By Jake Longden, Cofense Phishing Defense Center
Abusing legitimate services in phishing attacks is nothing new. The tactic helps the threat actor evade secure email gateways (SEGs): the link in the email points to what appears to be a legitimate, safe page, which then redirects the recipient to the malicious landing page.
The Cofense Phishing Defense Center (PDC) has observed multiple phishing campaigns abusing Linktree, a social media landing page service, to host the redirect link to the phishing page. Linktree was designed to give a user a single landing page holding multiple links, in effect an online business card for social media.
The features offered by Linktree make this a highly customizable tactic, as the page can be modified to suit whomever the threat actor is impersonating.
Figure 1: Email Body
In this case, for authenticity, the threat actor has created a professional-looking email that references an invoice due to be paid. Combined with the subject line, “We processed your copy today!”, the user can be deceived into believing this is a legitimate, newly processed invoice.
When the recipient opens the email, they see an image embedded at the top of the message body that impersonates an attached PDF file to download; the malicious URL is attached to this image. Underneath is a message asking the recipient to see the attached invoice for “Processing and Payment.” The threat actor has also provided an email address ([email protected]) to be copied into replies if the user has questions about the invoice. This adds a level of authenticity, as it is common for accounts payable teams to use a group account for processing documents.
Figure 2: Linktree Page
The email address provided has a “mailto” URI linked to it, making it easier to begin emailing the threat actor(s) if the user chooses to. Once the user clicks the link in the email, they are sent to a Linktree page that the threat actor has named “SafeDocuments” to lower suspicion. Here, the threat actor has again placed a PDF logo at the top of the page, with associated details about the file to download or view. When the recipient clicks the “Download / View PDF” link, they are directed to a login flow, shown in Figures 3 and 4, consisting of two realistic cloned Microsoft pages. On the first (Figure 3), they are asked to verify their email address to receive the “Scanned Doc(s) iCloud.pdf”; on the second (Figure 4), they are asked for their password on a cloned Office365 login page.
Figure 3: Verification Page
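A defender-side illustration of the lure traits described above (an image posing as an attachment whose link leads to a link-hosting service, plus a mailto: address to copy into replies), as a small scanner over an HTML mail body. This is an added example, not Cofense's code or tooling; the sample body, the linktr.ee path and the address are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
LINK_HOSTS = {"linktr.ee"}  # link-hosting services seen abused as redirectors

class LureScanner(HTMLParser):
    """Record the lure traits described above while parsing an HTML body."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._href = None      # href of the <a> currently open, if any
        self._only_img = True  # anchor content so far is nothing but <img>
        self._img_count = 0
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._only_img, self._img_count = True, 0
            if self._href.lower().startswith("mailto:"):
                self.findings.append(("mailto_link", self._href))
            elif (urlparse(self._href).hostname or "") in LINK_HOSTS:
                self.findings.append(("link_service_redirect", self._href))
        elif self._href is not None:
            if tag == "img":
                self._img_count += 1
            else:
                self._only_img = False
    def handle_data(self, data):
        if self._href is not None and data.strip():
            self._only_img = False  # visible text, so not an image-only link
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            if self._only_img and self._img_count:
                self.findings.append(("image_as_attachment", self._href))
            self._href = None

def scan_email_html(html):
    """Return [(trait, href), ...] for every lure trait found in the body."""
    s = LureScanner()
    s.feed(html)
    s.close()
    return s.findings

def is_linktree_lure(html):
    """True when an image-only link (fake attachment) leads to a link service."""
    f = scan_email_html(html)
    redirect = {h for t, h in f if t == "link_service_redirect"}
    return any(t == "image_as_attachment" and h in redirect for t, h in f)

# Constructed sample body (placeholder URL and address), not the campaign's own.
SAMPLE = ('<a href="https://linktr.ee/placeholder-page"><img src="cid:pdf.png" alt="Invoice.pdf"></a>'
          '<p>See the attached invoice for Processing and Payment. Questions? Copy '
          '<a href="mailto:ap@example.invalid">ap@example.invalid</a> into your reply.</p>')
```

Feeding a real message through `scan_email_html` yields the individual traits, so a mailto link alone does not trigger `is_linktree_lure`; only the fake-attachment image that links to the link-hosting service does.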