Cybercriminals are increasingly exploiting legitimate file-sharing services like GetShared to distribute malware and conduct phishing campaigns, effectively bypassing traditional email security defenses. This tactic leverages the trusted nature of notifications from recognized platforms, making malicious emails appear legitimate and increasing the likelihood of user engagement.
The Attack Methodology
The attack initiates when victims receive authentic-looking email notifications from GetShared, informing them that a file has been shared with them. These emails often carry business-related file names such as DESIGN LOGO.rar, enhancing their credibility. The notifications are meticulously crafted, incorporating GetShared’s official branding and formatting, which adds to their authenticity.
Accompanying messages typically employ classic phishing tactics, including inquiries about pricing for items supposedly included in the attachment, along with requests for delivery times and payment details. These strategies aim to create a sense of urgency and legitimacy, prompting recipients to download the shared file without suspicion.
Discovery and Analysis
Researchers at Kaspersky identified this emerging trend after analyzing suspicious notifications reported by vigilant users. Their investigation revealed that GetShared has become a popular tool among scammers seeking new platforms to exploit, especially after security enhancements in previously targeted services like Google Calendar and Dropbox.
This attack vector is particularly concerning because it effectively circumvents traditional email security measures. Most organizations implement robust filtering at the email gateway level; however, legitimate notifications from trusted services like GetShared typically pass through these defenses unimpeded.
Infection Mechanism
The infection process leverages GetShared’s file-sharing functionality as a delivery mechanism. When users click the Download button in these notifications, they are directed to GetShared’s platform, where the malicious payload awaits. In some instances, rather than delivering malware immediately, attackers distribute text files containing instructions that initiate social engineering tactics to further develop the attack. This multi-stage approach reduces the likelihood of detection by security solutions that scan for known malicious signatures.
A particularly concerning aspect is the diversification of payloads. While some campaigns distribute obvious malware executables, others employ archive files containing seemingly innocuous documents that execute malicious scripts when opened.
Broader Context
This exploitation of legitimate services is part of a broader trend where cybercriminals abuse trusted platforms to distribute malware. An analysis of over 400 malware families deployed in the past two years found that at least 25% abused legitimate internet services as part of their infrastructure. Cloud storage platforms like Pastebin, Google Drive, and Dropbox are among the most exploited, followed by messaging apps such as Telegram and Discord. This tactic allows malicious actors to blend in with normal traffic, complicating detection efforts. ([cyberscoop.com](https://cyberscoop.com/hackers-hiding-cloud-services-malware/?utm_source=openai))
For instance, Russian state-sponsored hackers have been known to use project management software like Trello and productivity services like Notion to facilitate their operations. These platforms are exploited for command and control communications, data storage, and malware delivery, demonstrating the versatility of this approach. ([cyberscoop.com](https://cyberscoop.com/hackers-hiding-cloud-services-malware/?utm_source=openai))
Recommendations for Mitigation
To defend against such sophisticated attacks, organizations should consider the following measures:
1. User Education and Awareness: Regular training sessions should be conducted to educate employees about the risks associated with unsolicited file-sharing notifications and the importance of verifying the authenticity of such emails.
2. Advanced Email Filtering: Implement email security solutions that can analyze the content and context of messages, identifying and blocking phishing attempts that exploit legitimate services.
3. Endpoint Protection: Deploy endpoint detection and response (EDR) solutions capable of identifying and mitigating malicious activities that may bypass initial email defenses.
4. Behavioral Analysis: Utilize security tools that monitor for behavioral anomalies, such as unexpected file downloads or execution of scripts, to detect potential threats that do not match known signatures.
5. Regular Software Updates: Ensure that all software and systems are up to date with the latest security patches to minimize vulnerabilities that could be exploited by attackers.
6. Incident Response Planning: Develop and regularly update incident response plans to ensure a swift and effective reaction to security breaches, minimizing potential damage.
By adopting a comprehensive and proactive approach to cybersecurity, organizations can better protect themselves against the evolving tactics of cybercriminals who exploit trusted platforms to distribute malware.
