Cybersecurity firm Menlo Security has issued a warning about a recent phishing campaign aimed at executives in senior positions. The campaign leverages an open redirection vulnerability found in the popular job search platform Indeed.

Indeed, headquartered in the United States, boasts a massive user base, with over 350 million unique visitors per month and a global workforce of more than 14,000 employees. Its widespread popularity has made it a trusted source for users, but this latest campaign illustrates how cybercriminals are taking advantage of that trust.

Starting in July 2023, attackers have been observed exploiting an open redirection flaw in the indeed.com website, redirecting victims to a phishing page designed to steal their Microsoft credentials. The primary targets of these attacks have been C-suite employees and executives in sectors such as banking, financial services, insurance, property management, real estate, and manufacturing, mainly within the United States.

The attack begins with the victim receiving a phishing email containing a link that appears to lead to indeed.com. However, clicking the link redirects them to a counterfeit Microsoft login page created using the EvilProxy phishing framework. This phishing kit operates as a reverse proxy, dynamically fetching page content from the legitimate Microsoft domain and allowing the attacker to intercept the victim’s credentials before they reach the actual login page.

Moreover, the phishing kit also pilfers the victim’s session cookies, which can be employed by the attacker to impersonate the victim and gain access to their Microsoft account, circumventing certain multi-factor authentication (MFA) mechanisms.

The attack capitalizes on the fact that the indeed.com website could be manipulated to redirect visitors to an untrusted external resource. As part of their strategy, the attackers utilized the ‘lmo.’ subdomain and hosted their phishing pages on nginx servers configured as reverse proxies.

Menlo Security explains that the reverse proxy captures dynamically generated content, such as login pages, and acts as an intermediary, intercepting requests and responses between the victim and the legitimate site.

Menlo Security has reported the open redirection vulnerability and the observed malicious activity to Indeed, although it remains uncertain whether the employment website has addressed the issue.

Menlo warns that account compromise is only the initial phase of an attack chain that could potentially culminate in a Business Email Compromise (BEC), leading to identity theft, intellectual property theft, and substantial financial losses.

Proofpoint has also reported a similar phishing campaign targeting executives at more than 100 organizations, using the EvilProxy phishing tool. In those instances, cybercriminals exploited other legitimate services, including YouTube, for redirection.

Indeed Responds Claiming Flaw Fixed & No Data Issues

An Update found in SecurityWeek.com from Indeed wrote: In response to the security concerns, an Indeed spokesperson has reported resolving the vulnerability that allowed malicious actors to exploit Indeed’s domain for social engineering attacks. They assured that no Indeed user data was improperly accessed and that their engineering teams are actively engaged in security incident response to prevent any recurrence.