Trustpilot URL Redirect Abuse


    Jul. 23, 2024

    Key Points

    • Abuse of Trustpilot and SendGrid infrastructure
    • Focused predominantly on the professional, scientific, and technical services industries
    • The primary intent was to steal recipients' credentials, most likely to sell for profit

    On June 17th 2024, Mimecast’s threat researchers observed a novel URL redirect phishing campaign using Trustpilot. The campaign started abruptly on June 17th; investigation attributed the activity to Trustpilot URLs generated by SendGrid. After review, this was assessed to have been a short-duration, high-volume event seeking to redirect targeted users to a credential-harvesting phishing page. The graph below highlights the activity associated with this campaign.

    [Figure 1: graph of campaign activity over time (image not included)]

    Prior to active use, the technique, along with other styling and distribution characteristics, appears to have been thoroughly tested using compromised user accounts to ensure deliverability. Between the campaign peaks, further testing and validation was observed to maintain successful delivery. The phishing emails were sent primarily through compromised Microsoft 365 accounts and the email service provider KDDI. A breakdown of the email service providers used is shown below.

    [Figure 2: breakdown of email service providers used to send the phishing emails (image not included)]

    Targets:

    Predominantly US-focused; multiple sectors, but significant in Professional, Scientific, and Technical Services

    IOCs:

    Trustpilot redirects:

    • hxxps://link.trustpilot.com/ls/click?upn=u001.7TXFvnJF4GMbcQqVAhZRa8-2FKsqcJJrXM5PriJjesPuYjvEDhc4u61YqxKeokTY4adTcM_r0aPuFam2OijKUCcDq4dNJZTUPWa70WxFXUt4Msr1TPSXE1rqhpUHZ9AfnLVE6EA5EXtoQpyf-2FfWDBC1bYEh6lTSdqycNmiUr9TST70VnC6S62SKSCraCoxe-2FU3kuJmXhYEm3koA34a-2BKr8dbNto67EZttUffEOZA127cGFwkK7I-2BydN9Q8sxLLQwLmx3MnDCb8PeVy5rZSTzAzzTz901Q-3D-3D

    Click here to access the full list of Trustpilot redirects

    Redirect Hosts:

    • info.ubergeek[.]tv
    • phyditis[.]ru

    Click here to access the full list of redirect hosts

    TTPs:

    • T1586.002 - Compromise Accounts: Email Accounts
    • T1566.002 - Phishing: Spearphishing Link
    • T1583.006 - Acquire Infrastructure: Web Services
    • T1608.005 - Stage Capabilities: Link Target
