Phishing Attack Chain Report - Fiverr

Incident Overview: I recently encountered a phishing attempt within my Fiverr inbox. The attacker used a GIF image to bypass Fiverr’s security measures and avoid detection. The GIF contained a QR code that, when scanned, directed me to a phishing page.

Phishing URL:
Initial URL: https://fiverr.offer984732.cfd/7ky7njr1pzz7970t

Attack Chain:

  1. Initial Contact:

    • The phishing attempt began with a message in my Fiverr inbox containing a GIF image.
    • The GIF displayed a QR code instead of a direct link, likely to circumvent Fiverr’s security mechanisms.
  2. Phishing Page:

    • Scanning the QR code redirected me to a phishing website disguised to resemble Fiverr’s official payment page.
    • The page prompted me to “receive payment” from a client by adding my credit card details.
    • Notably, right-clicking and other browser functions, such as saving the page, were disabled to prevent analysis or inspection.
  3. Redirection to Payment Form:

  4. Transaction Failure:

    • After entering test card details, the page displayed a “transaction failed” message.
    • This indicates the phishing attempt’s goal was purely to collect financial information rather than process any real transaction.

Observations and Indicators of Compromise (IoCs):

  • The URL contains suspicious subdomains and random alphanumeric paths.
  • The use of QR codes in phishing attempts to avoid link detection.
  • Browser functions such as right-clicking being disabled, which is a common phishing tactic.
  • Fake payment processing followed by a transaction failure message.
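
The URL indicators listed above can be turned into a triage check for links decoded from QR images. The following is an added example, not part of the original report; the brand keyword, the allow-list, the thresholds and all function names are assumptions, and the URL is assumed to have already been decoded from the QR code.

```python
import math
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumptions of this example (not from the report): the brand keyword, the
# allow-list of legitimate domains, and the length/entropy thresholds.
BRAND = "fiverr"
LEGIT_DOMAINS = {"fiverr.com"}
MIN_PATH_LEN = 12
MIN_PATH_ENTROPY = 3.0  # bits per character

def shannon_entropy(text):
    """Bits per character; random tokens score higher than dictionary words."""
    if not text:
        return 0.0
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())

def registrable_domain(host):
    # Naive "last two labels" split; production code should use the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def lookalike_findings(url):
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    if domain in LEGIT_DOMAINS:
        return []
    findings = []
    # Brand name used as a subdomain (or substring) of a domain the brand does not own.
    if BRAND in host:
        findings.append("brand-in-foreign-domain")
    # Registrable label padded with a run of digits, e.g. offer984732.
    if re.search(r"[a-z]\d{3,}|\d{3,}[a-z]", domain.split(".")[0]):
        findings.append("digit-run-in-domain")
    # Single long, random-looking alphanumeric path token.
    token = parts.path.strip("/")
    if (len(token) >= MIN_PATH_LEN and re.fullmatch(r"[A-Za-z0-9]+", token)
            and shannon_entropy(token) >= MIN_PATH_ENTROPY):
        findings.append("random-path-token")
    return findings

if __name__ == "__main__":
    # First URL is the one from this report; the second is a constructed benign sample.
    for u in ("https://fiverr.offer984732.cfd/7ky7njr1pzz7970t", "https://www.fiverr.com/inbox"):
        print(u, lookalike_findings(u))
```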

Recommendations:

  1. Avoid Scanning Unknown QR Codes:
    • Do not scan QR codes from unknown or unverified sources, especially on online freelance platforms.
  2. Verify URLs Carefully:
    • Always cross-check URLs and avoid interacting with unfamiliar domains.
  3. Enable Security Features:
    • Use browser extensions and security tools to identify phishing sites.
  4. Report the Incident:
    • Report such incidents to Fiverr’s support team and relevant cybersecurity authorities.
  5. Monitor Financial Accounts:
    • If any sensitive information was entered, monitor bank statements and enable fraud alerts.

Conclusion: This phishing attempt leveraged an innovative technique by embedding a QR code in a GIF to bypass detection and used social engineering to prompt credit card submission. Users should remain vigilant and report suspicious activity to prevent potential financial loss.