Open redirect on Dept. of HHS website benefits COVID-19 phishing scam

A coronavirus-themed phishing campaign designed to infect victims with Raccoon information-stealing malware has reportedly been leveraging an open redirect vulnerability found on the U.S. Department of Health and Human Services’ website, HHS.gov.


As defined by Trustwave, an open redirect occurs when a website’s “parameter values (the portion of the URL after ‘?’) in an HTTP GET request allow for information that will redirect a user to a new website without any validation of the target of redirect.”


Such conditions are favorable for sending phishing emails containing malicious links that look like legitimate ones belonging to a credible website. In this case, the credible website is HHS.gov, which would naturally be considered a trusted source of coronavirus information. More specifically, the redirect can be found on the subdomain of HHS’s Departmental Contracts Information System.
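As an added illustration (not code from this article, from HHS, or from Trustwave), the following Python sketch shows the unvalidated redirect handler that the definition above describes next to a hardened version, plus a triage helper a mail-security team could run over links to spot redirect parameters pointing off-site; the host name example.gov and the parameter names are placeholders, not the real HHS subdomain or its parameter.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl

# Assumed placeholder for the site that owns the redirect endpoint.
TRUSTED_HOST = "example.gov"


def vulnerable_redirect(target: str) -> str:
    """'Before' form: the query parameter value is used as the Location
    header unchanged, so any absolute URL becomes the redirect target."""
    return target


def safe_redirect(target: str, fallback: str = "/") -> str:
    """Hardened form: allow only same-site targets.

    Accepts a path that starts with a single '/', or an https URL whose
    hostname is exactly TRUSTED_HOST. Backslashes are folded to '/' first
    because browsers treat '/\\host' like '//host', and the result is
    rebuilt from parsed parts so userinfo ('trusted@evil'), ports and
    fragments never reach the Location header."""
    if not target:
        return fallback
    parts = urlsplit(target.replace("\\", "/"))
    if parts.scheme == "" and parts.netloc == "":
        if parts.path.startswith("/") and not parts.path.startswith("//"):
            return urlunsplit(("", "", parts.path, parts.query, ""))
        return fallback
    if parts.scheme == "https" and parts.hostname == TRUSTED_HOST:
        return urlunsplit(("https", TRUSTED_HOST, parts.path or "/", parts.query, ""))
    return fallback


def flags_external_redirect(link: str) -> bool:
    """Triage helper for links seen in mail: True when any query value is an
    absolute or protocol-relative URL whose host differs from the link's own
    host, the shape an open-redirect lure takes."""
    outer = urlsplit(link)
    for _, value in parse_qsl(outer.query, keep_blank_values=True):
        inner = urlsplit(value.replace("\\", "/"))
        if inner.netloc and inner.hostname != outer.hostname:
            return True
    return False
```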


The Twitter-based infosec analyst known as @SecSome (aka Some Security Please) on Monday disclosed the campaign and its corresponding vulnerability in a series of tweets, the content of which has since appeared in several