Cyber Security Threat Summary:
In a recent report from Menlo Security, it was discovered that Indeed, a widely recognized global job search platform headquartered in the US, boasting over 350 million monthly visitors and a global workforce of more than 14,000 employees, has become the focus of a significant phishing campaign. This campaign underscores how threat actors can exploit the platform's credibility and popularity.

Starting from July 2023, Menlo Security observed adversaries exploiting an open redirection vulnerability within the indeed[.]com website to redirect victims to a phishing page designed explicitly to pilfer their Microsoft credentials. The primary targets of these attacks were C-suite executives and other high-ranking personnel in industries such as banking, financial services, insurance, property management, real estate, and manufacturing, with a particular emphasis on the United States.

Security Officer Comments:
The attack relies on a website vulnerability which could be manipulated to divert visitors to untrusted external resources. As part of their campaign, the attackers utilized the subdomain 'lmo.' and hosted their phishing pages on nginx servers capable of serving as reverse proxies. Menlo Security reported both the open redirection issue and the observed malicious activities to Indeed; however, it remains uncertain whether the job search platform has taken measures to address the issue.

Suggested Correction(s):
To mitigate watering hole attacks, it's essential to keep all software, including non-security applications, up to date by conducting regular vulnerability scans and applying security patches. Additionally, employing secure web gateways (SWG) can help filter out web-based threats and enforce acceptable use policies. Implementing comprehensive end-user training is also a proactive measure to prevent such attacks. Furthermore, typo-squatting attacks can be easily thwarted by diligently verifying the authenticity of URLs before engaging with them.

Link(s):
https://www.menlosecurity.com/blog/evilproxy-phishing-attack-strikes-indeed/