Researchers from Check Point Harmony Email have discovered a novel phishing campaign that exploits the interactive content creation platform, Genial.ly. The campaign involves cybercriminals embedding harmful links within otherwise legitimate Genial.ly email requests, making it very difficult to detect.
This method of attack represents a worrying evolution in cybercrime. Dubbed "Business Compromise 3.0" by the researchers, it co-opts reputable, free-to-use services to enact illegal activities. It builds upon the recent rise in Business Email Compromise (BEC) campaigns, which use intricate spoofing techniques to impersonate business communications. These have proven highly successful over the past year, and according to the researchers, represent a growing threat.
"Hackers love to leverage free sites to send phishing campaigns. We have seen this a lot over the last year, whether it’s popular sites like Google or PayPal, or lesser-known sites as well," Check Point says.
"If it’s free, it means there’s no bar to entry and the threat actors can try as often as they like with no downside."
The use of legitimate, free services has been a main theme of the attacks we’ve seen this year. We call it Business Compromise 3.0, the next evolution of the dangerous BEC attacks. These use legitimate sites to carry out illegitimate tasks, and it’s incredibly difficult to stop because the emails themselves are genuine.
In this attack brief, Check Point Harmony Email researchers will discuss how hackers are using Genial.ly to send out phishing links.
A typical attack following this method involves creating a document in Genial.ly, which is then linked to malicious content. The recipient of the Genial.ly-generated email is invited to click a link to the creation. The email and link both appear legitimate, but once the recipient clicks on the image in the linked site, they're redirected to a harmful page.
The simplicity and efficiency of this method are among the reasons it has become increasingly common. Hardly any coding experience is needed to execute the attack, and anyone can create an unlimited number of accounts for free. The usage of legitimate services and lack of suspicious language make these attacks difficult to identify for security solutions.
Protection measures should therefore focus on securing users even if they interact with a malicious link. Techniques can include link protection, URL rewriting, and the emulation of pages behind links to ascertain their true intent. Implementing a policy to block corporate password reuse is also advisable, as is the analysis of sites for potential phishing indicators.
The researchers also suggest utilising security measures that use AI to identify potential phishing attempts, alongside full-suite security capable of scanning documents and files, and robust URL protection to scan and emulate webpages.
These types of attacks are expected to further escalate in 2024, with cybercriminals set to exploit a diverse range of SaaS sites for their purposes. Check Point Harmony Email researchers notified Genial.ly of this retaliatory phishing campaign on December 4th.