Threat actors are exploiting digital document publishing (DDP) sites hosted on platforms such as FlipSnack, Issuu, Marq, Publuu, RelayTo, and Simplebooklet to perform phishing, credential harvesting, and session token theft, once again highlighting how threat actors reuse legitimate services for malicious purposes.
“Hosting phishing lures on DDP sites increases the likelihood of a successful phishing attack, as these sites often have a favorable reputation, are unlikely to appear on web filter blocklists, and can instill a false sense of security in users who recognize them as familiar or legitimate,” Cisco Talos researcher Craig Jackson said last week.
While hackers have used popular cloud-based services such as Google Drive, OneDrive, Dropbox, SharePoint, DocuSign and Oneflow to host phishing documents in the past, the latest development marks an escalation designed to evade email security controls.
DDP services allow users to upload and share PDF files in an interactive, browser-based format, adding page-flip animations and other skeuomorphic effects to a catalog, brochure, or magazine.
Threat actors have been found to abuse the free tier or free trial period offered by these services to create multiple accounts and publish malicious documents.
Beyond exploiting the domains’ favorable reputation, attackers take advantage of the fact that DDP sites support temporary hosting, so that published content automatically becomes unavailable after a predefined expiration date and time.
Additionally, productivity features built into DDP sites such as Publuu can hinder the extraction and detection of malicious links embedded in phishing messages.
In incidents analyzed by Cisco Talos, DDP sites are integrated into the attack chain at the secondary or intermediate stage, typically by embedding a link to a document hosted on a legitimate DDP site in a phishing email.
The DDP-hosted document serves as a gateway to an adversary-controlled external site, reached either directly by clicking a link in the decoy file or through a series of redirects that also require a CAPTCHA to be solved, thwarting automated analysis.
The final landing page is a fake site that mimics the Microsoft 365 login page, thus allowing attackers to steal credentials or session tokens.
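As an added example (not from the article or from Talos), the following Python triage check extracts URLs from a message body and flags messages in which an external sender links to one of the DDP platforms named above, matching on the parsed hostname rather than a substring so that lookalike hosts are not mistaken for the real service. The platform hostnames, the internal domain and the sample messages are assumptions constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Hostnames assumed here for the DDP platforms named in the article; verify
# them against your own intelligence before deploying.
DDP_HOSTS = {
    "flipsnack.com", "issuu.com", "marq.com",
    "publuu.com", "relayto.com", "simplebooklet.com",
}
INTERNAL_DOMAIN = "example.com"  # constructed: the defended organisation

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def ddp_links(text):
    """Return URLs in text whose host is a DDP platform or one of its subdomains.

    Matching on the parsed hostname (not a substring) means a lookalike such as
    issuu.com.not-the-service.test is not mistaken for the real service.
    """
    hits = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:)")  # drop punctuation glued onto the link
        host = (urlparse(url).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in DDP_HOSTS):
            hits.append(url)
    return hits


def assess(sender, body):
    """Flag a message for analyst review when an external sender links to a DDP site.

    The DDP link is the second stage of the chain described in the article, so a
    match is a reason to inspect or detonate the published document, not proof
    of phishing on its own.
    """
    links = ddp_links(body)
    external = not sender.lower().endswith("@" + INTERNAL_DOMAIN)
    verdict = "review" if (links and external) else "allow"
    return {"sender": sender, "ddp_links": links, "external": external, "verdict": verdict}


# Constructed sample messages for a quick stand-alone run
SAMPLES = [
    ("accounts@supplier.test", "Invoice ready: https://cdn.flipsnack.com/doc/abc123, please confirm."),
    ("marketing@example.com", "Q3 brochure is live at https://issuu.com/example/q3"),
    ("noreply@mailer.test", "View here https://issuu.com.not-the-service.test/view"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(assess(sender, body))
```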
“DDP sites could represent a blind spot for defenders because they are unfamiliar to experienced users and are unlikely to be flagged by email and web content filtering checks,” Jackson said.
“DDP sites create advantages for threat actors looking to thwart current phishing protections. The same features and benefits that attract legitimate users to these sites can be exploited by threat actors to increase the effectiveness of a phishing attack.”