Nespresso faces a phishing attack due to an alleged flaw

April 26, 2024
Tags: Nespresso, Phishing Campaign, System Flaw, Data Theft, Phishing

A phishing campaign is abusing an open redirect on the Nespresso website to steer victims onto a fake Microsoft login page and steal their Microsoft credentials.

The scam begins with a phishing email masquerading as a message from Bank of America and asking the recipient to review recent Microsoft sign-in activity. The link in that email is the dangerous part.

Once an unwary target clicks the link, the browser first lands on what looks like a harmless Nespresso URL. The Nespresso site itself is legitimate, but the attackers use it as a stepping stone: its redirect passes the visitor on to an attacker-controlled page that serves a fake Microsoft login form as an innocuous-looking .html file. Any credentials typed into that form go straight to the criminals.

The Nespresso domain has an open redirect that the attackers used as the launching point for their phishing campaign.

According to the researchers' investigation, the attackers exploit an open redirect vulnerability on the Nespresso website: an endpoint that takes a destination from a request parameter and forwards the browser to it without checking that the destination belongs to Nespresso. That lets them send visitors to an external, attacker-controlled URL by way of Nespresso's trusted domain. Because the link the victim sees (and that filters inspect) starts with a legitimate domain, it passes several security checks without raising a red flag.
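To make the bug class concrete, here is an added example (not Nespresso's code, and not the actual endpoint from the campaign) of a redirect handler in its open-redirect form next to a hardened version. The site origin, the allowlist of hosts and the `url` parameter name are assumptions for illustration; the hardened version also covers the usual bypass tricks (protocol-relative `//host`, backslashes, `user@host` userinfo, non-web schemes) that a naive "does it start with a slash" check misses.

```python
from typing import Optional
from urllib.parse import parse_qs, urljoin, urlsplit

# Assumptions for this example: the site's own origin, the hosts it may
# redirect to, and the query parameter that carries the destination.
SITE_BASE = "https://www.nespresso.com/"
ALLOWED_HOSTS = {"www.nespresso.com", "nespresso.com"}
REDIRECT_PARAM = "url"


def parse_target(request_url: str) -> Optional[str]:
    """Pull the requested destination out of the query string, or None if absent."""
    values = parse_qs(urlsplit(request_url).query).get(REDIRECT_PARAM)
    return values[0] if values else None


def redirect_vulnerable(request_url: str) -> Optional[str]:
    """Open redirect: the parameter value becomes the Location header unchecked.
    https://www.nespresso.com/r?url=https://phish.example/ therefore sends the
    browser to phish.example while the emailed link still shows the trusted domain."""
    return parse_target(request_url)


def redirect_safe(request_url: str, fallback: str = SITE_BASE) -> str:
    """Hardened version: only same-site destinations survive; anything else
    falls back to the homepage instead of leaving the site."""
    target = parse_target(request_url)
    if not target:
        return fallback

    # Browsers treat a backslash like a forward slash, so "/\phish.example"
    # is really "//phish.example"; normalise before any parsing decision.
    target = target.replace("\\", "/")

    # Refuse non-web schemes such as javascript: or data: outright.
    scheme = urlsplit(target).scheme.lower()
    if scheme and scheme not in ("http", "https"):
        return fallback

    # Resolve relative targets against our own origin. "/account" stays
    # on-site; a protocol-relative "//phish.example" resolves off-site.
    resolved = urlsplit(urljoin(SITE_BASE, target))

    # Compare .hostname, not .netloc: "https://www.nespresso.com@phish.example/"
    # carries our name in the netloc (as userinfo) but its hostname is phish.example.
    if resolved.scheme not in ("http", "https") or resolved.hostname not in ALLOWED_HOSTS:
        return fallback
    return resolved.geturl()


if __name__ == "__main__":
    emailed = "https://www.nespresso.com/r?url=https://phish.example/innocent.html"
    print("vulnerable ->", redirect_vulnerable(emailed))
    print("hardened   ->", redirect_safe(emailed))
```

The safe variant deliberately falls back to the homepage rather than returning an error, so a broken but legitimate link still lands the user somewhere useful; the important property is that no value of the parameter can ever produce a Location header pointing off the allowlisted hosts.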

The attackers also rely on a weakness in many security tools: URL scanners and email gateways often evaluate only the first link, or only the domain of the first hop, and never follow the chain to its final destination. By routing through Nespresso's domain, the attackers let a trusted first hop vouch for a malicious last hop, and the campaign slips through unnoticed.
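The scanner-side fix is to resolve the whole redirect chain and judge every host on it, not just the first. The following is an added example (not the code of any particular security product) that contrasts a first-hop-only verdict with a full-chain verdict. The HTTP responses are constructed in-process so it runs offline; the redirect path, parameter name and `phish.example` landing host are assumptions, not the real ones from the campaign.

```python
from typing import Callable, List, Optional, Set, Tuple
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_HOPS = 10
TRUSTED_HOSTS = {"www.nespresso.com"}   # assumed reputation allowlist

# Constructed stand-in for a live HTTP client. Each entry maps a URL to the
# (status, Location header) the server would answer with.
FAKE_RESPONSES = {
    "https://www.nespresso.com/r?url=https://phish.example/innocent.html":
        (302, "https://phish.example/innocent.html"),
    "https://phish.example/innocent.html": (200, None),
    "https://www.nespresso.com/account": (200, None),
}

Fetcher = Callable[[str], Tuple[int, Optional[str]]]


def fake_fetch(url: str) -> Tuple[int, Optional[str]]:
    """Return (status, Location) for one request, never following redirects itself."""
    return FAKE_RESPONSES.get(url, (404, None))


def follow_redirects(url: str, fetch: Fetcher, max_hops: int = MAX_HOPS) -> List[str]:
    """Walk the redirect chain and return every URL visited, first to last."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_STATUSES or not location:
            return chain
        chain.append(urljoin(chain[-1], location))   # Location may be relative
    # Hop budget exhausted: a loop or an absurdly long chain is itself a signal.
    return chain


def hosts_in_chain(chain: List[str]) -> List[Optional[str]]:
    return [urlsplit(u).hostname for u in chain]


def verdict_first_hop_only(url: str, trusted: Set[str]) -> str:
    """What a tool that inspects only the emailed URL decides."""
    return "allow" if urlsplit(url).hostname in trusted else "block"


def verdict_full_chain(url: str, fetch: Fetcher, trusted: Set[str]) -> str:
    """Resolve the chain and require every host on it, including the last, to be trusted."""
    chain = follow_redirects(url, fetch)
    if len(chain) > MAX_HOPS:
        return "block"
    return "allow" if all(h in trusted for h in hosts_in_chain(chain)) else "block"


if __name__ == "__main__":
    emailed = "https://www.nespresso.com/r?url=https://phish.example/innocent.html"
    print("chain:", " -> ".join(follow_redirects(emailed, fake_fetch)))
    print("first hop only:", verdict_first_hop_only(emailed, TRUSTED_HOSTS))
    print("full chain:    ", verdict_full_chain(emailed, fake_fetch, TRUSTED_HOSTS))
```

With a real client, plug in a fetcher that does not auto-follow redirects (for example `requests.get(url, allow_redirects=False)`) so the scanner sees each hop; letting the client follow silently would collapse the chain back into a single URL and lose exactly the information this check depends on.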

The campaign is not confined to a single sender domain. Researchers have observed it arriving from a range of email accounts, all using the same Nespresso redirect URL and the same fake Bank of America template.

Despite the repeated attempts, Nespresso has not yet commented on whether the open redirect vulnerability has been fixed.

The incident is another reminder of why strong defences matter. Even a legitimate, well-known website can be turned into a relay for malicious traffic, so individuals and organisations must stay alert. As attackers refine their techniques, staying a step ahead is the best way to avoid becoming a victim.

Users should learn how to spot phishing campaigns so that threat actors cannot steal their credentials and data. In this case that means treating any sign-in prompt reached through a redirect with suspicion, and checking the address bar of the page that is actually asking for credentials rather than trusting the domain shown in the emailed link.
