Actors Exploit Open Redirect Vulnerability to Host Phishing Pages Targeting Government Entities in Qatar

CloudSEK’s Threat Intelligence Team discovered an URL, wherein an open redirection vulnerability was exploited to direct the victim to a login page of an entity belonging to the government of Qatar.
Updated on
April 19, 2023
Published on
March 7, 2023
Subscribe to the latest industry news, threats and resources.
  • Category: Adversary Intelligence
  • Industry: Government
  • Motivation: Fraud Campaigns
  • Region: Middle East
  • Source*D - Fairly Reliable; 4 - Probably true

Executive Summary


  • A furniture selling website redirected to a phishing page targeting an entity belonging to Qatar’s government.
  • The website required the targeted victim to enter a password to the targeted entity.


  • Getting access to the credentials of the targeted email can lead to potential access and exploitation of websites, and tenders. 
  • The same email is for developers contact, implying all files hosted on the website and for NAS accounts.


  • Monitor for anomalies in user accounts, which could indicate possible account takeovers.
  • Audit/monitor event & incident logs to identify unusual patterns/behaviors.
  • Check for emails/messages originating from spam/suspicious sources.
Phishing page used to target a government entity in Qatar

Analysis of the Phishing Page

On 14 February 2023, CloudSEK’s Threat Intelligence Team discovered an URL, wherein an open redirection vulnerability was exploited to direct the victim to a login page of an entity belonging to the government of Qatar. The login was by default set to a domain belonging to the Qatar government, indicating the target of the attack. The phishing page had a substandard design loosely trying to trick a victim into entering credentials, hosted on the website.

Open Redirect Vulnerability: 

Open redirect vulnerability arises when an URL redirects to an arbitrary unsafe website, through user input data. This helps the attackers to target more victims since they’re likely to click the links of trusted websites, unknowingly being redirected to the attacker's hosted content. 

Upon entering the credentials, the website displays an error indicating invalid credentials are entered. However, by inspecting the Network requests, a 302 POST request was made to the URL of a Californian bank where credentials were being forwarded. (For more information please refer to the Appendix)

Information from the Open Web

By analyzing the initial domain that redirected to the phishing URL, it was observed that a vulnerability in the URL can aid in redirecting to any desired domain. This exploitation was evident in multiple instances found of the domain. 

To Note:

A domain belonging to a Swiss manufacturer of floor coverings was found vulnerable to this vulnerability and was used to redirect to the Qatar government entity targeted by the attackers.

As of today, the vulnerability and the phishing page are still active. 

This was likely done to evade detection by the victims. The phishing domains starting with ipfs[.]io are known to be widely exploited by threat actors for phishing in the past. Thus, to avoid phishing alerts by search engines, threat actors made use of open redirect vulnerability. (For more information please refer to the Appendix)

About IPFS[.]IO

InterPlanetary File System (IPFS) is a protocol that enables peer-to-peer data storage and transmission through a distributed file system. Being free to host and access, attackers can access the data(content) with the correct CID, whereas IPFS enables transport encryption.  Based on the analysis from October 2022, until today while writing this report, ipfs[.]io has been used over 761 times to create phishing domains.



302 request to the Californian bank

Phishing website hosted for an entity belonging to the government of Qatar

Open redirect vulnerability being exploited to redirect to malicious websites

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations