Researchers at Menlo Security have uncovered a sophisticated phishing campaign that targets executives and high-ranking employees from several industries in the U.S. The attacks exploit an open redirect vulnerability on the job listing website indeed.com. Notable industries affected include electronic manufacturing, banking and finance, real estate, insurance, and property management.
Exploiting Redirects and Trusted Links
The attackers abuse redirects: URLs, widely accepted as legitimate, that automatically take visitors to another online location, typically a third-party website. Where a redirect is open, threat actors can manipulate it to point to an arbitrary location, and in this campaign they used it to direct users to a phishing web page.
Indeed's open redirect vulnerability is reportedly the one being abused, and the credibility of the platform makes the phishing attempt more deceptive. Targets of this attack receive emails containing links to the job listing site that look legitimate enough not to raise suspicion at first glance. Once clicked, these URLs lead the targeted user straight to a phishing site acting as a reverse proxy for Microsoft's login page.
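A defensive check for the pattern described above, as an added example that is not code from Menlo Security or Indeed: it flags links on a trusted host whose query parameters carry a URL pointing to a different host. The host `jobs.example.com`, the parameter name `target` and all sample links are constructed, and "same site" is approximated as the same host or a subdomain of it.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed placeholder: hosts the mail filter treats as reputable.
TRUSTED_HOSTS = {"jobs.example.com"}

# Constructed sample links; "target" is a hypothetical parameter name.
SAMPLES = [
    "https://jobs.example.com/rd?target=https%3A%2F%2Flogin.phish.example%2Fsignin",
    "https://jobs.example.com/rd?target=https%253A%252F%252Flogin.phish.example%252F",
    "https://jobs.example.com/rd?target=%2F%2Flogin.phish.example%2F",
    "https://jobs.example.com/rd?target=https%3A%2F%2Fjobs.example.com%2Fviewjob",
    "https://jobs.example.com/search?q=security+engineer",
]

def _decode(value, rounds=3):
    """Undo nested percent-encoding, which can hide the destination."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def _url_host(value):
    """Host of an absolute or scheme-relative http(s) URL, else None."""
    try:
        # Browsers treat "\" like "/", so normalise before parsing.
        parts = urlsplit(value.strip().replace("\\", "/"))
    except ValueError:
        return None
    if parts.scheme in ("", "http", "https") and parts.hostname:
        return parts.hostname.lower()
    return None

def find_offsite_redirects(link, trusted=TRUSTED_HOSTS):
    """Return [(param, host)] where a trusted-host link points off-site."""
    outer_host = _url_host(link)
    if outer_host not in trusted:
        return []
    hits = []
    for name, value in parse_qsl(urlsplit(link).query, keep_blank_values=True):
        host = _url_host(_decode(value))
        same_site = host == outer_host or (host or "").endswith("." + outer_host)
        if host and not same_site:
            hits.append((name, host))
    return hits

if __name__ == "__main__":
    for link in SAMPLES:
        print(find_offsite_redirects(link), link)
```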
Phishing-as-a-Service and Security Implications
This campaign also showcases an emerging concept: Phishing-as-a-Service. EvilProxy is a phishing platform that uses reverse proxies to facilitate communication and relay user details between the attack victim and a genuine online service such as Microsoft. The user, believing they are accessing their own account, unknowingly hands over their authentication cookies to the threat actors behind the phishing site. Because the user has completed the necessary multi-factor authentication (MFA) steps during login, these cookies allow the cybercriminals full access to the victim's account.
In light of previous warnings about EvilProxy campaigns from security firms such as Proofpoint, it is becoming apparent that the use of reverse proxy kits for phishing is growing. Combined with open redirects, this tactic not only increases the success rate of a phishing campaign but also shows that phishing attacks are growing in sophistication, warranting increased vigilance when it comes to online security.