Cyberattacks never stop, and this time a new form of phishing has been detected that masquerades as WeTransfer, the platform for sending and receiving files.
It should be remembered that phishing is a social engineering strategy used by cybercriminals to steal credentials and commit fraud with them or obtain sensitive information. They usually impersonate companies by copying their logos and fonts to send emails with malicious links.
That said, it is worth noting that this time the attackers duplicated the WeTransfer emails. They send fake emails to their victims hoping that they will click on a link that supposedly leads to the file download site.
However, by clicking on the malicious link, the victims give the attackers access. This can be extremely dangerous, especially if company equipment is being used.
The warning about this new scam came from Marcos Besteiro, executive director of the training portal ACEDIS, through his Twitter account. He said that some of his co-workers received the email and realized it was fake after noticing some oddities.
Two things gave the phishing email away. First, they were not expecting to receive files from anyone that day. Second, they hovered over the link to see which address it pointed to. Thanks to these two signals, they alerted their team.
“The malicious script they have collects that email, to know where the click comes from, eliminates the user, and keeps the domain. In our case, it ends at http://acedis.com, which is our website,” said Besteiro.
Put more simply, when the attacker gets a worker to click on the malicious link, the attacker's script checks which email address the click came from. Normally, companies give their employees addresses on the corporate domain, such as “[email protected]”, so the domain alone identifies, in that example, that the victim was a Telefónica employee.
“Now the script opens an iframe with that domain full screen, so it looks like you’re on your own company website. And on that frame, they position a login window of theirs, so that if you click and think you have to enter your website, it captures your username and password”, he pointed out.
In other words, with the information obtained, they “duplicate” the company’s site by framing it behind their own login window, so that the victim believes they are really on it. When the victim tries to log in and enters a username and password, these are stolen by the cybercriminal.
If the person is inattentive, they will not notice that the site is a copy and will enter their data. The information, once in the attackers' hands, can be used to access the business account and carry out attacks or demand ransom money.
Besteiro explained that the malicious script is hosted on ipfs.io, which is a p2p (InterPlanetary File System) web system for sharing content where each member is a node on the network.
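The hover check the co-workers made by hand, together with the ipfs.io hosting and the recipient address carried in the link, can be automated in a mail filter. The following is an added example, not code from Besteiro or from the campaign: the list of expected WeTransfer hosts, the ways the address might be encoded in the link (plain, URL-encoded or base64) and all sample values are assumptions.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# Assumption: hosts a genuine WeTransfer download link would point to.
EXPECTED_HOSTS = {"wetransfer.com", "we.tl"}
# ipfs.io is the host named in the article; extend with other gateways as needed.
IPFS_GATEWAYS = {"ipfs.io"}

def _host_in(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def _candidate_texts(url):
    """Yield the URL-decoded link plus any base64 tokens that decode to text."""
    text = unquote(url)
    yield text
    for token in re.split(r"[^A-Za-z0-9_+-]+", text):
        if len(token) < 8:
            continue
        try:
            padded = token + "=" * (-len(token) % 4)
            yield base64.urlsafe_b64decode(padded).decode("utf-8")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            continue

def triage_link(url, recipient):
    """Return the list of phishing indicators found in one e-mail link."""
    findings = []
    host = (urlsplit(url).hostname or "").lower()
    if not _host_in(host, EXPECTED_HOSTS):
        findings.append("host-not-wetransfer")
    if _host_in(host, IPFS_GATEWAYS):
        findings.append("ipfs-gateway")
    needle = recipient.lower()
    if any(needle in t.lower() for t in _candidate_texts(url)):
        findings.append("recipient-in-url")
    return findings

# Constructed samples (placeholders, not values from the article).
RECIPIENT = "ana@example-corp.test"
TOKEN = base64.urlsafe_b64encode(RECIPIENT.encode()).decode()
SAMPLE_PHISH = "https://ipfs.io/ipfs/EXAMPLE-CID/index.html#" + TOKEN
SAMPLE_GENUINE = "https://wetransfer.com/downloads/EXAMPLE-ID"

if __name__ == "__main__":
    for link in (SAMPLE_PHISH, SAMPLE_GENUINE):
        print(link, "->", triage_link(link, RECIPIENT))
```

A link that carries the recipient's own address is the strongest of the three signals, because the script described above needs that address to pick the domain it frames.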
How can you avoid these types of scams?
To avoid falling for fraud such as phishing, the security of electronic devices and of web browsing must be reinforced, for example:
– Use the two-step verification system in accounts.
– Check that the URL of the websites starts with “HTTPS”.
– Be wary of offers that seem too good to be true or that promise quick ways to earn money.
– Remember that legitimate websites do not request passwords or financial information through messages.
– Use a complete and reliable security solution to be protected.
– Keep software updated. This ensures that the operating system has the necessary patches or corrections to be protected against possible attacks.
– Avoid public WiFi connections that lack password protection, where all traffic can be exposed. Ideally, use a reliable VPN to connect, especially if you are going to enter sensitive data on the web.