U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Phishing campaign targeted US executives exploiting a flaw in Indeed job search platform

Threat actors exploited an open redirection vulnerability in the job search platform Indeed to carry out phishing attacks. Researchers from the cybersecurity firm Menlo Security reported that threat actors exploited an open redirection vulnerability in the job search platform Indeed in phishing attacks. The phishing attacks were aimed at senior executives across various industries, primarily […]

indeed phishing

Threat actors exploited an open redirection vulnerability in the job search platform Indeed to carry out phishing attacks.

Researchers from the cybersecurity firm Menlo Security reported that threat actors exploited an open redirection vulnerability in the job search platform Indeed in phishing attacks.

The phishing attacks were aimed at senior executives across various industries, primarily in Banking, Financial, Insurance, Property Management and Real Estate, and Manufacturing sectors.

The campaign was observed between July and August, threat actors used the phishing kit ‘EvilProxy.’ EvilProxy actors are using Reverse Proxy and Cookie Injection methods to bypass 2FA authentication – proxyfying victim’s session.

The attackers exploited the open redirection vulnerability on “indeed.com” to redirect victims to phishing pages impersonating Microsoft.

The fake Microsoft Online login page is deployed with the EvilProxy framework fetching all the content dynamically from the legitimate login site.

indeed phishing

The phishing site acts as a reverse proxy, proxying the request to the actual website. Thereat actors are able to intercept the legitimate server’s requests & responses and steal the session cookies. Then the cookies are used by the attackers to login to take over the victims’ account on the legitimate Microsoft Online site, bypassing non-phishing resistant MFA.

“In this specific attack, the user clicks on a URL believing that they are being directed to indeed.com or another of its subdomains. The subdomain ‘t.indeed.com’ is supplied with parameters to redirect the client to another target (example.com) as shown in the example below.” states the report from Menlo Security. “The parameters in the URL that follow the “?” are a combination of parameters unique to indeed.com and the target parameter whose argument consists of the destination URL. Hence the user upon clicking the URL ends up getting redirected to example.com. In an actual attack, the user would be redirected to a phishing page.”

The attackers used the subdomain ‘lmo.’ and hosted the phishing pages on nginx servers that were used as reverse proxies.

“The phishing pages were found to be hosted on nginx servers capable of acting as a reverse proxy. The reverse proxy fetches all the content that can be dynamically generated like the login pages and then acts as the adversary in the middle by intercepting the requests and responses between the victim and the legitimate site.” continues the report. “This helps in harvesting the session cookies and this tactic can be attributed to the usage of EvilProxy Phishing kit.”

Menlo Security shared its findings with Indeed, the researchers conclude that there is a high probability that we can see a surge in the usage of ‘EvilProxy.’

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, phishing)