Case Study: Lessons Learned from the Indeed EvilProxy Attack

Industry: Online Job Search Platform

About Indeed:

Indeed is a globally renowned platform for online job search and employment services. With millions of job listings, it connects job seekers with employers worldwide. With a database of 245 million resumes, Indeed plays a vital role in the recruitment industry.

What Happened?

In a recent cybersecurity incident, Indeed fell victim to an advanced phishing attack. This case study sheds light on how this breach unfolded, its underlying causes, the far-reaching impacts, and the recommended solutions for organisations to consider.

What Was the Cause of This Incident?

The breach was orchestrated by a sophisticated phishing campaign identified by Menlo Labs in July 2023.

Hackers go where the money is. This campaign was no different: it was designed to target high-ranking executives in various sectors, including Banking and Financial Services, Insurance, Property Management, Real Estate, and Manufacturing.

The attackers employed the ‘EvilProxy’ phishing-as-a-service kit, which allows an attacker to bypass two-factor or multifactor authentication (MFA) by using reverse proxy functionality.

The attackers exploited an open redirection vulnerability on ‘indeed.com’ to deceive victims. This technique allowed them to redirect users to phishing pages impersonating Microsoft.

The attack is a classic example of an adversary-in-the-middle (AitM) phishing attack, also known as a man-in-the-middle attack. It enabled the attacker to bypass MFA by stealing session cookies.

This means they could impersonate legitimate users, gaining unauthorized access to their accounts and sensitive information.

What Is the Impact of This Incident?

The phishing campaign targeted C-suite executives across various industries, primarily in the United States. The attack was executed through deceptive phishing emails containing links that redirected victims to fake Microsoft Online login pages. The attack chain involved:

  • The victim receiving a phishing email
  • Clicking the link
  • Being redirected to the fake login page created with EvilProxy
  • The attacker intercepting legitimate server requests to steal session cookies

The potential consequences of this breach are severe, including Business Email Compromise (BEC), identity theft, and financial losses.

The attack not only highlights the importance of fortifying online security, especially for platforms dealing with personal and professional data, but also emphasises how important it is for organisations to educate their users about cybersecurity.

What Is HumanFirewall’s Take?

HumanFirewall, a leading cyber security awareness and training platform, recognizes the significance of this incident and offers valuable insights. In response to this breach, we recommend:

  • Educating users: It’s crucial to educate users about the risks of phishing attacks and how to identify suspicious emails and links.
  • Employing phishing-resistant MFA: Organisations should implement multi-factor authentication mechanisms that are resistant to phishing, enhancing overall security.
  • Verifying target URLs: Always ensure that the URLs are legitimate and take steps to mitigate open redirection vulnerabilities.
  • Implementing session isolation solutions: These solutions offer real-time protection against zero-hour phishing attacks, crucial in today’s evolving threat landscape.
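
To make the open-redirection mitigation above concrete, here is an added example (not code from Indeed, Menlo Labs or HumanFirewall) of a server-side check that only honours a redirect target when it is a same-site path or an allowlisted HTTPS host. The function name, fallback path and `example.com` hostnames are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: hosts this (hypothetical) application may redirect to.
ALLOWED_HOSTS = frozenset({"www.example.com", "jobs.example.com"})
FALLBACK = "/"  # where to send the user when the target is rejected


def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS):
    """Return `target` if it is a same-site path or an allowlisted
    https URL; otherwise return FALLBACK."""
    if not target:
        return FALLBACK
    # Browsers drop tabs/newlines and treat "\" like "/", so a string the
    # server parses as a path can still leave the site. Reject them outright.
    if any(ord(ch) <= 0x20 or ch in "\\\x7f" for ch in target):
        return FALLBACK
    try:
        parts = urlsplit(target)
        user, host = parts.username, parts.hostname
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return FALLBACK
    # Relative target: exactly one leading "/" ("//host" is scheme-relative).
    if not parts.scheme and not parts.netloc:
        if target.startswith("/") and not target.startswith("//"):
            return target
        return FALLBACK
    # Absolute target: https only (this also drops javascript:, data:, http:).
    if parts.scheme != "https":
        return FALLBACK
    # Userinfo trick: https://www.example.com@attacker.test/ goes to attacker.test.
    if user is not None or parts.password is not None:
        return FALLBACK
    # Exact host match, so www.example.com.attacker.test does not pass.
    host = (host or "").lower().rstrip(".")
    return target if host in allowed_hosts else FALLBACK
```

Exact host matching is deliberate: suffix or substring checks on the hostname are what let lookalike domains through.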

How Can HumanFirewall Help?

Humans are not the weakest link in cybersecurity but the most attacked vector — this is an undisputed fact, but it doesn’t need to be so.

HumanFirewall transforms the security posture of your human layer. It is a world-first security awareness and training platform that also works when real attacks strike.

Its Post-delivery Protection augments with technology what humans lack in attention, highlighting the risk in an already delivered email. It gamifies the learning experience via phishing simulations, builds individual risk profiles, rewards real-time reporting, remediates incidents instantly, and orchestrates auto-blacklisting enterprise-wide via easy-to-deploy one-click integration with O365, GSuite and Exchange.

HumanFirewall transforms employees, from being an organisation’s weakest link, into their strongest line of defence. Specifically, in light of this incident, we can assist organisations in implementing robust security measures to prevent such phishing attacks in the future.