Threat actors have long used social media content both for reconnaissance and as a data source to customize phishing attacks and enhance their credibility. This example was attempting to masquerade as a Voice2eMail message. However, each message is customized to the target organization: the image inserted in the email changes depending on the company being targeted. The attacker-generated emails pull the image from the target company's Facebook profile and insert it into the custom-branded message. This is done to convince the user that the message originated from their own voicemail system, which makes for a very compelling attack.
If the company did not have a Facebook presence or photo, a generic Microsoft image was inserted instead. To disguise the true nature of the URL, these attacks abused LinkedIn's "slinks," a feature that businesses can use in their LinkedIn profile for tracking marketing and ad campaign metrics. This LinkedIn service acts as a redirect to a second destination once the link is clicked by the user.
For this attack, the target was redirected to ipfse.]io (InterPlanetary File System), a popular peer-to-peer network that is a hotbed for hosting malicious phishing sites. The phishing page defaults to the obligatory Microsoft-branded credential harvesting page.
We have observed a massive volume of phishing attacks leveraging the IPFS network over the last several months. By hosting there, the threat actors make it extremely difficult to conduct a takedown, because the content lives on decentralized nodes: even if it is removed from one node, the malicious content persists on others, making IPFS an ideal platform for hosting malicious content and ensuring its availability. What's more, attackers can create and host content on the IPFS network without the burden of running even a single node on their own infrastructure.
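The two hallmarks described above, a LinkedIn slink used as a redirect and a landing page served from an IPFS gateway, are both visible in the URLs of the lure itself, so a mail-filtering or triage pipeline can flag them before anyone clicks. The following is an added example, not code from the original post or from the campaign's own infrastructure: it scans a constructed voicemail-lure email body for anchor links and remote images, flags LinkedIn `/slink` redirects, and recognises both path-style (`/ipfs/<cid>`) and subdomain-style (`<cid>.ipfs.<gateway>`) IPFS gateway URLs by validating the content identifier (CIDv0 base58 or CIDv1 base32). It also notes whether the branding image is fetched from a Facebook host, the lure trait the post describes. All hostnames, the CID values, and the email body are constructed for the example; the LinkedIn slink URL shape (`linkedin.com/slink?code=...`) is an assumption about the feature's public form.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# --- Content identifier (CID) recognition ---------------------------------
# CIDv0: "Qm" followed by 44 base58 characters (46 characters in total).
CIDV0_RE = re.compile(r"^Qm[1-9A-HJ-NP-Za-km-z]{44}$")
# CIDv1 as seen on gateways: lower-case base32, normally starting with "baf".
# Subdomain gateways must use this form because DNS labels are case-insensitive,
# which would corrupt a case-sensitive base58 CIDv0.
CIDV1_RE = re.compile(r"^baf[a-z2-7]{50,}$")

# Constructed sample CIDs (placeholders, not real content hashes or IoCs).
SAMPLE_CID_V0 = "Qm" + "X" * 44
SAMPLE_CID_V1 = "bafy" + "b" * 52


def is_cid(token: str) -> bool:
    """True if the token is shaped like a CIDv0 or base32 CIDv1."""
    return bool(CIDV0_RE.match(token) or CIDV1_RE.match(token))


def url_indicators(url: str) -> list:
    """Return the list of lure indicators found in a single URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path or ""
    found = []
    # LinkedIn campaign redirect ("slink"): assumed shape linkedin.com/slink?code=...
    if (host == "linkedin.com" or host.endswith(".linkedin.com")) and path.rstrip("/") == "/slink":
        found.append("linkedin_slink_redirect")
    # Path-style IPFS gateway: https://<gateway>/ipfs/<cid>[/...]
    m = re.match(r"^/ipfs/([^/?#]+)", path)
    if m and is_cid(m.group(1)):
        found.append("ipfs_path_gateway")
    # Subdomain-style IPFS gateway: https://<cid>.ipfs.<gateway>/...
    labels = host.split(".")
    if len(labels) >= 3 and labels[1] == "ipfs" and is_cid(labels[0]):
        found.append("ipfs_subdomain_gateway")
    return found


class _LinkCollector(HTMLParser):
    """Collects <a href> and <img src> values from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.img_srcs = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.img_srcs.append(a["src"])


def scan_email_html(html: str) -> dict:
    """Report flagged links and whether the branding image comes from Facebook."""
    collector = _LinkCollector()
    collector.feed(html)
    report = {"links": {}, "remote_image_hosts": []}
    for href in collector.hrefs:
        indicators = url_indicators(href)
        if indicators:
            report["links"][href] = indicators
    for src in collector.img_srcs:
        host = (urlparse(src).hostname or "").lower()
        if host:
            report["remote_image_hosts"].append(host)
    # Lure trait from the campaign: a "voicemail" branding image pulled from the
    # target's own Facebook profile. fbcdn.net is Facebook's image CDN.
    report["social_branding_image"] = any(
        h == "facebook.com" or h.endswith(".facebook.com") or h.endswith(".fbcdn.net")
        for h in report["remote_image_hosts"]
    )
    return report


# Constructed sample lure, modelled on the voicemail pretext described above.
SAMPLE_EMAIL_HTML = f"""
<html><body>
<img src="https://scontent.example-cdn.facebook.com/v/branding.jpg">
<p>You have a new voice message (0:42).</p>
<a href="https://www.linkedin.com/slink?code=EXAMPLE123">Listen to message</a>
<a href="https://ipfs-gateway.example/ipfs/{SAMPLE_CID_V0}/index.html">Alternate link</a>
</body></html>
"""

if __name__ == "__main__":
    for link, hits in scan_email_html(SAMPLE_EMAIL_HTML)["links"].items():
        print(link, "->", ", ".join(hits))
```

In a real pipeline the slink indicator is only a first-stage signal, since legitimate marketing mail also uses slinks; the combination of a voicemail pretext, a social-media-hosted branding image and a redirect that resolves to an IPFS gateway is what distinguishes this campaign. Resolving where a slink actually lands should be done in a sandboxed URL-detonation step, not inline in the mail filter.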