Threat Management, Malware, Network Security, Phishing

Open redirect on Dept. of HHS website benefits COVID-19 phishing scam

A coronavirus-themed phishing campaign designed to infect victims with Raccoon information-stealing malware has reportedly been leveraging an open redirect vulnerability found on the U.S. Department of Health and Human Services' website, HHS.gov.

As Trustwave defines it, an open redirect occurs when a website's "parameter values (the portion of URL after '?') in an HTTP GET request allow for information that will redirect a user to a new website without any validation of the target of redirect."

Such conditions are favorable for sending phishing emails containing malicious links that look like legitimate ones belonging to a credible website. In this case, the credible website is HHS.gov, which would naturally be considered a trusted source of coronavirus information. More specifically, the redirect can be found on the subdomain of HHS's Departmental Contracts Information System.
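The flaw class described above, as an added example (not code from the article, from Trustwave or from HHS): a redirect handler in the vulnerable form beside a hardened check that only honours same-site paths, plus a small audit over constructed access-log lines. The host names, the `next` parameter name and the log lines are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, urljoin, unquote

# Hypothetical allow-list of the site's own hosts (not from the article)
ALLOWED_HOSTS = {"www.example.gov", "example.gov"}
SITE_BASE = "https://www.example.gov/"

def vulnerable_redirect_target(next_param: str) -> str:
    """The pattern the article describes: whatever ?next= carries becomes the
    Location header, so a link that starts on the trusted host can land the
    user on an attacker-chosen page with no validation at all."""
    return next_param

def _normalise(next_param: str) -> str:
    # Browsers strip tabs/newlines and treat backslash as a path separator,
    # so apply the same normalisation before deciding anything.
    return re.sub(r"[\t\r\n]", "", next_param).replace("\\", "/")

def is_safe_redirect(next_param: str) -> bool:
    """True only for an absolute path on this site (no scheme, no host)."""
    candidate = _normalise(next_param)
    if not candidate.startswith("/") or candidate.startswith("//"):
        return False                      # relative, external or protocol-relative
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:      # http://..., user@host, etc.
        return False
    # Resolve against the site and confirm the host is still one of ours
    return urlsplit(urljoin(SITE_BASE, candidate)).netloc in ALLOWED_HOSTS

def safe_redirect_target(next_param: str) -> str:
    """Hardened form: honour the parameter only when it passes the check."""
    candidate = _normalise(next_param)
    return candidate if is_safe_redirect(candidate) else "/"

# Constructed access-log lines (not from the article) for a quick audit
SAMPLE_LOG = [
    '203.0.113.5 "GET /login?next=/home HTTP/1.1" 302',
    '203.0.113.9 "GET /login?next=https%3A%2F%2Fevil.example%2Fcoronavirus.doc HTTP/1.1" 302',
    '203.0.113.7 "GET /login?next=//evil.example/x HTTP/1.1" 302',
]

def flag_external_redirects(lines, param="next"):
    """Return the log lines whose redirect parameter points off-site."""
    pattern = re.compile(r"[?&]" + re.escape(param) + r"=([^ &\"]*)")
    flagged = []
    for line in lines:
        match = pattern.search(line)
        if match and not is_safe_redirect(unquote(match.group(1))):
            flagged.append(line)
    return flagged
```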

The Twitter-based infosec analyst known as @SecSome (aka Some Security Please) on Monday disclosed the campaign and its corresponding vulnerability in a series of tweets, the content of which has since appeared in several media reports.

One of the tweets showed a sample of a phishing email used in the campaign. It presents basic facts on the virus, including symptoms and victim count, and contains a link at the bottom that recipients can click, supposedly to further research their medical symptoms.

Clicking on the link redirects the user to the malicious attachment coronavirus.doc.link, which unpacks an obfuscated VBS script that in turn produces Raccoon, which can steal email credentials, credit card info, cryptocurrency wallets, browser data, and system information, BleepingComputer has reported. To avoid arousing suspicion, the attackers even display an error message to make it appear as if a problem occurred while opening the malicious document.

According to Cyberscoop, an HHS spokesperson said that the open redirect vulnerability is under investigation.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
