There is a new phishing campaign circulating in Spain that is very realistic. Marcos Besteiro, executive director at ACEDIS Formacion, warned on Twitter that he had received an email saying that he “has received 3 files”, albeit in English. The sender of the message appears to be WeTransfer, and the mail, which is actually a trap, really does look as if it had been sent through WeTransfer.

Today, an elaborate scam/phishing/data theft attempt. We received this email: pic.twitter.com/dY7j9J6gOh – Marcos Besteiro 👧🏻👶🏻 (@MarcosBL) April 8, 2022

The email mentions the recipient’s email address in the body, to make it more convincing. The manager says that his colleagues are experts, that they told him they neither expected nor had recently sent anything, and that when you hover the mouse over the link, the URL is not that of https://wetransfer.com. Thanks to that, they didn’t fall into the trap.

How it manages to steal credentials

Investigating, hovering over the link revealed that it points to https://ipfs.io/ipfs/QmRQpbWjL8pHbQenKmoB8yzYpLeaoMyMS4gvaZKMPAbRD5?filename=flx.html#[email protected]. The malicious script collects that email address from the URL, to know where the click comes from, strips the user part and keeps the domain.

The script opens an iframe with that domain in full screen, so it looks as if you are on your own company’s website. On top of that frame it positions a login window of its own, so that if you click, thinking you have to log in to your own site, it captures your username and password, as reported by the director.

Another test was also carried out: if we change the email address in the URL to [email protected], we see that it does the same with that telephone company’s website, as you can see in this image:
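To make the indicators described above concrete, here is an added Python example (not code from the original article, from the reporter, or from WeTransfer) that inspects a lure’s sender address and the link revealed on hover. It flags a link whose domain is not wetransfer.com, an /ipfs/<CID> public-gateway path, and an email address carried in the URL fragment, and it extracts the targeted domain from that fragment in the same way the article says the malicious script does, so an analyst can tell which organisation a given lure was aimed at. The sample addresses at example.com and example.org, the function names and the indicator labels are constructed for this example; the gateway URL is the one quoted in the article.

```python
import re
from urllib.parse import unquote, urlparse

# Domains from which WeTransfer really sends transfer notifications (assumption
# for this example: only the brand's own apex domain and its subdomains).
LEGIT_DOMAINS = {"wetransfer.com"}

# Public IPFS gateway paths look like /ipfs/<content id>.
IPFS_PATH = re.compile(r"^/ipfs/[A-Za-z0-9]+")

# Good-enough email pattern for spotting an address smuggled into a URL fragment.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_legit_host(host: str) -> bool:
    """True when host is a legitimate WeTransfer host (apex or subdomain)."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def targeted_domain_from_link(href: str):
    """Return the domain of the email address carried in the link's fragment.

    The article describes the lure's script taking the address after '#',
    dropping the user part and keeping the domain, which it then frames.
    Re-doing that step in analysis tells us who the lure was aimed at.
    """
    fragment = unquote(urlparse(href).fragment)
    match = EMAIL_RE.search(fragment)
    if not match:
        return None
    return match.group(0).rsplit("@", 1)[1].lower()


def analyse_lure(sender: str, href: str) -> dict:
    """Collect phishing indicators for one 'you have received files' email."""
    indicators = []

    # 1. Sender domain: the first-reported campaign used a domain unrelated
    #    to WeTransfer, so compare the address after '@' with the brand's domains.
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if not is_legit_host(sender_domain):
        indicators.append("sender_domain_mismatch")

    # 2. Hover target: the link must land on wetransfer.com, not elsewhere.
    parsed = urlparse(href)
    link_host = (parsed.hostname or "").lower()
    if not is_legit_host(link_host):
        indicators.append("link_domain_mismatch")

    # 3. Hosting on a public IPFS gateway (/ipfs/<CID>), as in this campaign.
    if IPFS_PATH.match(parsed.path):
        indicators.append("ipfs_gateway_hosting")

    # 4. A victim email address riding in the fragment, which the page's
    #    script uses to decide which company website to frame.
    targeted = targeted_domain_from_link(href)
    if targeted is not None:
        indicators.append("email_in_fragment")

    return {
        "sender_domain": sender_domain,
        "link_host": link_host,
        "targeted_domain": targeted,
        "indicators": indicators,
    }


if __name__ == "__main__":
    # Constructed sample: the article's gateway link with a made-up recipient.
    lure = ("https://ipfs.io/ipfs/QmRQpbWjL8pHbQenKmoB8yzYpLeaoMyMS4gvaZKMPAbRD5"
            "?filename=flx.html#someone@example.com")
    print(analyse_lure("noreply@wetransfer.com", lure))
    # Changing the address in the fragment changes the framed domain, as the
    # article's second test showed.
    print(targeted_domain_from_link(lure.replace("example.com", "example.org")))
```

The sender check alone is not enough here: the article notes that this mail genuinely looked as if it had been sent through WeTransfer, so the decisive indicators in a mail-filter rule or an analyst’s triage are the hover target (a gateway host with an /ipfs/ path) and the address in the fragment, not the From header.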

With those credentials, attackers could go on to steal more information, data and money from you. The malicious script is hosted at http://ipfs.io; IPFS is a peer-to-peer web system for sharing content in which each participant is a network node.

It is not the first time this has happened

Last year we already reported a phishing case that first pretended to be WeTransfer and then Microsoft. The objective of that equally elaborate attack was to steal the Office 365 access credentials of potential victims.

A theft that, if it succeeds, would give attackers access to emails, documents, spreadsheets, presentations, notes, conversations and a long etcetera, depending on the tools used by the affected company.

The detected attack started with an email impersonating WeTransfer that warned of the supposed receipt of some files. The message was similar to those sent by the platform, and if not too much attention was paid to details such as the sender’s email address, whose domain had nothing to do with WeTransfer, it could pass as genuine, just like the attack discovered today.