EvilProxy phishes for executives.
By Tim Nodar, CyberWire senior staff writer
Oct 4, 2023

Open redirects from a job listing site cast a net for the C-suite.

Researchers at Menlo Security warn that a phishing campaign is exploiting an open-redirect vulnerability on the job listing site Indeed to distribute a link to a spoofed Microsoft login page. The campaign is targeting C-suite employees in various industries, particularly banking and financial services, insurance, property management and real estate, and manufacturing. The threat actors are using the EvilProxy phishing-as-a-service platform.

No panacea against phishing.

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, warns specifically against the threat of open redirects. “Open redirects are among the most tricky tricks that social engineering hackers can deploy,” he says, explaining why they are particularly dangerous: “We tell our end users to always hover over a URL and to make sure it goes to a legitimate domain before clicking on it. But with these types of open-redirects, the originating URL DOES point to a legitimate URL. Technically, the only defense is for every website and service to make sure they aren't implementing a ‘feature’ that allows malicious redirects. Education-wise, you must tell users that not only must they inspect URLs before they click them, but to re-examine the URL after they click them to see where they ended up. With a malicious open redirect, the final destination will not be a legitimate one. So, in short, all users must check all URLs before clicking on them AND AFTER clicking on them. It's not enough just to examine before clicking.”
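The server-side defense Grimes describes, shown as an added example that is not from the article, Menlo Security, or Indeed: a redirect handler that only forwards to same-site paths or to an explicit allowlist of hosts. The host names, the fallback path, and the function name are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the only hosts this hypothetical site will ever redirect to.
ALLOWED_HOSTS = {"jobs.example", "www.jobs.example"}
FALLBACK = "/"  # where rejected redirects land instead


def safe_redirect_target(raw, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return `raw` if it is a same-site path or an allowlisted https URL,
    otherwise return `fallback`."""
    if not raw or len(raw) > 2048 or raw != raw.strip():
        return fallback
    # Browsers drop control characters and treat "\" like "/", so a value
    # such as "/\host" can leave the site even though it looks like a path.
    if any(ord(ch) < 0x20 or ch == "\\" for ch in raw):
        return fallback
    try:
        parts = urlsplit(raw)
    except ValueError:  # malformed authority, e.g. an unclosed IPv6 bracket
        return fallback

    # Same-site path: exactly one leading "/" ("//host" is scheme-relative).
    if not parts.scheme and not parts.netloc:
        if raw.startswith("/") and not raw.startswith("//"):
            return raw
        return fallback

    # Absolute URL: https only, no userinfo ("https://trusted@other/"),
    # and an exact host match rather than a prefix or substring match.
    if parts.scheme != "https":
        return fallback
    if parts.username is not None or parts.password is not None:
        return fallback
    host = (parts.hostname or "").lower().rstrip(".")
    return raw if host in allowed_hosts else fallback
```

Exact matching on the parsed host is the point: checks such as "starts with the site name" or "contains the site name" pass look-alike hosts and userinfo tricks that this function rejects.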

Dror Liwer, co-founder of cybersecurity company Coro, advocates using security measures in an integrated, organized fashion. “Cybersecurity architectures made up of many products that each focus on a specific threat or domain fail to detect and prevent cross domain attacks such as this,” Liwer wrote in emailed comments. “While MFA [multifactor authentication] should be mandatory, it’s not a silver bullet, and like every defense mechanism, it creates a false sense of security. We need to look more broadly at cybersecurity and make sure products not only co-exist, but rather cooperate and inform each other.”