Threat actors have exploited an open redirection vulnerability in the popular job search platform Indeed to launch phishing attacks targeting senior executives in the US. The finding was reported by researchers at the cybersecurity firm Menlo Security. The phishing campaign primarily targeted executives in the banking, financial services, insurance, property management and real estate, and manufacturing sectors.
The phishing attacks were observed between July and August. The threat actors used the ‘EvilProxy’ phishing kit, which employs reverse proxy and cookie injection techniques to bypass two-factor authentication (2FA) by proxying the victim’s session. By exploiting the vulnerability on “indeed.com”, attackers redirected victims to phishing pages that impersonated Microsoft. These fake Microsoft Online login pages, built with the EvilProxy framework, dynamically fetched content from the legitimate login site.
The phishing site functioned as a reverse proxy, forwarding each request to the real website. This allowed the threat actors to intercept the requests and responses exchanged with the legitimate server and thereby steal session cookies. The attackers then used the stolen cookies to log in and take control of the victims’ accounts on the genuine Microsoft Online site, effectively bypassing any MFA that is not phishing-resistant.
Menlo Security’s report highlighted that in this specific attack, users believed they were being directed to “indeed.com” or its subdomains. However, they were redirected to phishing pages. The attackers hosted these phishing pages on nginx servers, which acted as reverse proxies.
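The root cause described above is a redirect endpoint that trusts a user-supplied destination. The following is an added example, not code from Indeed or from Menlo Security's report, contrasting that open-redirect pattern with a validator that only accepts same-site targets; the site host `example.com` and the parameter name `next` are assumptions for illustration.

```python
from urllib.parse import urlparse

# Assumed site hosts for this example (not Indeed's real configuration).
ALLOWED_HOSTS = {"example.com", "www.example.com"}
FALLBACK = "/"


def vulnerable_redirect_target(next_param: str) -> str:
    """The open-redirect pattern: the ?next= value is trusted as-is,
    so a link on the trusted domain can send the user anywhere."""
    return next_param


def safe_redirect_target(next_param: str) -> str:
    """Return a redirect target on this site, or FALLBACK.

    Accepts only (a) a site-relative path beginning with a single '/',
    or (b) an https URL whose host is on the allowlist. The result is
    rebuilt from parsed parts so no unexpected component passes through.
    """
    if not next_param or any(ord(c) < 0x20 for c in next_param):
        return FALLBACK  # empty, or contains control characters
    # Some browsers treat '/\host' like '//host', so normalise first.
    candidate = next_param.replace("\\", "/")
    parsed = urlparse(candidate)
    path = parsed.path or "/"
    query = "?" + parsed.query if parsed.query else ""
    if not parsed.scheme and not parsed.netloc:
        # Relative target: exactly one leading slash, never '//host'.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return path + query
        return FALLBACK
    try:
        port = parsed.port  # raises ValueError on a malformed port
    except ValueError:
        return FALLBACK
    # Absolute target: https only, allowlisted host, no userinfo or port
    # (rejects 'https://example.com@attacker.example' style tricks).
    if (parsed.scheme == "https" and parsed.hostname in ALLOWED_HOSTS
            and parsed.username is None and port is None):
        return f"https://{parsed.hostname}{path}{query}"
    return FALLBACK


if __name__ == "__main__":
    for value in ["/jobs?q=engineer", "//attacker.example/login",
                  "https://example.com@attacker.example/"]:
        print(f"{value!r} -> {safe_redirect_target(value)!r}")
```

Rebuilding the result from parsed components, rather than echoing the input after a check, is what keeps host-confusion and scheme tricks from surviving validation.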
After discovering this vulnerability, Menlo Security promptly shared its findings with Indeed. The researchers anticipate a potential surge in the usage of the ‘EvilProxy’ phishing kit, given its effectiveness in these attacks.
Source: Securityaffairs
To mitigate potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA www.infrascan.net, or you can try it yourself using check.website.