A coronavirus-themed phishing campaign designed to infect victims with Raccoon information-stealing malware has reportedly been leveraging an open redirect vulnerability found on the U.S. Department of Health and Human Services’ website, HHS.gov.
As defined by Trustwave here, an open redirect occurs when a website’s “parameter values (the portion of URL after “?”) in an HTTP GET request allow for information that will redirect a user to a new website without any validation of the target of redirect.”
Such conditions are favorable for sending phishing emails containing malicious links that look like a legitimate ones belonging to credible website. And in this case, the credible website is HHS.gov, which would naturally be considered a trusted source of coronavirus information. More specifically, the redirect can be found on the subdomain of HHS’s Departmental Contracts Information System.
The Twitter-based infosec analyst known as @SecSome (aka Some Security Please) on Monday disclosed the campaign and its corresponding vulnerability in series of tweets, the content of which have since appeared in several media reports.
One of the tweets showed a sample of a phishing email used in the campaign. It presents basic facts on the virus, including symptoms and victim count, and contains a link at the bottom that recipients can click, supposedly to further research their medical symptoms.
Clicking on the link redirects the user to the malicious attachment coronavirus.doc.link, which unpacks an obfuscated VBS script that in turn produces Raccoon, which can steal email credentials, credit card info, cryptocurrency wallets, browser data, and system information, BleepingComputer has reported. And to avoid casting suspicion, the attackers even use an error message to make it appear as if a problem occurred while opening the malicious document.
According to Cyberscoop, an HHS spokesperson said that the open redirect vulnerability is under investigation.