Phishing attacks have begun to take advantage of Basecamp in attempts to distribute malware and steal credentials.
Basecamp is an online project management solution that allows people to collaborate, talk to each other, create documents and share files.
For file sharing, users can create a public link that lets people outside the organization preview the file and download it.
Users who click on this link are taken to a page that previews the file; that page also contains a link to download the file to their computer.
With Basecamp, users can share files of any type.
Basecamp used to distribute malware executables
Security researchers have found that cybercriminals are distributing the BazarLoader executable using Basecamp public download links.
BazarLoader is a backdoor Trojan developed by the TrickBot gang that targets large organizations. Once installed, BazarLoader deploys Cobalt Strike beacons that allow the attackers to gain access to the organization's network and deploy Ryuk ransomware.
Misuse of trusted services such as Basecamp to host malicious files and phishing pages is common. Users feel safe when they see a legitimate service and are therefore easy to deceive.
In addition, according to the researchers, the use of Basecamp URLs allows the creation of carefully designed, targeted campaigns. Users believe that the file they receive comes from their own Basecamp project and thus give the criminals access to the network.
Basecamp used in phishing campaigns
Because Basecamp is a legitimate service, it is also considered trustworthy, which allows it to bypass security solutions.
"This technique is effective because Basecamp and Google Cloud hosting are often used for business operations and are considered secure solutions by most tracking systems. Cloud platforms also maintain the anonymity of their users and can be set up quickly. It is difficult for SOC analysts to identify them as a threat because traffic to and from these services seems legitimate", Thomas explains in his report.
Recently, Thomas discovered a phishing campaign that used a Basecamp document to redirect users to an Office 365 phishing page, where the user is asked to enter their credentials.
In addition, according to BleepingComputer, the hackers use Basecamp because they can edit the intermediate pages (those that redirect users to the phishing sites) at any time. If there is a problem with a particular phishing page, the hackers can simply log in to Basecamp and modify the intermediate page to redirect users to a different phishing page. This way, the attackers can continue the campaign even if researchers manage to take down a phishing page.