Researchers Warn About New WeTransfer Phishing Campaign With Spoofed Email Address

Researchers Warn About New WeTransfer Phishing Campaign With Spoofed Email Address

In a new phishing campaign that pretends to be from WeTransfer, attackers claim that someone shared two files with the recipient. It then asks for credentials to access the files, cybersecurity company Armorblox reports.

A new report by Armorblox reveals that cybercriminals are spoofing the WeTransfer file hosting system to launch credential phishing attacks.

The attacks usually involve sending emails that lead to a phishing page that features a Microsoft Excel branding.

The attackers’ aim is to steal the victims’ Office 365 email credentials, researchers said.

The email that appears to be from WeTransfer is very similar to the one sent by the company. It has the same title and email address. The spoofed email address is particularly deceptive, as it uses a legitimate WeTransfer domain.  The email body also makes references to the well-known organization to appear legitimate.

After clicking on the link, the victim is taken to a website that appears to be from Microsoft and leading to an Excel document. This page shows a blurred-out spreadsheet and a form that requires the victim to enter their email address in order to gain access to the file. The victim’s email address is pre-filled-in to add extra legitimacy to the whole process.

For sending emails, the attackers use the email domain valueserver.jp, which is based in Japan. This same domain was used in phishing attacks last year, as was reported by Infosec analyst Laur Telliskivi.

Operators of the current campaign used various techniques to get around email security scans. These include social engineering and recognizable branding, spoofing, and fake content to create an air of legitimacy.

This campaign’s brand impersonation technique seems to achieve its goals thanks to the email’s HTML styling being similar to WeTransfer and the phishing page designed to appear as Microsoft Excel’s legitimate login page. However, there was one thing that made it appear fishy — the word “Microsoft” was spelled as “MicroSoft.”

This is a reminder that online users should be attentive to minor inconsistencies in the emails, like a strange address, name, or domain name, the language used within the email body, etc.

Experts advise implementing multi-factor authentication (MFA) on all personal and business accounts.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.

Share: