July 23, 2024
This email claims that some shipping documents were sent to the recipient via WeTransfer, a popular file sharing service. In reality, the link leads the victim to a malicious website whose objective is harvesting their credentials.
The threat actor claims that the documents will expire on the 24th of July. This is intended to create a sense of urgency so that the recipient clicks on one of the malicious links.
This email impersonates WeTransfer and claims that some files were shared with the recipient. It also states that the files will be deleted on April 29th, which is odd considering today is July 18th. Regardless, this was an attempt to create a sense of urgency to prompt the recipient to open the malicious link.
Upon opening the link, the victim is served a credential harvesting page.
This email claims to be from the IT administrator that manages the victim's email services. The threat actor says that the victim's credentials have expired and that the email server will log them off and create new credentials within the next 24 hours, giving the victim a sense of urgency to click the button "Manter senha atual" ("keep current password") so they can keep their current credentials.
By clicking the button, the victim is taken to a malicious website whose objective is stealing the user's credentials.
| TYPE | IOC |
|---|---|
| URL | hxxps[://]ipfs[.]io/ipfs/QmUa3nCp4R4SqbGBFhGvW6pqoEViwFPtnhaa28EAX9thtv |
| DOMAIN | pub-25902d32074b459eb837a12ad320b79e.r2.dev |
| DOMAIN | 0i00045i0.cc |
| DOMAIN | sudsy-flannel-don.glitch.me |
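The indicators above are published defanged (`hxxps[://]`, `[.]`). The following is an added example, not code from the original post, showing how a defender can refang the table and check links extracted from mail against it; the function names and the sample URLs are constructed for illustration. Note that the URL indicator is matched as a whole, since `ipfs.io` is a shared public gateway and blocking the host alone would be too broad.

```python
import re
from typing import Dict, Optional, Set
from urllib.parse import urlparse

# Indicator table copied from the post above, still in its defanged form.
IOC_TABLE = """\
URL | hxxps[://]ipfs[.]io/ipfs/QmUa3nCp4R4SqbGBFhGvW6pqoEViwFPtnhaa28EAX9thtv |
DOMAIN | pub-25902d32074b459eb837a12ad320b79e.r2.dev |
DOMAIN | 0i00045i0.cc |
DOMAIN | sudsy-flannel-don.glitch.me |
"""


def refang(value: str) -> str:
    """Undo common defanging so the indicator can be compared with real data."""
    value = value.replace("[://]", "://").replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def parse_ioc_table(text: str) -> Dict[str, Set[str]]:
    """Parse 'TYPE | IOC |' rows into {'URL': {...}, 'DOMAIN': {...}} with refanged values."""
    iocs: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2 or not cells[1]:
            continue
        iocs.setdefault(cells[0].upper(), set()).add(refang(cells[1]))
    return iocs


def url_matches(url: str, iocs: Dict[str, Set[str]]) -> Optional[str]:
    """Return the indicator type that matched ('URL' or 'DOMAIN'), or None if clean."""
    # Full-URL indicators are compared exactly: the IPFS gateway host is shared
    # infrastructure, so only this specific content hash is malicious.
    if url in iocs.get("URL", set()):
        return "URL"
    host = (urlparse(url).hostname or "").lower()
    # Domain indicators also cover any subdomain of the listed domain.
    for bad in iocs.get("DOMAIN", set()):
        bad = bad.lower()
        if host == bad or host.endswith("." + bad):
            return "DOMAIN"
    return None


if __name__ == "__main__":
    iocs = parse_ioc_table(IOC_TABLE)
    # Constructed sample link as it might be extracted from a phishing email.
    print(url_matches("https://login.0i00045i0.cc/auth", iocs))  # → DOMAIN
```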
Threat Insights is a weekly series where we present analysis of samples we collect. Follow us on social media for the latest feed and cybersecurity content. Stay informed and stay safe!