ClickFunnels is an online service that helps entrepreneurs and small businesses generate leads, build marketing engines and grow their businesses.
Hackers, however, are using it to bypass security services.
Because ClickFunnels offers the ability to easily create web pages, hackers are taking advantage of that to create pages with malicious links.
In this attack brief, researchers at Avanan, a Check Point Software Company, will discuss how threat actors are using a legitimate service for bad purposes.
In this attack, hackers are creating malicious pages in ClickFunnels, redirecting users to malicious links.
- Vector: Email
- Type: Credential Harvesting
- Techniques: Social Engineering, Impersonation
- Target: Any end-user
Email Example #1
This email is in Italian. Here’s the rough translation.
I sent you a file to review
Link: Document Review
When the user clicks on “Document Review” they are redirected to the following page:
When the user clicks on “Get Document”, they are redirected to a malicious PDF download, which would introduce a malicious credential harvesting document.
We talk constantly about “The Static Expressway.” This is the practice of leveraging legitimate sites to host and send malicious pages.
Essentially, it’s a way of hiding malicious intent in something legitimate.
When a hacker sees this on VirusTotal, they’ll be quite happy:
That’s because security engines have deemed ClickFunnels as safe. And it is! But it doesn’t preclude the fact from hackers using it to host malicious downloads on these pages.
We’ve seen this time and time again. Whether it’s using AWS, Microsoft Voice or Facebook, this is a powerful way to get into the inbox. It utilizes the fact that security services can’t outright ban popular sites. Hackers then hop on the back of these to get into the inbox and scam users.
It requires looking at the whole of the attack to understand what exactly is going on.
Best Practices: Guidance and Recommendations
To guard against these attacks, security professionals can do the following:
- Check URLs in email and in browser before proceeding
- Ask sender if they intended to use this site to send documents