Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2018/03/17 01:28:48 UTC

wetransfer phish

Hi,

wetransfer.com is being used to send links to PDF phishing documents.
It's otherwise a trusted service, and there's really nothing in the
body to indicate it's dangerous or any different than other legitimate
uses for the same service.

https://pastebin.com/CEuFfb7K

Of course these can be reported to wetransfer (although I don't see a
direct way in the email itself), but my users are super sensitive to
these, and we won't be around long if this continues.

Ideas on how to block these are greatly appreciated.

Re: wetransfer phish

Posted by Leandro <le...@spfbl.net>.
>
> > I don't know how to extract mail addresses from the body using SA. But you can
> > query each mail address at our URIBL, like a hostname but using an escape for
> > the at sign:
> >
> > ubuntu@matrix:~$ host flinn.flexer\@runtriz.com.uribl.spfbl.net
> > flinn.flexer\@runtriz.com.uribl.spfbl.net has address 127.0.0.2
> >
> > You can report the abuse to wetransfer and to us. We can blacklist any
> > wetransfer user if any of its links has malware.
>
> Thank you for this, but believe it or not, the user insisted that we
> not block the sender because it's apparently from a partner, and they
> reportedly have fixed their account. I also think this is a problem
> with the wetransfer service, and not necessarily just the email
> account.
>

Great! Delisted then.

The objective is just to blacklist it until there is no more malware, so
that you all have a chance to know that there is a problem with this user
and that you must take caution. That's all.


>
> So I reported it to wetransfer and they responded that it was indeed
> spam and they deleted the file. I then used their same service to send
> myself the same malicious PDF and it succeeded. Terrible!
>

Re: wetransfer phish

Posted by Alex <my...@gmail.com>.
Hi,

>> https://pastebin.com/CEuFfb7K
>>
>> Of course these can be reported to wetransfer (although I don't see a
>> direct way in the email itself), but my users are super sensitive to
>> these, and we won't be around long if this continues.
>>
>> Ideas on how to block these are greatly appreciated.
>
>
> If this service needs an authenticated user to store files there, then it is
> easier to block the user. The mail body says:
>
> "flinn.flexer@runtriz.com sent you some files"
>
> I don't know how to extract mail addresses from the body using SA. But you can
> query each mail address at our URIBL, like a hostname but using an escape for
> the at sign:
>
> ubuntu@matrix:~$ host flinn.flexer\@runtriz.com.uribl.spfbl.net
> flinn.flexer\@runtriz.com.uribl.spfbl.net has address 127.0.0.2
>
> You can report the abuse to wetransfer and to us. We can blacklist any
> wetransfer user if any of its links has malware.

Thank you for this, but believe it or not, the user insisted that we
not block the sender because it's apparently from a partner, and they
reportedly have fixed their account. I also think this is a problem
with the wetransfer service, and not necessarily just the email
account.

So I reported it to wetransfer and they responded that it was indeed
spam and they deleted the file. I then used their same service to send
myself the same malicious PDF and it succeeded. Terrible!

Re: wetransfer phish

Posted by Leandro <le...@spfbl.net>.
2018-03-16 22:28 GMT-03:00 Alex <my...@gmail.com>:

> Hi,
>
> wetransfer.com is being used to send links to PDF phishing documents.
> It's otherwise a trusted service, and there's really nothing in the
> body to indicate it's dangerous or any different than other legitimate
> uses for the same service.
>
> https://pastebin.com/CEuFfb7K
>
> Of course these can be reported to wetransfer (although I don't see a
> direct way in the email itself), but my users are super sensitive to
> these, and we won't be around long if this continues.
>
> Ideas on how to block these are greatly appreciated.
>


If this service needs an authenticated user to store files there, then it is
easier to block the user. The mail body says:

"flinn.flexer@runtriz.com sent you some files"

I don't know how to extract mail addresses from the body using SA. But you can
query each mail address at our URIBL, like a hostname but using an escape for
the at sign:

ubuntu@matrix:~$ host flinn.flexer\@runtriz.com.uribl.spfbl.net
flinn.flexer\@runtriz.com.uribl.spfbl.net has address 127.0.0.2

You can report the abuse to wetransfer and to us. We can blacklist any
wetransfer user if any of its links has malware.

Re: wetransfer phish

Posted by Alex <my...@gmail.com>.
Hi,

>>>> https://pastebin.com/CEuFfb7K
>>>
>>>
>>> is this pdf sent to virustotal.com?
>>>
>>> does it survive clamav testing?
>>
>>
>> It appears it's not widely recognized by virustotal scanners and not
>> currently identified by clamav. I've reported it to clamav.
>>
>> It's a phish that isn't detected as malicious until its malicious
>> payload is downloaded. What I want is a way to detect these before
>> that happens.
>>
> There are enough traits in that msg that a META with a uri rule should make
> detection rather simple.

Yes, I agree, and I've added some obvious ones, but I think my real
problem with this is that it's fraud through a legitimate use of a
trusted service, apparently requires no prior authorization to use,
and there's an API that lets you script it. This means no real ability
to process it based on header rules and changes in the body are easily
subverted.

Re: wetransfer phish

Posted by Axb <ax...@gmail.com>.
On 03/17/2018 06:34 PM, Alex wrote:
> Hi,
> 
> On Sat, Mar 17, 2018 at 12:25 AM, Benny Pedersen <me...@junc.eu> wrote:
>> Alex skrev den 2018-03-17 02:28:
>>
>>> https://pastebin.com/CEuFfb7K
>>
>> is this pdf sent to virustotal.com?
>>
>> does it survive clamav testing?
> 
> It appears it's not widely recognized by virustotal scanners and not
> currently identified by clamav. I've reported it to clamav.
> 
> It's a phish that isn't detected as malicious until its malicious
> payload is downloaded. What I want is a way to detect these before
> that happens.
> 

There are enough traits in that msg that a META with a uri rule should
make detection rather simple.
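Added example, not code from anyone in this thread: it pulls the two body traits discussed above (the "X sent you some files" uploader address and the wetransfer.com download link), builds the SPFBL URIBL query name the way the quoted host(1) lookup does, and combines the results META-style. The sample mail is constructed, the `uribl.spfbl.net` zone is assumed to answer 127.0.0.x as shown in the thread, and the live lookup path (socket.gethostbyname) is replaceable for offline use.

```python
import re
import socket
from email import message_from_string

URIBL_ZONE = "uribl.spfbl.net"  # zone from the quoted host(1) lookup
LISTED_PREFIX = "127.0.0."      # listed entries answer 127.0.0.x (127.0.0.2 above)
# Constructed sample modelled on the body quoted in the thread; not the real mail.
SAMPLE_MAIL = """\
From: WeTransfer <noreply@wetransfer.com>
Subject: flinn.flexer@runtriz.com sent you files via WeTransfer
Content-Type: text/plain; charset=utf-8

flinn.flexer@runtriz.com sent you some files

Get your files: https://wetransfer.com/downloads/EXAMPLE-PLACEHOLDER
"""
SENDER_RE = re.compile(r"\b([\w.+-]+@[\w.-]+\.\w+)\s+sent you some files\b", re.I)
WT_URI_RE = re.compile(r"https?://(?:[\w-]+\.)*wetransfer\.com/\S+", re.I)

def body_text(msg) -> str:
    """Concatenate the decoded text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
        for p in parts if p.get_content_type() == "text/plain")

def extract_traits(raw: str):
    """The two body traits named in the thread: uploader address and download links."""
    text = body_text(message_from_string(raw))
    m = SENDER_RE.search(text)
    return (m.group(1).lower() if m else None, WT_URI_RE.findall(text))

def uribl_name(address: str) -> str:
    """Whole address, '@' kept, under the zone; the '\\@' in host(1) output is display escaping."""
    return f"{address}.{URIBL_ZONE}"

def uribl_listed(address: str, resolve=socket.gethostbyname) -> bool:
    """True on a 127.0.0.x answer; NXDOMAIN or any resolver error counts as not listed (fails open)."""
    try:
        return resolve(uribl_name(address)).startswith(LISTED_PREFIX)
    except OSError:
        return False

def classify(raw: str, resolve=socket.gethostbyname) -> dict:
    """Meta-style verdict: a wetransfer link plus an uploader the URIBL lists."""
    sender, links = extract_traits(raw)
    listed = bool(sender) and uribl_listed(sender, resolve)
    return {"sender": sender, "wetransfer_links": links,
            "sender_listed": listed, "suspect": listed and bool(links)}
```

Note that a wetransfer link plus the "sent you some files" line alone also matches legitimate transfers, which is why the verdict only fires once the uploader is actually listed.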

Re: wetransfer phish

Posted by Alex <my...@gmail.com>.
Hi,

On Sat, Mar 17, 2018 at 12:25 AM, Benny Pedersen <me...@junc.eu> wrote:
> Alex skrev den 2018-03-17 02:28:
>
>> https://pastebin.com/CEuFfb7K
>
> is this pdf sent to virustotal.com?
>
> does it survive clamav testing?

It appears it's not widely recognized by virustotal scanners and not
currently identified by clamav. I've reported it to clamav.

It's a phish that isn't detected as malicious until its malicious
payload is downloaded. What I want is a way to detect these before
that happens.

Re: wetransfer phish

Posted by Benny Pedersen <me...@junc.eu>.
Alex skrev den 2018-03-17 02:28:

> https://pastebin.com/CEuFfb7K

is this pdf sent to virustotal.com?

does it survive clamav testing?

but i think such a service as they provide is like "let me hold your pocket
for you" :=)

never seen before in real problems