The NJCCIC received reports of a phishing scam sent to New Jersey State employees, abusing the legitimate and trusted Google AppSheet, a no-code application development platform for mobile, tablet, and web applications. In this phishing scam, threat actors impersonate a legitimate global law firm that appears in the sender’s display name and the body of the email, and the sender’s email address displays the legitimate noreply@appsheet.com email address to evade detection. The email claims to be an intellectual property rights violation notification and identifies a Facebook page in serious violation.

The email also contains urgent language and a link claiming to have documented evidence and comprehensive details of the infringement. The threat actors convince their target to click the “Download Evidence” button. If clicked, the target is directed to a webpage with a .su domain, which is considered malicious and associated with SmokeLoader malware. The webpage redirects to a .be domain to download an “Internal Briefing on Content Distribution Rules.zip” file. The extracted zip file contains a Microsoft Word document that, if opened, runs a script and utilizes CertUtil to decode the payload.

Recommendations

• Exercise caution with communications from known senders or legitimate platforms.
• Confirm requests from senders via contact information obtained from verified and official sources before taking action, such as clicking on links or opening attachments.
• Type official website URLs into browsers manually and only submit sensitive information on official websites.
• Keep systems and browsers up to date.
• Report malicious cyber activity to the NJCCIC and the FBI’s IC3.