Skip to content Skip to footer

Threat Actors Exploit Digital Document Publishing Sites for Phishing and Credential Theft

Threat actors increasingly exploit digital document publishing (DDP) sites for attacks, credential harvesting, and session token theft. Attackers misused popular DDP sites such as FlipSnack, Issuu, Marq, Publuu, RelayTo, and Simplebooklet to evade email security controls and gain unauthorized access to sensitive information.

According to Cisco Talos researcher Craig Jackson, hosting lures on DDP sites significantly increases the chances of a successful attack. These sites have a good reputation and are unlikely to be blocked by filters, making them a prime target for attackers. Moreover, users may have a false sense of security while accessing these sites, as they are familiar with and trust them.

In the past, attackers have used popular cloud-based services like Drive and OneDrive to host documents. However, using DDP sites is a new trend aimed at bypassing email security controls. DDP services allow users to upload and share PDF files in an interactive flipbook format, making them more visually appealing. Attackers use these services' free tier or trial period to create multiple accounts and publish malicious documents.

DDP sites have features that can prevent extracting and detecting malicious links in emails. For example, Publuu has productivity features that can thwart automated analysis efforts. Attackers also benefit from the fact that these sites allow transient file hosting. This means the published content becomes unavailable after a set time, making it difficult for security controls to detect and block the malicious content.

In the attacks analyzed by Cisco Talos, DDP sites are used in the secondary or intermediate stage of the attack. This involves embedding a link to a document hosted on a legitimate DDP site in a email. The document serves as a gateway to an external site controlled by the attackers, where they can steal credentials or session tokens.

DDP sites are a blind spot for defenders as they are unfamiliar to trained users and are unlikely to be flagged by email and content filtering controls. This gives threat actors an advantage in evading contemporary protections.

In conclusion, DDP sites provide a new avenue for threat actors to carry out attacks. While their features and benefits make them attractive to legitimate users, attackers can also abuse them to increase the effectiveness of their attacks. It is crucial for individuals and organizations to remain vigilant while accessing DDP sites and to be aware of the risks associated with them.

Leave a comment

Newsletter Signup
Address

The Grid —
The Matrix Has Me
Big Bear Lake, CA 92315

01010011 01111001 01110011 01110100 01100101 01101101 00100000
01000110 01100001 01101001 01101100 01110101 01110010 01100101

- Dade: What is it with this guy?
- Phreak: His parents missed Woodstock, and he's been making up for it since.
Dade & Phreak

Deitasoft © 2024. All Rights Reserved.