We see lots of phishing attempts . This one is much better done than the majority of others we see. This pretends to be an email from We Transfer which is a service used to send files to other users. Basically a file sharing service, where you upload a file & then send somebody a link to download it. When I first saw the email, I thought it was the genuine we transfer site & it was going to be a malware campaign abusing wetransfer.com. I had to look very closely to realise it was only a phishing scam.
The criminals behind the scam have made a very good effort with this one. They send the emails from a domain that can be very easily mistaken for the genuine wetransfer.com domain. The fake we transfer site looks at first glance to be the genuine site and you might easily think it is the mobile version of the genuine site. This fake site is https://downloads.m-wetransfer.com/ note the m-wetransfer.com. Lots of sites use a mobile version m.site.com. While looking quickly, it is very easy to misread or ignore the – or any . in the url and just see the wetransfer.com.
The big mistake the criminal has made is to put what looks like his own email address or an address under his control email@example.com as the mailto link where the recipients email address appears in the email body. It is entirely possible that this email address is another innocent victim and the criminal setting this up has misconfigured the automatic set up & sending to use the 1st victim’s email address as mailto: instead of each individual recipients email address.
They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.
You can now submit suspicious sites, emails and files via our Submissions system
Remember many email clients, especially on a mobile phone or tablet, only show the Name in the From: and not the bit in <domain.com >. That is why these scams and phishes work so well.
The email looks like:
From: We Transfer <firstname.lastname@example.org>
Date: Fri 14/12/2018 03:29
Subject: Someone sent you a file via WeTransfer
You have received a file via WeTransfer
3 Files, 20 MB in total Â· Will be deleted on 21th Dec 2018
Download your Docs here <https://email@example.com>
The fake site looks like
|126.96.36.199||slot0.wetransfer.id||Washington||District of Columbia||US||AS7489 HostUS|
Received: from slot0.wetransfer.id ([188.8.131.52]:58746) by my email server with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.91) (envelope-from <firstname.lastname@example.org>) id 1gXeEN-0006BQ-AC for email@example.com; Fri, 14 Dec 2018 03:33:39 +0000 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim; d=wetransfer.id; h=Content-Type:MIME-Version:Subject:To:From:Date:Message-ID; firstname.lastname@example.org; bh=Ex/UOJsgIZw0x0/wDkru3O8q/hk=; b=i4J6o4raJvSXWtZBJvy+xW1vP2UdGm8AMYHtjJQAPp4OEIqEBWgTv5HuI3DayOBgqdrWVWSDMEVb W7NpfRW6ceNwEUqocxoVgmjpRgqrD2+prNW04syHd3/sa07NttiiWCg9RV7RjsE1GZMc3kG5IR0T XNS/Aeie0C9W5gks6NA7FQJBRDFBpASjon/jrSpUTXf+25sCxkxDFbsSrtMcZ59fG9C6RZPyH0tH PNl2H1Pwbcj9ayqBjM4D/ldjBem+HrVpLCwR7y/9Cn1OWoDx9QXW5vWNx4AFEsmB4+FWD7LJfwSr hmhnCRfJc9KyoYoLLeCOmgHH8RHwML4+A6/5TQ== DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=dkim; d=wetransfer.id; b=txZlpxOtihDBZsLJtWsYc5QMbVkEkHPklA95d2JjRsTcobHynxGrTJy0KgfpuBhBFoaiv0078+bZ sVEgrdaMuFBS+n1qgI+E3Gh2qvlGyWSGyyOYkaonXKdy1Kt/PMOnE2NKeQLTkV4F189g9QEcAerI geNV1ciWEY1EAkbk2e2ZeK9GHa+54OMwyOWBOljp1lKuI0dqqz5rbFLBfAGnFvgYfXMdUY5LZQ76 fVpo0O2UT/Kxt93sRIZAMXNRm8HihitobgNmVKuO+wi58pJrLcEdjxlcSszxJhJReepWKklc3NPn d0oDIKfgiPrHav3z039SFvlxW5p1qm/MTEF62g==; Content-Type: multipart/alternative; boundary="===============0850196573==" MIME-Version: 1.0 Subject: Someone sent you a file via WeTransfer To: email@example.com From: "We Transfer" <firstname.lastname@example.org> Date: Fri, 14 Dec 2018 11:29:24 +0800 Message-ID: <0.0.2.29C.1D4935DCE64DE7C.email@example.com>
The Phishing site downloads.m-wetransfer.com was registered on 14 November 2018 using PublicDomainRegistry.com as registrar. It is currently hosted on 184.108.40.206 vpshosting.com.hk
However the base domain m-wetransfer.com is currently hosted on 220.127.116.11 blazingfast.io where the default hosting not yet set up properly page is showing
The email sending domain wetransfer.id was registered on 26 November 2018 and is currently hosted on 18.104.22.168 AS7489 HostUS
We all get very blasé about phishing and think we know so much that we will never fall for a phishing attempt. Don’t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information. It might be an email that says “you have won a prize” or “sign up to this website for discounts, prizes and special offers”
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.
All of these emails use Social engineering tricks to persuade you to open the attachments or follow the links that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Or whether it is a straight forward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.