Nespresso unknowingly fueled a phishing campaign. Coffee lovers, don’t be tricked!


Mélina LOUPIA

April 23, 2024 at 6:12 p.m.

A phishing campaign at Nespresso? It's a bit strong coffee © wk1003mike / Shutterstock

The hackers used Nespresso’s open redirect system to hide their phishing campaign.

The web and cybercrime now go hand in hand. In figures, 75% of the attacks blocked by Avast in 2023 were phishing campaigns. These attacks, numbering 10 billion, represent 49% more than in 2022.

Among this myriad, a small group of attackers exploited a seemingly minor flaw: open redirection. The unwitting victim is Nespresso, whose site, without its knowledge, redirects users to a malicious clone of its online capsule store.

Open redirection, a gateway for hackers for their phishing campaigns

On the web, redirects are essential. They guide the browser to automatically access another site or URL. They are omnipresent and are used, for example, to redirect from an insecure HTTP site to its more secure HTTPS version. When designed correctly, these redirects are triggered by the web application and can be controlled or secured by site managers.

We speak of open redirection when the destination URL can be set from outside the application or modified by information provided by the user. At first glance, this operation is not necessarily problematic, but it can be subverted quite easily.

This is where the problem lies, and this is exactly what the Nespresso site is guilty of despite itself. Researchers at Perception Point, a cybersecurity vendor, discovered that attackers took advantage of this open redirect to send visitors to external URLs without any validation or sanitization of the destination. This redirection, which users neither see nor suspect, leads them straight to a fake Nespresso site. But that is only the final stage of the phishing campaign. To reach this fraudulent Nespresso page, the victims first received a disguised email (which slipped past their mail provider's spam filters) purporting to come from Microsoft, whose brand was also spoofed. The email urges the user to verify their login details by clicking a link that sends them first to the fake Nespresso site and then to a fake Microsoft login page. The two-step trap closes.
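To make the flaw described above concrete, here is an added example (not code from the article, Nespresso or Perception Point) showing the weak redirect pattern beside a hardened one. The host name `shop.example` is a placeholder standing in for any first-party site; the vulnerable function returns whatever destination the caller supplied, while the hardened one resolves the value against the site's own origin and only honours same-host targets, falling back to the home page for anything else.

```python
"""Open redirect: the weak pattern beside a hardened one (added example)."""
from urllib.parse import urljoin, urlsplit

# Placeholder first-party host; not any real shop's domain.
OUR_HOST = "shop.example"
DEFAULT_TARGET = "/"


def unsafe_redirect_target(next_param: str) -> str:
    """The vulnerable pattern: trust the caller-supplied destination verbatim.

    A link like https://shop.example/login?next=https://phish.example/ looks
    first-party to the reader but sends the browser off-site after the hop.
    """
    return next_param


def safe_redirect_target(next_param: str, our_host: str = OUR_HOST) -> str:
    """Return a same-site relative target, or DEFAULT_TARGET if the value
    points anywhere else (other host, other scheme, userinfo tricks)."""
    if not next_param:
        return DEFAULT_TARGET

    # Browsers treat backslashes like forward slashes in URLs; normalise so
    # "/\phish.example" is not misread as a harmless relative path.
    candidate = next_param.replace("\\", "/")

    # Resolve against our own origin: "//phish.example" becomes an absolute
    # URL whose host we can inspect, while "/account" stays on our host.
    resolved = urlsplit(urljoin(f"https://{our_host}/", candidate))

    if resolved.scheme not in ("http", "https"):
        return DEFAULT_TARGET          # javascript:, data:, etc.
    if resolved.hostname != our_host:
        return DEFAULT_TARGET          # any foreign host, including lookalikes
    if resolved.username or resolved.password:
        return DEFAULT_TARGET          # "https://shop.example@evil" style URLs

    # Re-emit as a relative path so the browser cannot leave our origin.
    target = resolved.path or "/"
    if resolved.query:
        target += "?" + resolved.query
    return target


if __name__ == "__main__":
    # Constructed sample values, both benign and hostile.
    samples = [
        "/account/orders",
        "https://shop.example/capsules?ref=newsletter",
        "https://phish.example/",
        "//phish.example/login",
        "/\\phish.example",
        "https://shop.example@phish.example/",
        "javascript:alert(1)",
    ]
    for value in samples:
        print(f"{value!r:45} unsafe -> {unsafe_redirect_target(value)!r:40} "
              f"safe -> {safe_redirect_target(value)!r}")
```

The key design choice is to emit a relative path rather than echo the validated absolute URL: even if a future parsing quirk let a foreign host through the checks, the browser would still be told to stay on the current origin.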

Online, you must always remain vigilant. Even when we want to buy coffee. © KS JAY / Shutterstock

Fraudulent sites, emails and phishing: how to spot them and avoid falling into the trap?

Clubic recommends that you exercise the greatest caution when making online purchases. First of all, always check the reliability of the website: avoid sites with a dubious reputation. Before purchasing, you can also check the legal notices and the site address, and search online for any scam reports associated with the site name. Also make sure that the site is secure (URL starting with https:// and a closed padlock icon). And above all, be vigilant against phishing attacks: be wary of newsletters and incentive emails, some of which seek to extract your personal or banking details.

Phishing attempts also hide in fraudulent emails which can sometimes escape spam filters and end up in your main mailbox. It is therefore essential to know how to identify them.

First, the sender: an unknown email address, containing spelling mistakes or strange characters, should alert you. Compare it with other emails received from the same person or organization. If it is different, be careful.

Next, pay attention to the date and time of sending. An email received at an unusual time, especially at night, from an organization that is not normally active at that time, should raise suspicion. The content of the email can also be revealing: fraudulent emails often contain spelling mistakes, an unrealistic or insistent tone, and play on emotions. Be wary of alarmist messages or messages that urge you to act urgently.

Finally, never click on attachments or hyperlinks in unknown emails. They may contain malware that is dangerous for your device. Hover over links without clicking to check the actual destination URL. If an email asks you for personal or banking information, encourages you to click on a link or attachment, or raises an alarming subject with an urgent request, it is probably a phishing attempt. Stay vigilant about the emails you receive, even if they appear to come from a known source.
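The advice above on checking where a link really goes can be automated for a suspicious message. The following is an added example (not part of the article) that extracts the anchors from an email's HTML body and reports three warning signs: a link host that does not belong to the organisation the email claims to come from, displayed link text that names a different host than the real target, and a query parameter carrying a full off-site URL, which is the open-redirect pattern discussed in this article. The sample email and every host name in it are constructed placeholders; `shop.example` stands for the legitimate sender's domain.

```python
"""Inspect the links in a suspected phishing email (added example)."""
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Constructed sample email body; all hosts are placeholders.
SAMPLE_EMAIL = """
<p>Your account needs attention.
   <a href="https://shop.example/account">View your orders</a></p>
<p>Confirm your details:
   <a href="https://shop.example/r?url=https://account-check.invalid/login">shop.example</a></p>
<p>Or sign in here:
   <a href="https://shop.example.verify-login.invalid/">https://shop.example/</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _looks_like_url(text: str) -> bool:
    return bool(text) and "." in text and " " not in text


def inspect_link(href: str, text: str, expected_host: str) -> list:
    """Return human-readable findings for one link (empty list = nothing odd)."""
    findings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()

    if parts.scheme not in ("http", "https"):
        findings.append(f"non-web scheme {parts.scheme!r}")

    # Exact host or a subdomain of the expected host; anything else is foreign.
    # (A production checker would consult the public suffix list here.)
    if host != expected_host and not host.endswith("." + expected_host):
        findings.append(f"link host {host!r} does not belong to {expected_host!r}")

    # Displayed text that reads like a URL but points somewhere else.
    if _looks_like_url(text):
        shown = text if "://" in text else "https://" + text
        shown_host = (urlsplit(shown).hostname or "").lower()
        if shown_host and shown_host != host:
            findings.append(f"text shows {shown_host!r} but link goes to {host!r}")

    # A query value that is itself an absolute URL to another host: the
    # open-redirect pattern, where a first-party link bounces elsewhere.
    for key, value in parse_qsl(parts.query):
        inner = urlsplit(value.replace("\\", "/"))
        if inner.scheme in ("http", "https") and inner.hostname \
                and inner.hostname.lower() != host:
            findings.append(f"parameter {key!r} carries an off-site URL to "
                            f"{inner.hostname!r} (open-redirect pattern)")
        elif value.startswith("//"):
            findings.append(f"parameter {key!r} is a scheme-relative URL")
    return findings


def inspect_email(html: str, expected_host: str) -> list:
    """Return [(href, text, findings), ...] for every link in the body."""
    collector = _AnchorCollector()
    collector.feed(html)
    return [(href, text, inspect_link(href, text, expected_host))
            for href, text in collector.links]


if __name__ == "__main__":
    for href, text, findings in inspect_email(SAMPLE_EMAIL, "shop.example"):
        status = "OK" if not findings else "SUSPICIOUS"
        print(f"{status:10} {href}")
        for finding in findings:
            print(f"           - {finding}")
```

Run against the sample, the first link passes, the second is flagged only for the `url=` parameter that bounces to another host, and the third is flagged twice: a lookalike host and link text that names the genuine domain while the target is elsewhere.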

Source : Techspective, Perception Point

Mélina LOUPIA

Ex-corporate journalist, the world of the web, networks, connected machines and everything that is written on the Internet whets my appetite. From the latest TikTok trend to the most liked reels, I come from the Facebook generation that is still fascinated by the internal war between Mac and PC. As a wise woman, the Internet, its tools, practices and regulation are among my favorite hobbies (along with lineart, knitting and bad jokes). My motto: to try it is to adopt it, but in complete safety.