cerrar
cerrar
Su red del mañana
Su red del mañana
Planifique su camino hacia una red más rápida, más segura y más resistente diseñada para las aplicaciones y los usuarios a los que da soporte.
          Descubra Netskope
          Get Hands-on With the Netskope Platform
          Here's your chance to experience the Netskope One single-cloud platform first-hand. Sign up for self-paced, hands-on labs, join us for monthly live product demos, take a free test drive of Netskope Private Access, or join us for a live, instructor-led workshops.
            Líder en SSE. Ahora es líder en SASE de un solo proveedor.
            Líder en SSE. Ahora es líder en SASE de un solo proveedor.
            Netskope debuta como Líder en el Cuadrante Mágico™ de Gartner® para Single-Vendor SASE
              Protección de la IA generativa para principiantes
              Protección de la IA generativa para principiantes
              Learn how your organization can balance the innovative potential of generative AI with robust data security practices.
                Modern data loss prevention (DLP) for Dummies eBook
                Prevención moderna de pérdida de datos (DLP) para Dummies
                Get tips and tricks for transitioning to a cloud-delivered DLP.
                  Libro SD-WAN moderno para principiantes de SASE
                  Modern SD-WAN for SASE Dummies
                  Deje de ponerse al día con su arquitectura de red
                    Entendiendo dónde está el riesgo
                    Advanced Analytics transforms the way security operations teams apply data-driven insights to implement better policies. With Advanced Analytics, you can identify trends, zero in on areas of concern and use the data to take action.
                        Los 6 casos de uso más convincentes para el reemplazo completo de VPN heredada
                        Los 6 casos de uso más convincentes para el reemplazo completo de VPN heredada
                        Netskope One Private Access is the only solution that allows you to retire your VPN for good.
                          Colgate-Palmolive Salvaguarda su "Propiedad Intelectual" con Protección de Datos Inteligente y Adaptable
                          Colgate-Palmolive Salvaguarda su "Propiedad Intelectual" con Protección de Datos Inteligente y Adaptable
                            Netskope GovCloud
                            Netskope logra la alta autorización FedRAMP
                            Elija Netskope GovCloud para acelerar la transformación de su agencia.
                              Let's Do Great Things Together
                              La estrategia de venta centrada en el partner de Netskope permite a nuestros canales maximizar su expansión y rentabilidad y, al mismo tiempo, transformar la seguridad de su empresa.
                                Soluciones Netskope
                                Netskope Cloud Exchange
                                Netskope Cloud Exchange (CE) provides customers with powerful integration tools to leverage investments across their security posture.
                                  Soporte técnico Netskope
                                  Soporte técnico Netskope
                                  Nuestros ingenieros de soporte cualificados ubicados en todo el mundo y con distintos ámbitos de conocimiento sobre seguridad en la nube, redes, virtualización, entrega de contenidos y desarrollo de software, garantizan una asistencia técnica de calidad en todo momento
                                    Vídeo de Netskope
                                    Netskope Training
                                    La formación de Netskope le ayudará a convertirse en un experto en seguridad en la nube. Estamos aquí para ayudarle a proteger su proceso de transformación digital y aprovechar al máximo sus aplicaciones cloud, web y privadas.

                                      Amazon-themed PDF Phishing, Abusing LinkedIn and Twitter, Targets Microsoft Live Outlook Users

                                      Oct 26 2023

                                      Summary

                                      In August 2023, Netskope Threat Labs highlighted an increase in downloads of PDF phishing attachments in Microsoft Live Outlook, caused by a series of phishing campaigns targeting users of the email service. We took a closer look and found that these campaigns are mostly Amazon-themed scams with a few Apple and IRS-themed phishing attempts sprinkled throughout. Just like in our previously reported phishing blog posts, attackers are abusing free services in these campaigns. In this campaign, they abuse conversion trackers and redirectors to evade detection. Additionally these campaigns specifically targeted personal Microsoft Live Outlook accounts in North America, Southern Europe, and Asia. Let’s take a closer look at the details of these campaigns:

                                      Amazon-themed phishing campaign

                                      Netskope Threat Labs recently analyzed the cause of an increase in malware downloads from Microsoft Live Outlook and found that a major contributor was a variety of Amazon-themed phishing PDF attachments. The sender purports to be a member of the Amazon support team notifying recipients that their account has been suspended due to incorrect billing information. In order to supposedly rectify the situation, the users need to update their billing information by clicking the hyperlink. The attacker is abusing different redirectors with URL shorteners to hide the actual malicious URL and evade detection.

                                      Some of the phishing links used in these campaigns lead to a compromised website that mimics PayPal’s page, where they ask users to fill up personal information and credit card details.

                                      In some of the other scam campaigns we analyzed, even though the PDF attachment is requesting their targets to re-enter their Amazon billing information, some of the links redirect to other sites unrelated to Amazon, like login pages for Ionos and Netflix.

                                      A small subset of phishing PDF attachments we analyzed purport to be from Apple and used similar social engineering tactics and the same redirector domains and URL shorteners. Another phishing campaign uses an IRS-themed scam, claiming that the recipient has a tax refund that can be collected when they click the link. These campaigns also used social media redirectors, like Linkedin Smart Links and Twitter, as well as free ecommerce marketing email services to evade detection. Let’s dig a bit deeper into how attackers used these redirectors:

                                      LinkedIn Smart Links and Twitter used as redirectors

                                      The attackers on these phishing campaigns are abusing social media platforms LinkedIn and Twitter as redirectors to the phishing websites. Attackers abuse LinkedIn Smart Links, which is a feature to package and share files and websites to prospects and customers. However they were abused to redirect targets to phishing websites. Using both LinkedIn Smart Links and Twitter as redirectors can help bypass email scanners and can also provide insights about the users who click on the malicious links, which might be useful to them in their future phishing campaigns.

                                      QR Code Generator Used As a URL Shortener

                                      Another redirector service these phishing campaigns use is QR Code Generator PRO. This is a free online tool that allows users to generate QR codes to open different resources. For these campaigns, attackers only abuse the URL shortening feature, not the QR code itself. To shorten a URL using this tool, you have to create a website QR code type and input the malicious website as the resource. Once the QR code is created, instead of sharing the code, you can instead share the generated shortened URL.

                                      Abusing free ecommerce marketing email services

                                      These phishing campaigns abused e-commerce platforms’ click tracking domains to serve the redirectors that lead to the phishing sites. From the samples collected by Netskope Threat Labs, Klavio and Privy were the most commonly abused platforms. Both platforms provide free trial usage, which makes it lucrative to attackers, who often take advantage of free services. We suspect that attackers also leverage the visibility these platforms provide, using the insights to improve targeting.

                                      Conclusions

                                      These PDF phishing campaigns are targeting personal Microsoft Live Outlook accounts and are using the common social engineering technique of creating an urgent call to action. They abuse legitimate redirector domains and URL shorteners like Twitter, LinkedIn, and QR Code Generator PRO to evade detection. Phishing attacks like this can be avoided by never entering sensitive information (like passwords or banking details) after clicking on a link. Instead, you should always browse directly to the sites in question. For example, if you believe there is a billing issue with your Amazon account, login directly to amazon.com to verify.  Netskope Threat Labs will continue to track and respond to this set of phishing campaigns.

                                      Recommendations

                                      Netskope Threat Labs recommends that organizations review their security policies to ensure that they are adequately protected against these and similar phishing pages and scams:

                                      • Inspect all HTTP and HTTPS traffic, including all web and cloud traffic, to prevent users from visiting malicious websites. Netskope customers can configure their Netskope NG-SWG with a URL filtering policy to block known phishing and scam sites, and a threat protection policy to inspect all web content to identify unknown phishing and scam sites using a combination of signatures, threat intelligence, and machine learning.
                                      • Use Remote Browser Isolation (RBI) technology to provide additional protection when there is a need to visit websites that fall in categories that can present higher risk, like Newly Observed and Newly Registered Domains.

                                      IOCs

                                      All the URLs  related to these campaigns can be found in our GitHub repository.

                                      author image
                                      Jan Michael Alcantara
                                      Jan Michael Alcantara is an experienced incident responder with a background on forensics, threat hunting, and incident analysis.
                                      Jan Michael Alcantara is an experienced incident responder with a background on forensics, threat hunting, and incident analysis.

                                      ¡Mantente informado!

                                      Suscríbase para recibir lo último del blog de Netskope