What is Phishing?
Phishing is one of the most common techniques for internet fraud. This method of attack is designed to obtain sensitive information from users, usually through a fake website or email.
Phishing attacks are carried out using fake emails or websites that appear to be sent to users by an official or familiar-looking organization or person. These fake emails or websites ask users to provide personal information (e.g. usernames, passwords, credit card details, etc.) or to click on a link or open a file attachment that is used to access more information.
Phishing attacks are often designed to trigger anxiety or emotional responses from the targeted individuals. For example, a fake bank email may contain an alarming message that their account has been hacked or that their account details need to be updated. Such messages can encourage users to panic and rush to provide the desired response.
What is Open Redirect Vulnerability?
The Open Redirect is a vulnerability that can affect web applications. This vulnerability allows attackers to redirect users to malicious websites. The vulnerability is caused by a parameter in a web application not being validated. If it is exploited, it could result in users’ information being stolen or malware being downloaded.
Impact of Open Redirect Vulnerability on Phishing Attacks
To increase the possibility of victims clicking on links, some threat actors may use the open redirect vulnerability in trusted/recognized websites to provide redirects to their malicious website and increase the rate at which victims click on the link.
Using the Proxy Method in Phishing Attacks!
A proxy phishing is a method of attack that aims to make you visit a malicious link through trusted/reputable websites.
Threat actors continue to look for ways to bypass advanced cybersecurity products and hardened systems. Cyberthint analysts have recently observed the use of proxies by threat actors to evade security products and make phishing attacks harder to detect.
For phishing attacks based on this proxy method, it is most commonly done by abusing the open redirect feature of services such as Google Translate and Bing. In addition, an open redirect vulnerability detected on a target company’s website is also used to conduct phishing attacks that are highly credible and focused on circumventing email security products and systems.
Below are some examples of proxy phishing attacks detected on Cyberthint email honeypot systems.
Case 1 – Google Translate
The incoming email appears to be a SharePoint share. When the “View Document” link was analyzed, it was found that the threat actor used Google Translate‘s “Websites” translation feature to disguise the malicious website. The opened phishing page:
Case 2 – Bing
The threat actor sends an email with the subject line “Mailbox Deactivation Detected“, which appears to be sent by Microsoft, in order to panic its targets into clicking the “Cancel Request” button. A preview of the link in the email shows that it points to bing.com.
When the link is opened, it redirects us to bing.com and Bing redirects us to a phishing page.
P.S.
In addition, “lnkd.in”, “bit.ly”, “goo.gl” can also be used, except for Google Translate and Bing.
Recommendations
To guard against these attacks, security professionals can do the following:
- Always hover over URLs to ensure the destination is legitimate
- Be sure to pay attention to grammar, spelling and factual inconsistencies within an email
- If ever unsure about an email, ask the original sender
- On the SIEM product in use, it would be useful to write an alarm rule that includes links to web services that can be abused as proxies (e.g. “translate.goog”) and regularly check the logs that are caught by the rule.
