Make-Shift Brand Impersonation: Abusing Trusted Domains with Open Redirects



A KnowBe4 Threat Lab publication
Authors: Daniel Netto, Jeewan Singh Jalal, Anand Bodke, and Martin Kraemer

Executive Summary
Attackers exploit redirects that lack safeguarding mechanisms to borrow the domain reputation of the redirect service, obfuscate the actual destination and exploit trust in known sources.

Whitelisting URLs, i.e. only allowing redirection to a predefined set of URLs, is an effective server-side countermeasure against this vulnerability. However, not every web service implements it.

KnowBe4 Threat Lab recently observed a campaign that exploited this vulnerability, luring users into clicking malicious links, opening attachments or delivering JavaScript payloads. The campaign is a timely reminder that technical defenses alone are not enough to protect an organization. Employee participation in spotting and reporting fraudulent or malicious activity is key.

Attackers continuously develop new tactics, techniques and procedures to bypass email security solutions and penetrate employee inboxes. Well-guarded organizations leverage open-source, machine and human intelligence to improve the security of their email gateways. Cyber resilient organizations also train their users to resist social engineering attacks by spotting red flags and by exercising emotional intelligence and critical thinking.

Background
Hiding malicious URLs behind redirects also allows attackers to evade URL rewriting services which often are part of secure email gateways (SEG). URL rewriting checks URLs against a database of known malicious URLs. Since the actual destination can be obfuscated by the URL redirect, fraudulent links land in people’s inboxes. While dynamic URL analysis at the point of click exists, not everyone might be using it.

People are also notoriously bad at reading URLs, strongly biased towards the name appearing in the URL. It is hard for individuals to tell the fake website apart from the original by looking at the URL only. Besides, people are not necessarily paying attention to the URL in the first place. This reality is a strong motivator for employee training. People must be made aware of what URL rewriting is, how it is exploited and why attackers are using the approach increasingly.

In Numbers
A sophisticated phishing campaign has recently come to light, primarily targeting organizations in the finance and healthcare sectors. The campaign, observed from October 2nd to 3rd, 2024, has raised concerns about the evolving tactics used by cybercriminals to compromise sensitive information.

Campaign Overview

  • Duration: Oct. 2-3, 2024
  • Total Reported Emails: 173
  • Primary Targets: Finance and healthcare sectors
  • Geographic Focus: United States (90% of cases)

Key Findings
The campaign employed a variety of payload types, with the critical technique being the exploitation of an open redirect vulnerability (CWE-601). This vulnerability was used to lure users into clicking on malicious phishing links. Here's a breakdown of the observed payload delivery methods:

  1. HTML Attachments: The most common method, with 27 instances of HTML attachments redirecting to phishing landing pages

  2. PDF Files with QR Codes: Four instances were reported where PDF files containing QR codes were used to direct victims to malicious sites

  3. Abuse of Legitimate URLs: In four cases, attackers manipulated legitimate URLs to deceive targets

  4. Hidden JavaScript: Some emails contained hidden JavaScript within the email body, making detection more challenging

  5. Fake Microsoft Teams Notifications: Attackers imitated MS Teams notifications to exploit users' trust in familiar platforms

Technical Details
URL rewriting was designed as an email security feature to protect users from malicious links embedded in emails. At its core, the feature replaces original URLs with modified links so that requests go to the vendor’s servers first. The link is scanned for threats and, if considered safe, the user is redirected to the content; if not, the request is blocked. However, this feature is now regularly exploited by attackers to hide malicious links (see Figure 1b).

Figure 1b: Hyperlink observed for the “View Here” link
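The two passages above (the SEG discussion in the Background and the URL-rewriting description here) describe links that pass through one or more redirect layers before reaching their real destination. The following is an added example, not code from the KnowBe4 article or from any email security product: a static, offline unwrapper that walks redirect-style query parameters (url=, u=, redirect=, ...) without ever fetching the link, so an analyst or a filter can see where a rewritten or redirect-wrapped link actually points. The parameter list and every host name in the sample are assumptions chosen for illustration.

```python
"""Statically unwrap redirect-wrapped links to expose their real destination.

Added example, not code from the KnowBe4 article: it never fetches the link,
it only walks redirect-style query parameters (url=, u=, redirect=, ...) so an
analyst or a mail filter can see where a rewritten or redirect-wrapped link
actually points.  The parameter list and every host name below are assumptions
chosen for illustration.
"""
from typing import List, Optional, Set
from urllib.parse import parse_qs, quote, urlsplit

# Parameter names that redirect endpoints commonly read the target from (assumed).
REDIRECT_PARAMS = ("url", "u", "redirect", "redirect_url", "redirect_uri",
                   "target", "dest", "destination", "next", "goto", "link", "return")


def _embedded_target(url: str) -> Optional[str]:
    """Return the first absolute http(s) URL carried in a redirect-style parameter."""
    query = parse_qs(urlsplit(url).query)          # decodes one layer of %-encoding
    for name in REDIRECT_PARAMS:
        for value in query.get(name, []):
            inner = urlsplit(value)
            if inner.scheme in ("http", "https") and inner.netloc:
                return value
    return None


def unwrap_redirects(url: str, max_depth: int = 5) -> List[str]:
    """Return the hop chain, outermost link first, ending at the last unwrappable hop."""
    chain = [url]
    for _ in range(max_depth):
        nxt = _embedded_target(chain[-1])
        if nxt is None or nxt in chain:            # leaf reached, or a redirect loop
            break
        chain.append(nxt)
    return chain


def final_host(url: str) -> str:
    """Host name of the last hop, which is what the user's browser will really load."""
    return urlsplit(unwrap_redirects(url)[-1]).hostname or ""


def borrows_reputation(url: str, trusted_hosts: Set[str]) -> bool:
    """True when a trusted host is an intermediate hop but the final hop is not trusted.

    This is the pattern the article describes: the link appears to go to a
    reputable service, yet that service only forwards the user elsewhere.
    """
    hosts = [urlsplit(u).hostname or "" for u in unwrap_redirects(url)]
    return (len(hosts) > 1
            and any(h in trusted_hosts for h in hosts[:-1])
            and hosts[-1] not in trusted_hosts)


# Constructed sample (not a real campaign URL): a phishing page wrapped by an open
# redirect on a "trusted" service, which is in turn wrapped by an SEG-style rewriter.
PHISH = "https://login-example-phish.test/auth"
OPEN_REDIRECT = "https://open-redirect.trusted-service.test/out?url=" + quote(PHISH, safe="")
REWRITTEN = "https://rewrite.example-seg.test/click?u=" + quote(OPEN_REDIRECT, safe="")
TRUSTED = {"rewrite.example-seg.test", "open-redirect.trusted-service.test"}

if __name__ == "__main__":
    for hop in unwrap_redirects(REWRITTEN):
        print("->", hop)
    print("final host:", final_host(REWRITTEN))
    print("borrows reputation:", borrows_reputation(REWRITTEN, TRUSTED))
```

Running the block prints the three hops and ends at login-example-phish.test, which is the host a reputation check should score rather than the rewriter or the redirect service in front of it. The limitation is the one the Background section hints at: this only works when the destination is carried in the link itself. A redirect keyed on an opaque token is invisible to static unwrapping and needs analysis at the point of click.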

Key Campaign Characteristics
The campaign started on Oct. 2, 2024, around 11:30 p.m. UTC, and the emails sent to various organizations had the following characteristics:

  • From: info@transactional.beckermedia.net
  • From name: The display names were different for most of the reported emails.
  • Email body: Each organization received unique email templates, all containing an initial URL that used an open redirect vulnerability (CWE-601) to send users to the final phishing landing page.
  • Subject: Subjects were also unique to each organization and its sender.
  • The techniques the attacker used in the emails were the exploitation of open redirects via legitimate web services and the compromise of trusted domains of legitimate businesses.
  • As per CWE, CWE-601: URL Redirection to Untrusted Site ('Open Redirect') is the weakness the attacker exploited. It commonly arises because the web service developer has not properly validated the supplied input.
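The CWE-601 description above and the whitelisting countermeasure named in the Executive Summary can be shown side by side. The following is an added example, not code from the KnowBe4 article or from any service it names: a redirect handler that passes the client-supplied target straight through (the weakness), next to an allowlist-validated version. The functions return the value a handler would place in its Location header, so no web framework is needed to run them; the allowlisted host names are assumptions chosen for illustration.

```python
"""Open redirect (CWE-601) handler beside an allowlist-validated version.

Added example, not code from the KnowBe4 article or from any product it names.
The functions compute the value a web handler would put in its Location header;
no web framework is needed to run them.  Host names are assumptions chosen for
illustration.
"""
from urllib.parse import urlsplit

# Destinations this service is allowed to redirect to (assumed allowlist).
ALLOWED_HOSTS = {"www.example-service.test", "help.example-service.test"}
FALLBACK = "https://www.example-service.test/"


def redirect_location_unsafe(target: str) -> str:
    """The CWE-601 pattern: the client-supplied value becomes the Location header unchanged.

    Anyone who can craft a link to this endpoint can send users anywhere while
    the link itself shows this service's domain.
    """
    return target


def redirect_location_safe(target: str, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK) -> str:
    """Allowlist-validated redirect.

    Returns the target only if it is a site-relative path or an https URL whose
    host is on the allowlist; every other input yields the fallback page.
    """
    if not target:
        return fallback
    # Browsers treat backslashes like slashes; normalise so "/\evil" cannot slip past.
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)

    # Site-relative path such as "/account": keep it, but refuse "//host/..." which
    # browsers resolve as a scheme-relative absolute URL to another host.
    if not parts.scheme and not parts.netloc:
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return fallback

    # Absolute URL: require https, no embedded credentials ("trusted@evil"),
    # a sane port, and an exact host match (no suffix tricks like trusted.evil).
    if parts.scheme != "https":
        return fallback
    try:
        port = parts.port
    except ValueError:          # non-numeric or malformed port
        return fallback
    if parts.username or parts.password or port not in (None, 443):
        return fallback
    if (parts.hostname or "").lower() not in allowed_hosts:
        return fallback
    return candidate


if __name__ == "__main__":
    # Constructed inputs, not values from the campaign.
    for t in ("https://help.example-service.test/faq", "/account",
              "https://login-example-phish.test/auth", "//login-example-phish.test/auth",
              "https://www.example-service.test@login-example-phish.test/"):
        print(f"{t!r:70} unsafe -> {redirect_location_unsafe(t)!r:45} safe -> {redirect_location_safe(t)!r}")
```

The design choice worth noting is exact host matching against a small set rather than a substring or prefix check: a prefix check on the trusted domain name is exactly what a host such as trusted.example.attacker-controlled would defeat, and the credential and scheme-relative cases are the usual bypasses for validators that only look at the start of the string.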

Tactics
Threat actors prefer compromising legitimate businesses for their campaigns due to:

  • Established domain reputation and age
  • Hesitation to block legitimate domains, avoiding business disruption
  • Ability to bypass security scanners relying on domain reputation
  • Complicating investigations by obscuring the attack's origin
  • Good reputation and whitelisting across a majority of security vendors
  • Ability to bypass email security gateways until reported
  • Quick account creation with minimal verification
  • Higher click rates compared to attacker-owned infrastructure
  • Anonymity, as investigations often stop at these legitimate services

Recommendations
This campaign demonstrates the ongoing evolution of phishing tactics, combining various techniques to increase the chances of success. Organizations, especially those in the finance and healthcare sectors, should consider the following recommendations, with a critical focus on managing human risk:

  1. Prioritize human risk management:

    • Implement comprehensive and ongoing security awareness training programs

    • Conduct regular phishing simulations to test and improve employee vigilance

    • Encourage a culture of security where employees feel comfortable reporting suspicious activities

  2. Enhance email filtering systems to detect and quarantine suspicious attachments and links

  3. Implement multifactor authentication across all systems

  4. Regularly update and patch systems to address vulnerabilities like open redirect

  5. Be cautious of unexpected notifications, even from seemingly legitimate sources like Microsoft Teams

  6. Establish clear protocols for verifying unexpected requests, especially those involving financial transactions or sensitive information

  7. Maintain open lines of communication between IT security teams and employees to quickly disseminate information about new threats

Educating and training your workforce stands out as the most critical defense against sophisticated phishing attempts. While technical solutions are crucial, an alert and well-informed workforce can significantly reduce the risk of successful attacks. Regular training, combined with real-world simulations, empowers your workforce to make smart security decisions every day.

About the Threat Lab
KnowBe4 Threat Labs specializes in researching and mitigating email threats and phishing attacks, utilizing a combination of expert analysis and crowdsourced intelligence. The team of seasoned cybersecurity professionals investigates the latest phishing techniques and develops strategies to preemptively combat these threats.

By harnessing insights from a global network of participating customers, KnowBe4 Threat Labs delivers comprehensive recommendations and timely updates, empowering organizations to protect against and respond to sophisticated email-based attacks. The Threat Labs are KnowBe4’s commitment to innovation and expertise, ensuring robust defenses against the ever-evolving landscape of cyber threats.


Discover dangerous look-alike domains that could be used against you! 

Since look-alike domains are a dangerous vector for phishing attacks, it's top priority that you monitor for potentially harmful domains that can spoof your domain.

Our Domain Doppelgänger tool makes it easy for you to identify your potential "evil domain twins" and combines the search, discovery, reporting, risk indicators, and end-user assessment with training so you can take action now.

Here's how it's done:

  • Get detailed results of look-alike domains found similar to your primary email domain
  • You can now quiz your users with your look-alike results
  • Get a summary PDF that contains an overview of the look-alike domains and associated risk levels discovered during the analysis
  • It only takes a few minutes to discover your “evil domain twins”!

Find Your Look-Alike Domains!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://www.knowbe4.com/domain-doppelganger
