Summary: A phishing campaign targeting Nespresso’s website has been able to evade detection by using malicious nested or hidden links, taking advantage of security tools that fail to detect them.
Threat Actor: Unknown | Unknown
Victim: Nespresso | Nespresso
Key Point :
- A phishing email, appearing to be from an employee of Bank of America, is sent to targets with a message to check their recent Microsoft sign-in activity.
- If the target clicks on the email, they are directed to a legitimate but infected URL controlled by Nespresso, which triggers no security warnings.
- The infected URL delivers a malicious .html file disguised as a Microsoft login page to capture the victim’s credentials.
- The attackers exploit an open redirect vulnerability in Nespresso’s webpage, redirecting users to an external, untrusted URL through a trusted domain.
- Some security vendors fail to detect the hidden or embedded links, allowing the attacker to bypass security measures.
- The campaign uses various sender domains but consistently uses the infected Nespresso URL and a fake Bank of America email.
A phishing campaign exploiting a bug in Nespresso’s website has been able to evade detection by taking advantage of security tools that fail to look for malicious nested or hidden links.
The campaign starts with a phishing email that appears to have been sent from an employee with Bank of America, with a message to “please check your recent [Microsoft] sign-in activity.” If a target clicks, they are then directed to a legitimate but infected URL controlled by Nespresso. according to research today from Perception Point.
Because the address is legitimate, the hijacked Nespresso site triggers no security warnings, the report explained. The Nespresso URL then delivers a malicious .html file doctored up to look like a Microsoft login page, intended to capture the victim’s credentials, the Perception Point team added.
The attackers are making use of an open redirect vulnerability in the coffee giant’s webpage, the researchers explained: “Open redirect vulnerabilities occur when an attacker manages to redirect users to an external, untrusted URL through a trusted domain. This is possible when a website or URL allows data to be controlled from an external source.”
Attackers know that some security vendors “only inspect the initial link, not digging further to discover any hidden or embedded links,” they added. “With this knowledge, it makes sense that the attacker would host the redirect on Nespresso, as the legitimate domain would likely be sufficient to bypass many security vendors, detecting only the reputable URL and not the subsequent malicious ones.”
This particular campaign has been launched from several different sender domains, but it consistently uses the infected Nespresso URL and the fake Bank of America email in the cyberattacks, the report added. Neither Perception Point nor Nespresso immediately returned a request for comment on whether the open-direct vulnerability has been fixed.
Source: https://www.darkreading.com/cyberattacks-data-breaches/nespresso-domain-phish-cream-sugar
“An interesting youtube video that may be related to the article above”