By Jake Longden, Cofense Phishing Defense Center
Abusing legitimate services for use in phishing attacks is nothing new. It’s a tactic that helps the threat actor evade secure email gateways (SEGs) by presenting what appears to be a legitimate and safe page, which then redirects the recipient to the malicious landing page.
The Cofense Phishing Defense Center (PDC) has observed multiple phishing campaigns abusing the Linktree social media reference landing page to host the redirect link to the phishing page. Linktree was designed to provide a landing page for multiple links associated with the user, an online business card for social media.
The features offered by Linktree make this a highly customizable tactic as the page can be modified to suit the needs of the threat actor for whomever they’re impersonating.
Email Body
Figure 1: Email Body
In this case, for authenticity, the threat actor has created a professional-looking email that references an invoice due to be paid. Combined with the subject line, “We processed your copy today!”, the user can be deceived into believing this is a legitimate, newly processed invoice.
When the recipient opens the email, they see an image embedded at the top of the message body that impersonates an attached PDF file to download; the malicious URL is hyperlinked to that image. Underneath is the message requesting that the recipient see the attached invoice for “Processing and Payment.” The threat actor has also provided an email address ([email protected]) to be copied into replies if the user has questions regarding the invoice. This tactic adds a level of authenticity, as it’s common for accounts payable teams to use a group account for processing documents.
Phishing Page
Figure 2: Linktree Page
The email address provided has a “mailto” URI linked to it, making it easier for the user to begin emailing the threat actor(s) if they choose to. Once the user has clicked the link in the email, they are sent to the Linktree page, which the threat actor has named “SafeDocuments” to lower user suspicion. Here, the threat actor has again included a PDF logo at the top of the page, with associated data about the file to download or view. When the recipient clicks the “Download / View PDF” file link, they are next directed to log in, as shown in Figures 3 and 4. In Figure 3, the recipient is presented with the first of two realistic cloned Microsoft pages: they’re asked to verify their email address to receive the “Scanned Doc(s) iCloud.pdf”, then (Figure 4) they’re asked for their password on the Office365 login page.
Figure 3: Verification Page
Figure 4: Phishing Page
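As an added example that is not part of this Cofense write-up, the following Python triage check looks for the two lure features described above: an image posing as an attachment that is hyperlinked to a link-aggregator host, plus a supplied mailto reply address. The aggregator host list, the keyword list and the sample email body are constructed assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of link-aggregator hosts seen hosting redirects (constructed; extend from your own telemetry)
LINK_AGGREGATOR_HOSTS = {"linktr.ee"}
# Assumed words that suggest an image is impersonating a document attachment
ATTACHMENT_WORDS = re.compile(r"\b(pdf|invoice|doc|scan)", re.I)


class ImageLinkScanner(HTMLParser):
    """Collects <a href> links that wrap an <img> (a lure image posing as an
    attachment) and mailto: links, so the pairing described above can be scored."""

    def __init__(self):
        super().__init__()
        self._current_href = None
        self.image_links = []   # (href, image alt + src) for anchors containing an <img>
        self.mailto = []        # addresses offered as reply targets

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a":
            href = a.get("href", "")
            self._current_href = href
            if href.lower().startswith("mailto:"):
                self.mailto.append(href[len("mailto:"):])
        elif tag == "img" and self._current_href:
            self.image_links.append((self._current_href, a.get("alt", "") + " " + a.get("src", "")))

    def handle_endtag(self, tag):
        if tag == "a":
            self._current_href = None


def score_email(html):
    """Return (score, reasons) for an HTML body; each matched lure feature adds one point."""
    parser = ImageLinkScanner()
    parser.feed(html)
    reasons = []
    for href, image_desc in parser.image_links:
        host = (urlparse(href).hostname or "").lower()
        if host in LINK_AGGREGATOR_HOSTS:
            reasons.append(f"image-wrapped link to link aggregator {host}")
        if ATTACHMENT_WORDS.search(image_desc):
            reasons.append("image posing as a document attachment")
    if parser.mailto:
        reasons.append(f"mailto reply address supplied: {parser.mailto[0]}")
    return len(reasons), reasons


# Constructed sample modelled on the lure described above (not the real email)
SAMPLE = """<html><body>
<a href="https://linktr.ee/example-page"><img src="cid:pdf_icon" alt="Invoice.pdf"></a>
<p>Please see the attached invoice for Processing and Payment.</p>
<p>Questions? Copy <a href="mailto:ap-team@example.com">ap-team@example.com</a>.</p>
</body></html>"""
```

A score of 2 or more on the constructed sample flags the message for analyst review; a newsletter whose logo links to its own domain scores 0.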
The customizability of the Linktree pages allows this attack to be modified easily by the threat actor to suit whatever purpose they may have. The Cofense PDC has observed similar campaigns spoofing major brands such as PayPal and the United States Postal Service using the Linktree platform. The ability to change background images makes it simple to impersonate almost any brand.
Figure 5: USPS LinkTree Page
Well-conditioned users are better positioned to recognize these campaigns as suspicious. They can then immediately report them to their security operations teams using Cofense Triage and Vision solutions. These tools allow security teams to efficiently mitigate risks such as these to prevent a potentially disastrous phishing incident. To learn more about these and other phishing-defense solutions, contact us at any time.
Network IOC | IP |
hXXps://linktr[.]ee/safedocuments | 151.101.2.133, 151.101.66.133, 151.101.130.133, 151.101.194.133 |
hXXps://intradrugslynwood[.]com/4av/new/s/? | 162.214.127.16 |
hXXps://linktr[.]ee/package_error | 151.101.66.133, 151.101.130.133, 151.101.194.133, 151.101.2.133 |
hXXps://redelivery-usposts-review[.]com/confirmation-US456 4AP5004AZP546/required/re/redelivery/ | 162.0.235.152 |