Cofense Email Security

Linktree Abused to Send Phishing Links

By Jake Longden, Cofense Phishing Defense Center

Abusing legitimate services in phishing attacks is nothing new. The tactic helps the threat actor evade secure email gateways (SEGs): the URL in the email points to a reputable, legitimately hosted page, so it looks safe to URL reputation checks, and that page then redirects the recipient to the malicious landing page.

The Cofense Phishing Defense Center (PDC) has observed multiple phishing campaigns abusing Linktree, a link-in-bio landing-page service, to host the redirect link to the phishing page. Linktree was designed to provide a single landing page for the many links associated with a user, an online business card for social media.

The features offered by Linktree make this a highly customizable tactic as the page can be modified to suit the needs of the threat actor for whomever they’re impersonating.

Email Body


Figure 1: Email Body

In this case, for authenticity, the threat actor has created a professional looking email that references an invoice that’s due to be paid. Combined with the subject line, “We processed your copy today!”, the user can be deceived into believing this is a legitimate and newly processed invoice.

When the recipient opens the email, they see an image embedded at the top of the message body, styled to look like an attached PDF file, with the malicious URL hyperlinked to the image. Underneath is a message asking the recipient to see the attached invoice for “Processing and Payment.” The threat actor has also provided an email address ([email protected]) to be copied on any replies if the user has questions about the invoice. This adds a level of authenticity, as it is common for accounts payable teams to use a group mailbox for processing documents.
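The lure described above has two machine-checkable traits: an image dressed up as an attachment that is actually a hyperlink, and a link target on a link-hosting service. The script below, an added example and not Cofense code, parses a constructed .eml modelled on this message, finds anchors that wrap an image, and flags those whose host is a link-hosting service; it also pulls out any mailto: addresses offered for replies. The sample message, the .invalid addresses and the LINK_HOSTING_DOMAINS list are constructed assumptions.

```python
"""Flag e-mails that link an image disguised as an attachment to a
link-hosting service (the Linktree lure). Added example, not Cofense code.
The sample message, addresses and host list below are constructed."""
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from urllib.parse import urlparse

# Link-aggregator services that deserve a second look when the link is
# dressed up as a document. Assumption: extend for your own environment.
LINK_HOSTING_DOMAINS = {"linktr.ee"}

# Constructed sample modelled on the e-mail described in the post.
SAMPLE_EML = """\
From: invoices@example-supplier.invalid
To: ap@example-victim.invalid
Subject: We processed your copy today!
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="https://linktr.ee/safedocuments"><img src="cid:pdf.png" alt="Invoice.pdf"></a>
<p>Please see the attached invoice for Processing and Payment.</p>
<p>Questions? Copy <a href="mailto:ap-team@example-supplier.invalid">ap-team@example-supplier.invalid</a>.</p>
</body></html>
"""


class LinkImageScanner(HTMLParser):
    """Collect every <a href>, remembering whether it wrapped an <img>."""

    def __init__(self):
        super().__init__()
        self.links = []          # list of (href, wraps_image)
        self._open_href = None
        self._saw_img = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._open_href = a["href"]
            self._saw_img = False
        elif tag == "img" and self._open_href is not None:
            self._saw_img = True     # an image is the clickable element

    def handle_endtag(self, tag):
        if tag == "a" and self._open_href is not None:
            self.links.append((self._open_href, self._saw_img))
            self._open_href = None


def html_body(msg: Message) -> str:
    """Return the decoded text/html part of a message, or '' if none."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True)
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def scan_email(raw: str) -> dict:
    """Return image-backed links to link-hosting services plus any mailto
    addresses, the two ingredients of the lure described in the post."""
    msg = message_from_string(raw)
    parser = LinkImageScanner()
    parser.feed(html_body(msg))
    parser.close()
    suspicious, mailtos = [], []
    for href, wraps_image in parser.links:
        u = urlparse(href)
        if u.scheme == "mailto":
            mailtos.append(u.path)
        elif wraps_image and u.hostname in LINK_HOSTING_DOMAINS:
            suspicious.append(href)
    return {"subject": msg["Subject"], "image_links": suspicious, "mailto": mailtos}


if __name__ == "__main__":
    print(scan_email(SAMPLE_EML))
```

A plain text link to linktr.ee is not flagged; only the combination of an image as the clickable element and a link-hosting destination is, which keeps the check quiet on ordinary newsletters while catching the fake-attachment pattern.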

Phishing Page


Figure 2: Linktree Page

The email address provided is linked with a “mailto” URI, making it easier to begin emailing the threat actor(s) if the user chooses to. Once the user has clicked the link in the email, they are sent to a Linktree page the threat actor has named “SafeDocuments” to lower suspicion. Here, the threat actor has again placed a PDF logo at the top of the page, with associated details about the file to download or view. When the recipient clicks the “Download / View PDF” link, they are directed to log in, as shown in Figures 3 and 4: two realistic cloned Microsoft pages. On the first (Figure 3), they are asked to verify their email address to receive “Scanned Doc(s) iCloud.pdf”; on the second (Figure 4), they are asked for their password on a cloned Office 365 login page.

Figure 3: Verification Page


Figure 4: Phishing Page

The customizability of the Linktree pages allows this attack to be modified easily by the threat actor to suit whatever purpose they may have. The Cofense PDC has observed similar campaigns spoofing major brands such as PayPal and the United States Postal Service using the Linktree platform. The ability to change background images makes it simple to impersonate almost any brand.

Well-conditioned users are better positioned to recognize these campaigns as suspicious. They can then immediately report them to their security operations teams using Cofense Triage and Vision solutions. These tools allow security teams to efficiently mitigate risks such as these to prevent a potentially disastrous phishing incident. To learn more about these and other phishing-defense solutions, contact us at any time.


Figure 5: USPS LinkTree Page

Network IOC                                                                                        IP
hXXps://linktr[.]ee/safedocuments                                                                  151.101.2.133, 151.101.66.133, 151.101.130.133, 151.101.194.133
hXXps://intradrugslynwood[.]com/4av/new/s/?                                                        162.214.127.16
hXXps://linktr[.]ee/package_error                                                                  151.101.66.133, 151.101.130.133, 151.101.194.133, 151.101.2.133
hXXps://redelivery-usposts-review[.]com/confirmation-US4564AP5004AZP546/required/re/redelivery/    162.0.235.152

Note that the 151.101.x.133 addresses are where linktr.ee itself resolves (the same set appears against both Linktree paths), so they identify the shared Linktree platform rather than attacker-controlled infrastructure. Block or alert on the full linktr.ee paths, and reserve domain and IP blocking for the attacker-registered domains.
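Turning the IOCs above into a detection needs two things: undoing the defanging (hXXps, [.]) and deciding what to match on. The linktr.ee entries share the service's own addresses, so only the full path is a useful indicator there, while the attacker-registered domains can be matched by host alone. The script below is an added example, not Cofense tooling; the squid-style proxy log lines are constructed, and SHARED_SERVICE_HOSTS is an assumption you would extend for other link-hosting services.

```python
"""Refang the IOCs published in the post and match them against proxy logs.
Added example, not Cofense tooling. Log lines below are constructed."""
import re
from urllib.parse import urlparse

# IOCs as published (defanged). The USPS URL is joined back into one path.
DEFANGED_IOCS = [
    "hXXps://linktr[.]ee/safedocuments",
    "hXXps://linktr[.]ee/package_error",
    "hXXps://intradrugslynwood[.]com/4av/new/s/?",
    "hXXps://redelivery-usposts-review[.]com/confirmation-US4564AP5004AZP546/required/re/redelivery/",
]

# Legitimate shared services: match host AND path, never the host alone.
# Assumption: extend with other link-hosting platforms you see abused.
SHARED_SERVICE_HOSTS = {"linktr.ee"}


def refang(ioc: str) -> str:
    """Undo common defanging conventions: hXXp -> http, [.] -> ., [:] -> :."""
    s = re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("[:]", ":").replace("(.)", ".")


def build_matchers(iocs):
    """Split IOCs into host-only matchers and (host, path) matchers."""
    hosts, paths = set(), set()
    for ioc in iocs:
        u = urlparse(refang(ioc))
        host = u.hostname.lower()
        if host in SHARED_SERVICE_HOSTS:
            paths.add((host, u.path.rstrip("/").lower()))
        else:
            hosts.add(host)
    return hosts, paths


# Constructed squid access.log lines; field 7 (index 6) is the URL.
SAMPLE_LOG = """\
1700000001.123 45 10.0.0.5 TCP_TUNNEL/200 1234 CONNECT linktr.ee:443 - HIER_DIRECT/151.101.2.133 -
1700000002.456 88 10.0.0.5 TCP_MISS/200 5120 GET https://linktr.ee/safedocuments - HIER_DIRECT/151.101.2.133 text/html
1700000003.789 30 10.0.0.6 TCP_MISS/200 880 GET https://linktr.ee/somecreator - HIER_DIRECT/151.101.66.133 text/html
1700000004.000 60 10.0.0.5 TCP_MISS/200 2048 GET https://intradrugslynwood.com/4av/new/s/?e=victim - HIER_DIRECT/162.214.127.16 text/html
1700000005.000 12 10.0.0.7 TCP_MISS/200 3000 GET https://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
"""


def match_log(log_text: str, iocs=DEFANGED_IOCS):
    """Return (line_no, url, reason) for each log line that hits an IOC."""
    hosts, paths = build_matchers(iocs)
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 7:
            continue
        url = fields[6]
        if "://" not in url:            # CONNECT tunnels log only host:port
            url = "https://" + url
        u = urlparse(url)
        host = (u.hostname or "").lower()
        path = u.path.rstrip("/").lower()
        if host in hosts:
            hits.append((n, fields[6], f"attacker host {host}"))
        elif (host, path) in paths:
            hits.append((n, fields[6], f"shared service path {host}{path}"))
    return hits


if __name__ == "__main__":
    for hit in match_log(SAMPLE_LOG):
        print(hit)
```

Only the /safedocuments request and the attacker domain are reported; the unrelated Linktree creator page and the CONNECT to linktr.ee:443 are not, which is the behaviour you want given that every Linktree page shares those 151.101.x.133 addresses.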
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.