Phishing Campaign Exploits Open Redirection Vulnerability In ‘Indeed.com’

By Brett Raybould, EMEA Solutions Architect, Menlo Security 

Phishing remains one of the most prevalent challenges facing organisations, with more than three billion malicious emails estimated to be sent around the world every day.

No-one is immune to the threat of phishing. From aeronautics firms, major banks, and pharmaceutical companies to household brands like Facebook, Google and Sony Pictures, enterprises of all shapes and sizes have fallen victim to the world’s most common cyber threat in recent years. In fact, owing to the prevalence of the problem, Verizon’s 2023 Data Breach Investigations Report estimates that more than a third (36%) of all data breaches involve phishing.

Of course, it’s not just the sheer volume of attacks that is worrying. Concerns are more likely to focus on the heightening complexity of techniques that attackers are using. Phishing attacks are becoming alarmingly sophisticated.

From in-depth research of individuals and their interpersonal relations to the use of incredibly convincing spoofed social media profiles, threat actors are pulling out all the stops as they attempt to trick unsuspecting victims into clicking malicious links. We have heard recent accounts of cybercriminals dropping malicious links into zoom calls, while others are actively exploring the use of deepfake technologies, for example.

As a result, it is becoming harder and harder to discern attacks from genuine digital interactions, as has been demonstrated in another recent phishing campaign uncovered by the Menlo Labs team.

Analysing the Indeed. com attack chain

In July 2023, Menlo Security’s HEAT Shield detected and blocked a novel phishing attack that attempted to redirect unsuspecting users of the popular job listing site ‘Indeed.com’ to a phishing page impersonating Microsoft.

The attack chain began with victims receiving a phishing email that was delivered via a link that had been deceptively crafted to make the victim believe it had come from Indeed.com. Victims would then click on a link which would redirect them to a fake Microsoft Online login page where they were asked to enter their credentials.

The tactic that this campaign tapped into is known as open redirection, where an application either intentionally or unintentionally redirects users to an untrusted external domain. In this sense, threat actors were exploiting the highly trusted nature of ‘Indeed.com’ while redirecting targeted victims to a phishing site.

Critically, the spoofed page was deployed using a sophisticated phishing kit known as EvilProxy that can fetch content dynamically, doing so from the legitimate login site. The phishing site then acts as a reverse proxy, proxying the request to the actual website and enabling the attacker to intercept the legitimate server’s requests and responses.

With EvilProxy, the attacker is also able to steal session cookies, which can then be used to log in to the legitimate Microsoft Online site, impersonating the victims and bypassing non-phishing resistant multi-factor authentication (MFA) policies.

Combatting modern phishing threats

This attack chain is a prime example of an Adversary In The Middle (AiTM) phishing attack, harvesting session cookies to enable threat actors to bypass MFA protections.

In this instance, the Menlo Labs team saw that the threat actors largely focused on targeting executives in senior level roles across industries, such as banking and financial services, insurance providers, property management and real estate, and manufacturing. However, given that similar AiTM threats could be used to attack any business, organisations of all kinds need to check they are comprehensively protected.

Of course, awareness and training are the first port of call when combating phishing attacks – something that many organisations already know about and implement. According to one study, 84% of respondents conduct regular training to help staff understand phishing and reduce victimisation rates.

However, with threat actors becoming increasingly smart with their campaigns, it is important that firms go a step further, embracing a variety of policies, tools and technologies to develop multi-layered security strategies capable of bolstering defences against modern threats.

Here, we recommend technologies like HEAT Shield that can help protect users from credential harvesting and account compromise. Not only can it cut off the attack vector from the initial access stage, but also it can redefine the way in which security is implemented, enforcing a proactive approach to deal with such highly evasive threats.

In the case of the Indeed.com attack, the technology successfully detected the phishing site using AI-based detection models to analyse the rendered web page prior to any URL reputation service and other security vendor flagging the page as malicious. During this process, it also generates zero-hour phishing detection alerts, providing greater visibility and context of threats to security and SOC analysts.

The Indeed.com campaign is just one reminder among many of the importance of constantly evolving and enhancing security strategies to stay one step ahead of increasingly sophisticated threat techniques.

About the Author

Brett Raybould – EMEA Solutions Architect, Menlo Security. Brett is passionate about security and providing solutions to organisations looking to protect their most critical assets. Having worked for over 15 years for various tier 1 vendors who specialise in detection of inbound threats across web and email as well as data loss prevention, Brett joined Menlo Security in 2016 and discovered how isolation provides a new approach to solving the problems that detection-based systems continue to struggle with.