Threat Discovery: Attackers are Abusing Adobe Open Redirect Service to Serve Phishing

As we’ve blogged about before, cybercriminals are increasingly leveraging legitimate commercial infrastructure sites to avoid detection and host the growing number of phishing attacks they launch. Reports indicate that these types of attacks are on the rise and manipulating mainstream trusted brands is becoming a favorite tactic of online criminals. The reason this ploy is becoming more prevalent is that it is difficult to detect and can potentially evade existing URL inspection and domain reputation analysis methods.

In a perfect example of this type of fraud, SlashNext discovered a new outbreak where attackers were found to be luring users to Adobe’s open redirect services (hosted at t-info[.]mail[.]adobe.com) through emails[1] as a mean to redirect to various malicious sites. When a potential victim clicked on the link, it immediately began executing a number of redirects that would send the user to one of several different malicious webpages. The first one we discovered was the fake Microsoft Office 365 login page below[2].

This is a clear attempt to bypass email gateway defenses and their domain reputation engines. Because the initial link is pointing a reputable site, email gateways will consider the page to be a benign site and continue to allow users to visit it.

We’ve highlighted the delays Microsoft Office 365 Advanced Threat Protection (ATP) can experience when creating phishing attack signatures in a previous blog.

As our SEERTM (Session Emulation and Environment Reconnaissance) threat detection technology continued to use virtual browsers in its purpose-built cloud to dynamically inspect this redirect URL behavior in real-time, it found that the redirects had quickly changed and different malicious credential stealing pages were being served. The next page found was the fake login page below for managed cloud computing company Rackspace.

As we continuously re-checked the Adobe URL, the redirects changed to different credential stealing counterfeit pages. Each time the new pages are detected they are added to our list of active threats.

Since the initial URL led to a legitimate (whitelisted) infrastructure and the ultimate redirected destination URLs were not flagged as dangerous demonstrates how this threat is able to bypasses most security stacks. To defend against it organizations need to employ blacklisting strategies that can continue analyzing through multiple redirects and detecting threats to the final URLs.

Our Real-Time Phishing Threat Intelligence and Targeted Phishing Defense solutions can see beyond the legitimate website to identify what might lie in wait. Start a free 15-day trial of Real-Time Phishing Threat Intelligence or contact us for a demo of our Targeted Phishing Defense to see how you can protect your organization.

[1] Full Adobe redirect Url embedded within Phishing Email: hxxp:// t-info[.]mail[.]adobe.com/r/?id=hc43f43t4a,afd67070,affc7349&p1=t.mid.accor-mail.com/r/?
id=0vbaml5rq1z98ku7npjsw6dohtyf2ex40vbaml5rq1z98ku7npjsw6dohtyf2ex40vbaml5rq1z98ku7npjsw6dohtyf2ex40vbaml5rq1z98ku7npjsw6dohtyf2ex40vbaml5rq1z9
8ku7npjsw6dohtyf2ex40vbaml5rq1z98ku7npjsw6dohtyf2ex40vbaml5rq1z98ku7npjsw6dohtyf2ex40vbaml5rq1z98ku7npjsw6dohtyf2ex4-
0vbaml5rq1z98ku7npjsw6dohtyf2ex4-0vbaml5rq1z98ku7npjsw6dohtyf2ex4-0vbaml5rq1z98ku7npjsw6dohtyf2ex4&p1=ruckussolutions [.]com//?
pzone=cGV0ZXJfYXJtc3Ryb25nQGNvbWNhc3QuY29t&0vbaml5rq1z98ku7npjsw6dohtyf2ex4=0vbaml5rq1z98ku7npjsw6dohtyf2ex40vbaml5rq1z98ku7npjsw6dohtyf2
ex4

[2] Redirected URL leading to fake Microsoft Office 365 login page: hxxps:// weparkyouflyairportparking [.] com/assets-frontend/fonts/.helps/.slide/cmd-login=b6b174a32b31e428caa4fa2e364d589d/?
newsid=6873893883NzU2MzJmZTllMmU2MmM1ZGU3N2UyZDNjOGI1MzE3MjI=NzU2MzJmZTllMmU2MmM1ZGU3N2UyZDNjOGI1MzE3MjI=NzU2MzJmZTllMmU2
MmM1ZGU3N2UyZDNjOGI1MzE3MjI=&email=70657465725f61726d7374726f6e6740636f6d636173742e636f6d&loginpage=NzU2MzJmZTllMmU2MmM1ZGU3N2Uy
ZDNjOGI1MzE3MjI=NzU2MzJmZTllMmU2MmM1ZGU3N2UyZDNjOGI1MzE3MjI=&reff=NzU2MzJmZTllMmU2MmM1ZGU3N2UyZDNjOGI1MzE3MjI=NzU2MzJmZTllM
mU2MmM1ZGU3N2UyZDNjOGI1MzE3MjI=

It’s Time to Get Started with SlashNext

Experience the difference with broad phishing threat coverage and automated delivery.