On 14 February 2023, CloudSEK’s Threat Intelligence Team discovered a URL in which an open redirect vulnerability was being exploited to send the victim to a phishing page imitating the login of an entity belonging to the government of Qatar. The login form was pre-set, by default, to a domain belonging to the Qatar government, indicating the target of the attack. The phishing page, hosted on a website reached through the ipfs[.]io gateway (see below), had a substandard design that only loosely attempted to trick the victim into entering credentials.
Open Redirect Vulnerability:
An open redirect vulnerability arises when a web application redirects the browser to a destination taken from user-controllable input (typically a query parameter such as ?url= or ?next=) without validating that destination against an allow-list. This helps attackers reach more victims: the link they distribute points at a trusted website, so victims are likely to click it, and they are then redirected, without noticing, to content hosted by the attacker.
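As an added example (not code from the CloudSEK report or from any of the sites it describes), here is the vulnerable pattern beside a hardened version in Python: a hypothetical redirect handler that takes its destination from a ?next= parameter. The trusted host name www.example-trusted.com, the function names and the CID in the attacker inputs are all assumptions constructed for the example; the inputs cover the bypasses that typically defeat naive "starts with /" or "contains our domain" checks.

```python
from urllib.parse import urlparse

# Assumed host of the application issuing the redirect (not from the report).
TRUSTED_HOST = "www.example-trusted.com"


def redirect_target_vulnerable(next_param: str) -> str:
    """The vulnerable pattern: whatever arrives in ?next= becomes the Location
    header, so https://trusted/redirect?next=https://ipfs.io/ipfs/<cid> sends the
    victim to attacker-controlled content behind a trusted-looking link."""
    return next_param


def redirect_target_hardened(next_param: str, trusted_host: str = TRUSTED_HOST) -> str:
    """Return a Location value that can only land on trusted_host.

    Accepts (a) an absolute path such as /account?tab=1 or (b) an https URL whose
    host is exactly trusted_host; everything else falls back to the site root."""
    fallback = "/"
    if not next_param:
        return fallback
    # CR/LF or other control characters would allow response-header injection.
    if any(ord(c) < 0x20 or c == "\x7f" for c in next_param):
        return fallback
    # Browsers treat a backslash like a forward slash, so "/\evil.com" is really
    # "//evil.com"; normalise before parsing.
    candidate = next_param.replace("\\", "/")
    # Scheme-relative URLs ("//evil.com", "///evil.com") change the host.
    if candidate.startswith("//"):
        return fallback
    parsed = urlparse(candidate)
    if parsed.scheme:
        # Absolute URL (also catches javascript:, data:, and "https:evil.com").
        # .hostname ignores userinfo, so "https://trusted@evil.com" yields evil.com,
        # and an exact comparison defeats "trusted.com.evil.com".
        if parsed.scheme != "https" or (parsed.hostname or "").lower() != trusted_host.lower():
            return fallback
        path = parsed.path or "/"
    elif parsed.netloc or not candidate.startswith("/"):
        return fallback
    else:
        path = parsed.path
    # Re-emit only path and query so userinfo, port or fragment chosen by the
    # attacker never reach the Location header.
    return path + (f"?{parsed.query}" if parsed.query else "")


# Constructed attacker inputs exercising the usual bypass tricks (the CID is made up).
BYPASS_ATTEMPTS = [
    "https://ipfs.io/ipfs/QmZ9PhqNMt3g8sCd4T2rTYv7XQ1fWyBkXw6tJ3L4aEhU2K/",
    "//evil.example/",
    "///evil.example/",
    "/\\evil.example/",
    "https://www.example-trusted.com@evil.example/",
    "https://www.example-trusted.com.evil.example/",
    "https:evil.example",
    "javascript:alert(1)",
    "/login\r\nSet-Cookie: sid=attacker",
]


def compare(inputs=BYPASS_ATTEMPTS) -> dict:
    """Map each input to (vulnerable result, hardened result)."""
    return {i: (redirect_target_vulnerable(i), redirect_target_hardened(i)) for i in inputs}


if __name__ == "__main__":
    for value, (vuln, safe) in compare().items():
        print(f"{value!r:58} vulnerable -> {vuln!r:58} hardened -> {safe!r}")
```

The hardened function deliberately returns only a path, never the attacker's full string: even when an absolute URL on the trusted host is accepted, the port, userinfo and fragment are dropped. If the application genuinely needs to redirect to other hosts, replace the exact host comparison with an explicit allow-list of hosts rather than a substring or prefix test.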
Upon entering credentials, the page displays an error stating that invalid credentials were entered. Inspecting the browser's Network requests, however, showed a POST request carrying the entered credentials to a URL on the domain of a Californian bank, which answered with a 302 redirect; the credentials were thus forwarded to that URL. (For more information, please refer to the Appendix.)
Analysis of the initial domain that redirected to the phishing URL showed that a vulnerability in one of its URLs can be used to redirect to any domain the attacker chooses. Multiple instances of this exploitation were found on the domain.
To Note:
A domain belonging to a Swiss manufacturer of floor coverings was found to have this vulnerability, and it was used to redirect victims to the phishing page impersonating the Qatar government entity targeted by the attackers.
As of today, the vulnerability and the phishing page are still active.
This was likely done to evade detection, both by victims inspecting the link and by browsers and search engines flagging known phishing hosts. Phishing URLs starting with ipfs[.]io are known to have been widely used by threat actors in the past, so a bare ipfs[.]io link is liable to trigger phishing alerts; by routing the victim through an open redirect on a trusted domain, the threat actors hide the ipfs[.]io URL behind a reputable one. (For more information, please refer to the Appendix.)
The InterPlanetary File System (IPFS) is a protocol for peer-to-peer storage and retrieval of content through a distributed file system. Hosting and access are free, and anyone who knows a content identifier (CID) can retrieve the corresponding content, for instance through a public HTTP gateway such as ipfs[.]io. IPFS encrypts transport between peers, but the CID is derived from the content itself and is not a secret, so the content is available to anyone holding the link; because it is replicated across peers and served by third-party gateways, a phishing page on IPFS is also harder to take down than one on conventional hosting. Based on analysis from October 2022 until the time of writing, ipfs[.]io had been used in over 761 phishing URLs.
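As an added detection example (not code from the CloudSEK report), the following Python scans web-server access logs of a site that exposes a redirect endpoint, flags requests whose redirect parameter points off-site, and singles out targets on public IPFS gateways, extracting the CID so it can be blocked or pivoted on. The log lines, both CIDs, the site's own host name, the gateway list (ipfs[.]io is named in the report; the others are assumed) and the redirect parameter names are all constructed or assumed for this example.

```python
import re
from urllib.parse import urlparse, parse_qsl

# Public IPFS HTTP gateways to flag (assumed starting list; extend as needed).
IPFS_GATEWAYS = {"ipfs.io", "dweb.link", "cloudflare-ipfs.com", "gateway.pinata.cloud"}

# Query-parameter names commonly used to carry redirect targets (assumption).
REDIRECT_PARAMS = {"url", "redirect", "redirect_url", "redirect_uri", "next", "return",
                   "returnurl", "goto", "dest", "destination", "target", "u", "r"}

# CIDv0 (base58btc, "Qm" + 44 chars) or CIDv1 in lowercase base32 ("baf...").
CID_RE = re.compile(r"^(Qm[1-9A-HJ-NP-Za-km-z]{44}|baf[a-z2-7]{50,})$")

# Apache/Nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def ipfs_cid_from_url(url: str):
    """Return the CID when url points at IPFS content via a path gateway
    (https://gw/ipfs/<cid>/...) or a subdomain gateway (https://<cid>.ipfs.gw/...)."""
    parsed = urlparse(url)
    m = re.match(r"^/ipfs/([^/?#]+)", parsed.path)
    if m and CID_RE.match(m.group(1)):
        return m.group(1)
    # Subdomain gateways use lowercase base32 CIDv1 because DNS is case-insensitive;
    # .hostname lowercases, which is why only the "baf..." branch can match here.
    labels = (parsed.hostname or "").split(".")
    if len(labels) >= 3 and labels[1] == "ipfs" and CID_RE.match(labels[0]):
        return labels[0]
    return None


def absolute_target(value: str):
    """Normalise a redirect-parameter value to an absolute URL, or None when it is
    a same-site relative path. Bare 'host/path' values are treated as hosts."""
    if value.startswith(("http://", "https://", "//")):
        return value
    head = value.split("/", 1)[0]
    return "//" + value if "." in head else None


def scan_log(lines, own_host: str):
    """Yield one finding per request whose redirect parameter leaves own_host."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        req = urlparse(m.group("target"))
        # parse_qsl percent-decodes, so "https%3A%2F%2Fipfs.io..." becomes a URL.
        for name, value in parse_qsl(req.query, keep_blank_values=True):
            if name.lower() not in REDIRECT_PARAMS:
                continue
            target = absolute_target(value)
            if target is None:
                continue
            host = (urlparse(target).hostname or "").lower()
            if not host or host == own_host.lower():
                continue
            cid = ipfs_cid_from_url(target)
            on_gateway = host in IPFS_GATEWAYS or any(host.endswith("." + g) for g in IPFS_GATEWAYS)
            findings.append({
                "ip": m.group("ip"), "ts": m.group("ts"), "endpoint": req.path,
                "param": name, "target_host": host, "cid": cid,
                "verdict": "ipfs-gateway-redirect" if (cid or on_gateway) else "external-redirect",
            })
    return findings


# Constructed access-log lines (RFC 5737 addresses, made-up CIDs and hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Feb/2023:10:01:02 +0000] "GET /redirect?url=/account/home HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [14/Feb/2023:10:03:41 +0000] "GET /redirect?url=https%3A%2F%2Fipfs.io%2Fipfs%2FQmZ9PhqNMt3g8sCd4T2rTYv7XQ1fWyBkXw6tJ3L4aEhU2K%2Flogin.html HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [14/Feb/2023:10:05:09 +0000] "GET /go?u=https://bafybeicaqwertyuiopasdfghjklzxcvbnm234567abcdefghijklmnopqrs.ipfs.dweb.link/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [14/Feb/2023:10:07:15 +0000] "GET /redirect?url=//phish.example/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Feb/2023:10:08:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG, "www.example-trusted.com"):
        print(finding)
```

Run against the site's own logs, every "external-redirect" finding is evidence that the endpoint is being used as an open redirect, and every "ipfs-gateway-redirect" finding gives a CID that can be submitted for takedown to the gateway operator and added to URL blocklists. The same parsing applies to proxy logs on the victim side, where the interesting signal is an outbound request to a trusted domain immediately followed by one to an IPFS gateway.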