing campaigns to gain the user’s trust. The Message-ID below states the top-level domain: @boretvstar[.]com which is not related to WeTransfer at all. Furthermore, we noted that @boretvstar[.]com is for sale and, when accessed, leads to an error page: “This site can’t be reached.” This is another red flag. And finally, there is the failed sender policy framework (SPF) checks, indicating it’s not an authentic address of wetransfer.com.

Figure 2: Email Header

It clear to see the lengths taken to make the phishing landing page seem as close to the legitimate “WeTransfer” page as possible. However, on further inspection, we note that the Apple and Google logos are missing from the login buttons, and the URL does not correspond to the legitimate URL.

Phishing URL: hXXps://weetraansfeer[.]freesuport[.]ga/transfer.php?file

Legitimate link: https://auth.wetransfer.com/login?state=

In the final stage of the attack, once the user clicks on the button, they are redirected to the fake WeTransfer page as shown on Figure 3. The user is prompted to enter their credentials to download the shared file. The phishing landing page is prepopulated with the user’s email address within the login field. After entering the password, the user is shown a failed login attempt, which is a common tactic used by threat actors. Moreover, there is also another option to authenticate users via different online platforms (Apple, Google or Slack). This is another common tactic threat actors use to harvest multiple credentials.