When Sharing Isn’t Caring: Phishing Attacks Are Abusing File-Sharing Sites
Cofense™ has predicted continued growth in phishing attacks that abuse file-sharing services, for example, Google Docs or Sharepoint. In this post, I’ll examine why and how threat actors are doubling down on this tactic.
First, here’s the full prediction from Cofense threat analysts Nick Guarino and Lucas Ashbaugh:
“The majority of phish seen in the wild in 2019 will live in historically ‘trusted’ sharing services like Google Docs, Sharepoint, WeTransfer, Dropbox, Citrix ShareFile, and Egnyte. It’s difficult for these services to keep up with the constant barrage of varied phishing tactics (Whack-A-Phish, anyone?). In fact, the service providers can be really slow about staying on top of this stuff. Traditional security tools (firewalls, anti-virus) have no insight into the files housed on these services. As a result, it is incredibly difficult to protect users against these phish hiding in plain sight.”
Why is file-sharing a target? Because users trust these services.
In a recent post on credential phishing threats, we referenced the cloud as an attack surface. One of the emotional triggers that a threat attacker will pull is trust. When users get an email pointing them to, say, Dropbox, there’s a greater likelihood they will engage with the message. These services have become trusted brands, so it’s only natural for a threat actor to leverage them.
It’s difficult for email gateway controls to block messages that link to these cloud-based services. Because the file is hosted outside the organization’s perimeter, traditional security solutions such as firewalls or anti-virus don’t have visibility. Threat actors are well aware of this fact, which is why they’ve been so successful with these types of campaigns.
User interaction is related to the business process.
We often see threat actors use generic messages as shown in the example below. In it, you won’t find any brands that would make the user more likely to interact with the message. The likelihood of user interaction is related to the business process presented—easily shared files.
This particular organization has URL defense protections enabled. It has also added tags to the message to alert the user that it is potentially harmful, since it originated outside the organization. These additional defenses can be helpful, but they make it difficult for the user to assess if the URL is legitimate.
One thing you can do: focus your phishing defense program on current threats, like attacks that abuse file-sharing. Teach users to identify phishing emails that link to file-sharing sites and condition them to ask questions before replying, for example:
- “Am I expecting to receive an invoice from the sender?”
- “Does my job normally require me to process invoices from unknown sources?”
- If yes, “Does our business process require the finance teams to validate that an invoice or purchase order is expected or legitimate?” This might be possible in a smaller organization where teams interact with each other more frequently, however, it’s most likely not the case in larger, more diverse organizations.
To repeat, as long as these types of attacks are successful, we will continue to see them near the top of the phishing charts.
View all 6 Cofense phishing predictions for 2019.
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.