Published on: March 21, 2020
BY GENADY VISHNEVETSKY
In the past, I’ve described one evasion technique cybercriminals use to avoid being blocked by email security technologies: hosting the lure on legitimate (Microsoft) websites. This week Threatpost.com shared an interesting new twist: attackers are using YouTube’s redirect feature to get you to click on malicious links. Redirector URLs are commonly used by legitimate organizations, but they are increasingly being abused by cybercriminals.
In this case, the email below appears to come from a SharePoint site.
Hovering over the link reveals this URL: https://www[.]youtube[.]com/redirect?v=6l7J1i1OkKs&q=http%3A%2F%2FCompanyname[.]sharepointonline-ert[.]pw. Everything up to the q= parameter is a genuine YouTube redirect endpoint; the q= value is the URL-encoded true destination, which decodes to http://Companyname[.]sharepointonline-ert[.]pw.
If a user is not careful and clicks on this link, they are sent to YouTube and immediately redirected to companyname.sharepointonline-ert.pw. Not surprisingly, that address leads to a malicious website, which is hosted on legitimate Google infrastructure (googleapis.com) and has a valid SSL certificate, so the browser’s padlock gives no warning.
According to the researchers, domains of the form sharepointonline-xxx.pw, where xxx is three random letters, are generated and registered in bulk for each campaign, an indicator that the operation is automated. Imagine: a computer performs all of those elaborate steps and a human crook collects the payment. Unfortunately, this is the world we’re living in.
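The check a mail-filtering or triage script needs here is to unwrap the redirector rather than judge the link by its visible domain. The following Python is an added example written for this post, not code from the original article, Threatpost or any vendor product: it pulls URLs out of a message body, follows known redirector query parameters offline (the youtube.com/redirect?q= case is the one from the post; the other redirector entries, the parameter names and the lookalike regex are assumptions), and flags destinations that match the campaign’s sharepointonline-xxx.pw naming pattern. The sample email body is constructed to mimic the lure, not the real message.

```python
"""Unwrap redirector URLs found in an email and flag lookalike destinations.

Added example, not code from the original post. The redirector table, the
parameter names and the lookalike pattern are assumptions chosen to cover
the YouTube case described in the post; extend them for your environment.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlparse

# Redirector hosts and the query parameters that carry the real destination.
# youtube.com/redirect?q=... is from the post; the google.com entry is an assumption.
REDIRECTORS = {
    "www.youtube.com": ("q", "u"),
    "youtube.com": ("q", "u"),
    "www.google.com": ("url", "q"),
}

# Throwaway-domain pattern from the post: <label>.sharepointonline-<3 letters>.pw
# (the regex itself is ours).
LOOKALIKE = re.compile(r"(^|\.)sharepointonline-[a-z]{3}\.pw$", re.IGNORECASE)
LEGIT_SHAREPOINT = re.compile(r"(^|\.)sharepoint\.com$", re.IGNORECASE)

# Good-enough URL extractor for plain-text bodies.
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def refang(url: str) -> str:
    """Turn defanged report notation (www[.]example[.]com, hxxp) back into a URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def unwrap(url: str, max_hops: int = 5) -> List[str]:
    """Follow redirector query parameters offline; return the chain of URLs.

    No network request is made: the next hop is read straight out of the
    query string, which is exactly what the phishing link relies on.
    """
    chain = [url]
    for _ in range(max_hops):
        parsed = urlparse(chain[-1])
        params = REDIRECTORS.get(parsed.netloc.lower())
        if not params:
            break
        qs = parse_qs(parsed.query)  # percent-decodes the values for us
        nxt = next((qs[k][0] for k in params if k in qs), None)
        if not nxt or not nxt.lower().startswith(("http://", "https://")):
            break
        chain.append(nxt)
    return chain


def assess(url: str) -> Dict[str, object]:
    """Classify one link by where it really lands, not by its visible domain."""
    chain = unwrap(refang(url))
    final_host = urlparse(chain[-1]).hostname or ""
    return {
        "chain": chain,
        "final_host": final_host,
        "redirector_abuse": len(chain) > 1,
        "lookalike": bool(LOOKALIKE.search(final_host)),
        "legit_sharepoint": bool(LEGIT_SHAREPOINT.search(final_host)),
    }


def scan_email(body: str) -> List[Dict[str, object]]:
    """Extract every URL from a message body and assess it."""
    return [assess(u) for u in URL_RE.findall(body)]


# Constructed sample body modelled on the lure in the post (not the real email).
SAMPLE_BODY = """Someone shared a document with you.
Open: https://www[.]youtube[.]com/redirect?v=6l7J1i1OkKs&q=http%3A%2F%2FCompanyname[.]sharepointonline-ert[.]pw
Manage sharing: https://contoso.sharepoint.com/sites/hr
"""

if __name__ == "__main__":
    for result in scan_email(SAMPLE_BODY):
        verdict = "BLOCK" if result["lookalike"] or result["redirector_abuse"] else "allow"
        print(f"{verdict:5} {' -> '.join(result['chain'])}")
```

The verdict hinges on `final_host`, so a rule that only consulted the link’s first hop (youtube.com) would allow it; unwrapping the q= parameter is what exposes companyname.sharepointonline-ert.pw. Because the unwrapping is done purely on the query string, it runs safely in a gateway or SOAR playbook without ever touching the attacker’s site.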
As mentioned earlier, the final destination of the link above was a Microsoft look-alike website built to steal credentials. Leaving no room for error, the attacker conveniently pre-populates the victim’s email address on the phishing page. Not bad for a bot. An email security gateway that judges a link by its visible domain sees only youtube.com and waves the message through. That is why we continue to rely on you, the "human firewalls," to be vigilant.
Always remember, think before you click.