A phishing campaign exploiting a bug in Nespresso’s website has managed to evade detection by taking advantage of security tools that fail to look for nested or hidden malicious links.
The campaign begins with a phishing email that appears to have been sent by a Bank of America employee, with the message “please check your recent [Microsoft] login activity.” If a target clicks, they are taken to a legitimate but abused URL on Nespresso's site, according to research published today by Perception Point.
Since the address is legitimate, the Nespresso link does not trigger any security warnings, the researchers explained. The Nespresso URL then redirects to a malicious .html file modified to look like a Microsoft login page and intended to capture the victim’s credentials, the Perception Point team added.
The attackers are exploiting an open redirect vulnerability in the coffee giant’s webpage, the researchers explained: “Open redirect vulnerabilities occur when an attacker manages to redirect users to an untrusted external URL through a trusted domain. This is possible when a website or URL allows you to control data from an external source.”
Attackers know that some security vendors “only inspect the initial link, without digging further to uncover any hidden or embedded links,” they added. “With this knowledge, it makes sense for the attacker to host the redirect on Nespresso, as the legitimate domain would likely be sufficient to bypass many security vendors, only detecting the trusted URL and not subsequent malicious ones.”
This particular campaign was launched from several sender domains, but consistently uses the abused Nespresso URL and the fake Bank of America email in its attacks, the report adds. Neither Perception Point nor Nespresso immediately responded to a request for comment on the fix for the open redirect vulnerability.