Last week, security researcher Alex Lanstein found a phishing email abusing an open redirect from the Cisco WebEx website being used to deliver malware. An open redirect is a technique used to disguise the real destination of a link, abusing a situation in which a website will take any URL as one of the parameters it accepts and forwards the browser to that specified URL. For example, https://www.google.com/url?q=https://www.example.com will redirect to example.com (although Google has also implemented a warning page to make it clear the visitor will no longer be on Google’s site). Fixing open redirects can be very simple and implemented in a variety of ways, including the warning page used in the Google example. In the particular example that Alex gave, hovering over the “Join meeting” button shows what would appear to be the real secure-web.cisco.com domain but, looking more closely reveals the malicious address at the end.
Analyst Notes
Always be cautious of links sent from someone unexpected. Security awareness training almost always has some sections for phishing emails, but these open redirect ones can be harder to spot to the average person. If you weren’t expecting a WebEx invite, hover the mouse over the link to see the full link as shown above. It’s not always enough to look for a familiar domain name.
To learn more: https://twitter.com/alex_lanstein/status/1192092706396233728
