Citrix ShareFile email

The machines we love to hate

Moderator: Wiz Feinberg

Jon Light
Posts: 13745
Joined: 4 Aug 1998 11:00 pm
Location: Saugerties, NY

Citrix ShareFile email

Post by Jon Light »

I received an email notification that I needed to change/update my password. I've googled this and apparently it is a thing. Seems legit. Trouble is, I have never heard of Sharefile and have never knowingly used it.
Hovering over the link, I see:

https://secure.sharefile.c*m/login#ForgotPassword
(I inserted an error so that it is not a hot link)

A search of my system shows no such program installed. But it is an available free download from the Microsoft store.

The combination of legit company and apparently real notifications going out about new logins combined with other patterns indicating opportunistic scam has me confused.

I'm doing nothing, not clicking on the link or anything. The only concern is that this is some sort of background program that my Win10 computer uses every day; email/cloud thing or something.

Anyone have some insight?
Wiz Feinberg
Posts: 6091
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

Feel free to forward the original email to me "as an attachment." If you want to do this, send me a PM and I will provide an email address for you to send it to.

Emails forwarded as attachments maintain all of the original headers that are needed to determine both the source and legitimacy of a sender. I used this system to develop the Nigerian Blocklist that is still protecting this forum from Nigerian 419 scammers to this very day.

Note that normally forwarded emails do not have the original headers and are mostly useless for reporting and tracing purposes. All I have to work with in those are URLs used in the body or names of possibly hostile attached files.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
Jon Light
Posts: 13745
Joined: 4 Aug 1998 11:00 pm
Location: Saugerties, NY

Post by Jon Light »

Thanks for the response. It's too complicated to explain the problems I'm having right now but I seem to have deleted it via my phone (I've got a lot of sync confusion between phone, desktop and gmail) and even though it's sitting in a trash folder in the phone, it refuses to be restored or forwarded to another of my accounts. So I'm just going to walk away from this and say forget it. But thanks.
Wiz Feinberg
Posts: 6091
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

Jon Light wrote: Thanks for the response. It's too complicated to explain the problems I'm having right now but I seem to have deleted it via my phone (I've got a lot of sync confusion between phone, desktop and gmail) and even though it's sitting in a trash folder in the phone, it refuses to be restored or forwarded to another of my accounts. So I'm just going to walk away from this and say forget it. But thanks.
In some instances, with Gmail's web interface, it's possible to display the "original message," complete with the incoming headers. It is a drop down option on the right side when you are viewing a message in your browser. I know it works in the spam folder and will test the Trash folder in a few parsecs.

Okay, Show Original is available for messages in the Gmail Trash folder. I'm guessing that the option is in all folders once you click on an email to open it in Gmail. The option is found in the drop down options under the three vertical dots on the right side.
Last edited by Wiz Feinberg on 4 Dec 2018 5:22 pm, edited 1 time in total.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
Jon Light
Posts: 13745
Joined: 4 Aug 1998 11:00 pm
Location: Saugerties, NY

Post by Jon Light »

Sure enough. Yes, I've got the original, headers & all. I just sent you a PM.
Jon Light
Posts: 13745
Joined: 4 Aug 1998 11:00 pm
Location: Saugerties, NY

Post by Jon Light »

Thanks for the help, Wiz.
You have found that this is legit. I am still puzzled by the fact that not only is this app not on my new computer (to which I've only installed selected programs rather than an Acronis image transfer of lots of junk from the old), I just checked and it is not on my previous one either. Could be from an even older rig. Maybe I had to register to receive someone's tracks. Anyway, it's not a phish. Good to know.
Thanks.
Wiz Feinberg
Posts: 6091
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

This is a good time to pass along the notice from Citrix and Sharefile that there is a forced password reset campaign in progress. This is a countermeasure in light of some high visibility thefts of username/password combinations from other major websites to attempt to log into accounts of Citrix Sharefile customers who may have reused the same credentials. This is known as a credential stuffing attack.

If you use Citrix Sharefile, you will need to reset and choose a new password to continue to use the service. If you previously used Sharefile and you still have the same email address that was registered there, you too will receive an email from Citrix telling you about this issue.

I do urge caution whenever a password reset email is received. Oftentimes, scammers use a similar tactic to phish credentials from unsuspecting people. This one was legit, but scammers may pick up on it and try to scam you. The only safe way to know where a hyperlink is pointing to is by reading the source code.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
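
Added example (not part of any post in this thread): a Python sketch of the two checks discussed above, reading the original headers from a raw message such as Gmail's "Show Original" output, and reading link targets from the HTML source instead of the displayed text. The sample message, its domains and the `analyze` helper are constructed for illustration.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample (not the email from the thread); all domains are placeholders.
RAW = b"""\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "File Service" <noreply@example.com>
Subject: Password reset required
Content-Type: text/html; charset="utf-8"

<p><a href="https://secure.example.com/login#ForgotPassword">Reset password</a></p>
<p><a href="http://login.example-reset.test/x">https://secure.example.com/login</a></p>
"""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyze(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    # SPF/DKIM/DMARC verdicts as recorded in the Authentication-Results header.
    results = str(msg.get("Authentication-Results", "")).lower()
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results))
    sender = msg["From"].addresses[0].domain.lower()
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    links = []
    for href, text in collector.links:
        host = (urlsplit(href).hostname or "").lower()
        shown = (urlsplit(text).hostname or "").lower() if "://" in text else ""
        links.append({"host": host,
                      "sender_domain": host == sender or host.endswith("." + sender),
                      "text_mismatch": bool(shown) and shown != host})
    return {"from": sender, "auth": auth, "links": links}
```

Only an Authentication-Results header added by your own mail provider should be trusted, since a sender can insert a forged one further down the header block. A link whose host is outside the sender's domain is not proof of phishing, but a `text_mismatch` of True means the visible URL and the real target differ.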