Researchers around the world are working to understand a new remote code vulnerability in Microsoft Office dubbed Follina.
The post Microsoft Office zero-day “Follina”—it’s not a bug, it’s a feature! (It’s a bug) appeared first on Malwarebytes Labs.

Several researchers have come across a novel attack that circumvents Microsoft’s Protected View and anti-malware detection.

The attack vector uses the Word remote template feature to retrieve an HTML file from a remote webserver. It goes on to use the ms-msdt protocol URI scheme to load some code, and then execute some PowerShell.

All of the above methods are features, but if we tell you that put together this allows an attacker to remotely run code on your system by tricking you into clicking a link, that sounds quite disturbing doesn’t it?

Well, you’d be right to be concerned. That little sequence of features adds up to a zero-day flaw in Microsoft Office that is being abused in the wild to achieve arbitrary code execution on Windows systems.

Jerome Segura, Malwarebytes’ Senior Director, Threat Intelligence:

> This elegant attack is designed to bypass security products and fly under the radar by leveraging Microsoft Office’s remote template feature and the ms-msdt protocol to execute malicious code, all without the need for macros.

The most prominent researchers working on the issue have dubbed the vulnerability in Microsoft Office **Follina**, because a sample uploaded to VirusTotal included the area code for the Italian comune Follina.

**Affected versions**

Under normal circumstances, files from potentially unsafe locations are opened as read only or in Protected View. However, this warning can be easily bypassed by changing the document to a Rich Text Format (RTF) file. By doing so, the code can run without even opening the document via the preview tab in Explorer.

While the research is ongoing and the info security community is testing and probing, we are receiving some mixed signals whether the latest, fully patched, version of Office 365 is vulnerable to this type of attack or not. Older versions are certainly vulnerable, which already makes it a problem with a huge attack surface.

Researcher Kevin Beaumont provides the example where an attacker can send an email with this text as a hyperlink:

ms-excel:ofv|u|https://blah.com/poc.xls

And Outlook will allow the user to click the hyperlink and open the Excel document. Because the document isn’t attached to the email, and the URI doesn’t start with http or https, most email gateways are going to let that slide straight through as nothing appears malicious.

As we stated earlier, even looking at a specially crafted file in the preview pane of Windows Explorer could trigger the attack. Microsoft has been made aware of the issues and the possible consequences. While its first reaction was that there was no security issue, it seems this needs to be fixed.

**Mitigation**

There are a few things you can do to stop some or all of the “features” used in this type of attack.

**Unregister the ms-msdt protocol**

Will Dormann, a vulnerability analyst at the CERT/CC has published a registry fix that will unregister the ms-msdt protocol.

Copy and paste the text into a notepad document:

*   Click on **File**, then **Save As…**
*   Save it to your Desktop, then name the file disable_ms-msdt.reg in the file name box.
*   Click **Save**, and close the notepad document.
*   Double-click the file disable_ms-msdt.reg on your desktop.

Note, if you are prompted by User Account Control, select **Yes** or **Allow** so the fix can continue.

*   A message will appear about adding information into the registry, click **Yes** when prompted
*   A prompt should appear that the information was added successfully

**Disable preview in Windows Explorer**

If you have the preview pane enabled, you can:

*   Open File Explorer.
*   Click on **View** Tab.
*   Click on **Preview Pane** to hide it.

**Enable Malwarebytes’ Block penetration testing attacks**

The Malwarebytes’ **Block penetration testing attacks** setting is an aggressive detection setting that will block this attack. It is not enabled by default because while enabling it provides additional blocking capabilities for Exploit Protection it can increase false positives, or result in other application conflicts.

To enable it:

*   Open **Settings**
*   Click **Security**
*   Choose **Advanced settings**
*   Tick **Block penetration testing attacks**

Microsoft Office zero-day “Follina”—it’s not a bug, it’s a feature! (It’s a bug)

An organisation dedicated to providing food for those in need suffered a double-whammy of fraud costing them upwards of $63,000.
The post Double-whammy attack follows fake Covid alert with a bogus bank call appeared first on Malwarebytes Labs.

The BBC has revealed details of how a food bank in the UK was conned out of about $63,000 (£50,000) by scammers who used two separate attacks to fleece their victims.

A food bank is a way for people to ensure they don’t starve. They are a backstop during times of economic uncertainty, and have been hugely important during the pandemic. An attack on a food bank is an attack on the most vulnerable that’s likely to have a significant impact on a community, and which could have a terrible knock-on effect.

There’s no indication that the fraudsters deliberately targeted the food bank, but whether they did or not, it loses little in awfulness to hospitals impacted by ransomware outbreaks.

This is how the two attacks occurred:

**Part 1, a bogus NHS Test and Trace message**

The initial attack was a fake NHS Test and Trace message.

From PPE offers to test and trace messages, COVID has been a mainstay of phishing since early 2020. No matter the region, the pandemic ushered in an age of fake delivery notifications and bogus “You may be infected” websites.

In this case, an SMS message was sent to the target claiming they had been in close contact with somebody who was Covid-19 positive.

We have seen these kinds of messages is sent out by SMS and email. Scammers may claim that tests are mandatory (they are not). Sites may collect the victim’s name, address, phone number, email, or more besides, and at the end of the flow, they may ask for a “postage fee” and your payment details.

In this case the scammers asked for payment for a PCR test. The demand for payment might once have been a red flag, but since the end of free testing in the UK, it isn’t.

For most people, this is where the scam ends. Sadly this isn’t the case here. The small payment was used as a stepping stone to significantly greater losses.

**Part 2, a call from a fake bank**

The victims called their bank, suspicious of fraud. By an unfortunate coincidence, the criminals called the food bank trustees back pretending to be their bank.

It’s possible the fraudsters took the card details given to them in the first scam and figured out which bank it belonged to. For example, the first 4 to 6 digits of a Bank Identification Number (BIN) can reveal the card issuer. Armed with this information, the scammers would know which bank they need to pose as. (It’s also possible they never mentioned the bank at all—someone already in touch with a bank may not suspect anything amiss from a supposed follow-up call.)

Either way, the scammers asked if any “linked accounts” could have been affected. Concerned for the food back, the victims handed over its bank account details. The scammers proceeded to empty the account of “well over $63,000” across a two-day period.

**Tips to avoid this scam**

Routine contact tracing ended in the UK in February 2022, so any messages that don’t arrive via the official NHS app should be treated as bogus.

If you receive a call from your bank, call them back using a number from their website. Don’t use a phone number (or any other information) provided by the caller, and don’t provide any identifying information until you are sure you are talking to your bank.

Double-whammy attack follows fake Covid alert with a bogus bank call

Australia, India, Japan, and the US recently met to discuss pressing matters in the Info-Pacific, including cybersecurity.
The post The Quad commits to strengthening cybersecurity in software, supply chains appeared first on Malwarebytes Labs.

The United States, Australia, and its Asian partners—India and Japan—have agreed to work on several cybersecurity initiatives on software, supply chain, and user data.

The countries’ leaders, who convened in Tokyo on May 24, 2022, have met annually four times since the revival of the alliance—formally called the Quadrilateral Security Dialogue, or simply the Quad—during the 2017 ASEAN Summits in Manila, Philippines.

A year ago, they supported regional countries to build cybersecurity resilience and counter disinformation. The group also assisted the Indo-Pacific in countering the growing ransomware threat and countering cybercrime.

US President Joe Biden, Australian Prime Minister Anthony Albanese, Indian Prime Minister Narendra Modi, and Japan Prime Minister Fumio Kishida issued a joint statement, stating their renewed commitment to deepening cooperation in addressing some pressing challenges currently facing the Indo-Pacific region: The ongoing COVID-19 pandemic, infrastructure, climate change, peace and stability (in light of the Ukraine invasion), and cybersecurity.

“In an increasingly digital world with sophisticated cyber threats we recognize an urgent need to take a collective approach to enhancing cybersecurity,” the White House said. “To deliver on the Quad Leaders’ vision for a free and open Indo-Pacific, we commit to improving the defense of our nations’ critical infrastructure by sharing threat information, identifying and evaluating potential risks in supply chains for digitally enabled products and services, and aligning baseline software security standards for government procurement, leveraging our collective purchasing power to improve the broader software development ecosystem so that all users can benefit.”

The Quad also plans to create a Quad Cybersecurity Partnership. They will coordinate “capacity building programs” within the region and launch a Quad Cybersecurity Day to “help individual Internet users across our nations, the Indo-Pacific region, and beyond to better protect themselves from cyber threats.”

The White House said the Quad will meet again next year in Australia.

The Quad commits to strengthening cybersecurity in software, supply chains

Intuit warns of a phishing email telling customers to validate their account to clear a temporary hold.
The post Intuit phish says “we have put a temporary hold on your account” appeared first on Malwarebytes Labs.

Intuit released a warning about a phishing email being sent to its customers. The phishing emails tell recipients that their account has been put on hold, and try to trick users into “validating their account” to release it again.

**Intuit**

Intuit Inc. is an American business software company that specializes in financial software. Intuit’s products include the tax preparation application TurboTax, personal finance app Mint, the small business accounting program QuickBooks, the credit monitoring service Credit Karma, and email marketing platform Mailchimp.

The example email for this campaign claims to come from the QuickBooks Team.

**The email**

Intuit has recently received reports from customers that they have received emails similar to the one below. The email explains to the receiver that their account is temporarily on hold, and what they need to do to remediate that situation.

Image of phishing email courtesy of Intuit

The email reads:

Dear Customer,

We’re writing to let you know that, after conducting a review of your business, we have been unable to verify some information on your account. For that reason, we have put a temporary hold on your account.

What you can do

If you believe that we’ve made a mistake, we’d like to remedy the situation as quickly as possible. To help us effectively revisit your account, please complete the below verification form:”

\[large green button that is definitely not going to Intuit\]

Once verification has been completed, we will re-view your account within 24-48 hours.

We’re sorry that we can no longer offer our services to you, and we wish you the best of luck with your business.

QuickBooks Support

The “Complete Verification” button in the phishing email will likely redirect recipients to a phishing site designed to harvest personal information, or infect victims with malware.

Needless to say, _this email did not come from Intuit_.

Intuit wants you to know that “the sender is not associated with Intuit, is not an authorized agent of Intuit, nor is their use of Intuit’s brands authorized by Intuit.”

**Clues**

Some details of the email are clues that you are not dealing with Intuit.

*   The actual email address of the sender (vcn @ fucaxcapital\[.\]com) does not belong to Intuit.
*   Hovering over the button would show you that it doesn’t got to an intuit.com URL.

Some details offer softer clues that you should be suspicious:

*   Phishing emails want urgent action—this one wants you to act “as quickly as possible”.
*   It’s unlikely that Intuit would address you “Dear Customer” in a case like this.
*   Intuit normally asks you to sign in to its website rather than sending emails with clickable buttons.

**What you really should do**

In the security notice, Intuit advises customers who received one of these phishing messages not to click any embedded links or open any attachments. We suggest that you delete the suspicious email from your inbox, if you have it, to avoid falling into the trap at a later point.

QuickBooks users who have already opened attachments or clicked links after receiving one of these phishing emails should:

1.  Change their passwords.
2.  Delete any downloaded files immediately.
3.  Scan their systems using an up-to-date anti-malware solution.

Businesses can find some more tips to deal with phishing attempts in our article Businesses: It’s time to implement an anti-phishing plan.

Stay safe, everyone!

Intuit phish says “we have put a temporary hold on your account”

Posts from the last week on Malwarebytes Labs describing all the latest news, exploits, scams, and more.
The post A week in security (May 23 – 29) appeared first on Malwarebytes Labs.

Posted: May 30, 2022 by

**RELATED ARTICLES**

May 17, 2022 - AirTag stalking is in the news as bills look to close loopholes used by stalkers. What are AirTags, and how can they be used to track people?

May 9, 2022 - Google and all its products can dominate the average person's life. Here's an in-depth guide on how to remove yourself from their ecosystem.

May 5, 2022 - Google has released updates for Android and its Pixel phone. We discuss the three vulnerabilities that were classified as critical.

April 29, 2022 - Google has been busy. After introducing badges for browser apps, it's also launched its "nutrition labels" for apps.

April 12, 2022 - We take a look at a collection of apps which were all harvesting user data via an SDK promising "monetisation".

A week in security (May 23 – 29)

Twitter is paying the price for using users' security information for targeted advertising,
The post Twitter fined $150M after using 2FA phone numbers for marketing appeared first on Malwarebytes Labs.

The Federal Trade Commission (FTC) and the Department of Justice (DOJ) have ordered Twitter to pay a $150M penalty for using users’ account security data deceptively.

The deception violates an FTC order from 2011, that bars Twitter from “misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to nonpublic information and honor the privacy choices made by consumers.”

This penalty stemmed from a complaint the DOJ filed on behalf of the FTC against Twitter. From May 2013 to September 2019, Twitter asked users to provide an email address and contact number for security reasons, such as setting up two-factor authentication (2FA); password recovery; and for re-enabling full access to accounts thought to have acting suspiciously.

However, Twitter used it for another purpose: Targeted advertising.

“As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads,” said Lina M. Khan, chairperson of the FTC, in a press release. “This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue.”

On top of Twitter paying the penalty, the FTC has added new provisions to protect Twitter users in the future.

The company has been told it must notify users about its improper use of their phone numbers and email addresses, tell them about the FTC action, and explain how they can turn off personalized ads and review their multi-factor authentication settings. It is also prohibited from using the phone numbers and email addresses it illegally collected to serve ads. It will also have to provide multi-factor authentication options that don’t require a phone number.

It will also have to create and resource a “comprehensive privacy and information security program” that “protects the privacy, security, confidentiality, and integrity” of users’ data.

The press release also noted that Twitter violated the EU-US Privacy Shield and Swiss-US Privacy Shield agreements, which require participating countries to follow certain privacy protocols when legally transferring data from the EU and Switzerland.

Twitter fined $150M after using 2FA phone numbers for marketing

Critical updates have been released for both Firefox and Thunderbird. Apply now if you haven't already—we explain how.
The post Firefox, Thunderbird, receive patches for critical security issues appeared first on Malwarebytes Labs.

Mozilla has published updates for two critical security issues in Firefox and Thunderbird, demonstrated during Pwn2Own Vancouver. The vulnerabilities, discovered in the Firefox JavaScript engine (shared by the Firefox-based Tor browser) relate to Firefox 100.0.2, Firefox for Android 100.3.0, and Firefox ESR 91.9.1. For users of Thunderbird, the vulnerability there is in relation to Thunderbird 91.9.91.

Additionally, there is some fallout beyond the standard versions of Firefox and Thunderbird. Users of the anti-surveillance Tails Operating System have been warned to stop using the bundled Tor browser until a fix goes live. This is because it could be potentially vulnerable to CVE-2022-1802:

> This vulnerability allows a malicious website to bypass some of the security built in Tor Browser and access information from other websites.
> 
> For example, after you visit a malicious website, an attacker controlling this website might access the password or other sensitive information that you send to other websites afterwards during the same Tails session.
> 
> This vulnerability doesn’t break the anonymity and encryption of Tor connections.

The fix for this Tails issue may not be seen until at least version 5.1. At time of writing, the expected release date for this is May 31.

**The vulnerabilities**

The two issues come with the following description:

CVE-2022-1802 is a critical prototype pollution vulnerability. According to Mozilla, an attacker who was able to corrupt the methods of an Array object in JavaScript via prototype pollution, could have executed malicious JavaScript code in a privileged context.

CVE-2022-1529 is another critical prototype pollution vulnerability. In this case, Mozilla says that untrusted user input was used in object indexing, leading to prototype pollution, which could have allowed an attacker to execute malicious JavaScript code in a privileged context.

**Update now, if you haven’t already**

Most installations of Thunderbird and Firefox will be set to update by default. If this is the case, you should already have the security fixes applied and you have nothing to worry about.

This isn’t the case for all installations, however. If you _don’t_ have Firefox or Thunderbird set to update automatically, the fix won’t be present. As a result, you’ll need to manually apply the update.

In Firefox, navigate to **Settings** and then click **General** > **Firefox Updates**.

From here, select the most suitable option from **Allow Firefox to**:

*   Automatically install updates
*   Check for updates but let you choose to install them.

The update process for Thunderbird is much the same as Firefox. By default, it’s set to update manually, but you can select similar options to Firefox using the Advanced option in the Updates tab.

With both of these tasks accomplished, you should no longer be at risk from either CVE.

Firefox, Thunderbird, receive patches for critical security issues

ChromeLoader is working its way into Chrome browsers via ISO images claiming to offer cracked games. What are the dangers?
The post ChromeLoader targets Chrome Browser users with malicious ISO files appeared first on Malwarebytes Labs.

If you’re on the hunt for cracked software or games, be warned. Rogue ISO archive files are looking to infect your systems with ChromeLoader. If you think campaigns such as this only target Windows users, you’d sadly be very much mistaken. The attack sucks in several operating systems and even uses mobiles as bait to draw in additional victims.

**Of PowerShells and ISOs**

An optimal disc image (ISO) is a disk image containing everything written to an optical disc. If someone copied a DVD or CD-ROM, they may end up with an ISO. With the right software, these files can be mounted and read as if the device was reading from a physical disc.

If a malware author claims to be offering cracked or pirated versions of games or software, an ISO is frequently what’s on offer. They may be promoted on social media, video sites, game crack portals, or torrents. Sadly for would-be file downloaders, they’re frequently booby trapped with malware.

PowerShell is a way to automate tasks and comes complete with  a command line interface. It can be used by infection files to execute specific commands and get the infection ball rolling. This ChromeLoader attack combines both Powershell and ISOs to compromise systems.

**How does ChromeLoader infect a device?**

The flow is as follows:

1.  Bogus files are promoted on Twitter and other services. Some victims are simply grabbing the infection from rogue sites and/or torrents.
2.  Some social media posts promote supposedly cracked Android games via QR codes which direct would-be gamers to rogue websites.
3.  Double clicking the ISO file mounts it as a virtual CD-ROM. The executable in the ISO claims to be the content the victim was originally looking for.
4.  ChromeLoader makes use of a PowerShell command to load in a Chrome extension from a remote resource. PowerShell then removes the scheduled task and the victim is none the wiser that their browser has been compromised. At this point, search results cannot be trusted and bogus entries will be displayed to the user.
5.  As BleepingComputer notes, users of macOS are also at risk from this attack. Instead of ISO, attackers use DMG (Apple Disk Image) files, which is a more common format on that OS.

**Tips to avoid ChromeLoader**

1.  Searching for cracked games and software is a very risky business. Many sites promoting malware masquerading as “genuine” crack portals are hard to spot. If you’re downloading a torrent, you may well be rolling dice with regard to the digital health of your devices. Deep sales on games and products are fairly common. Unless it’s a brand new title, it may be worth waiting for a product-centric sale.
2.  In Chrome, Click the **More** icon, then **More Tools** -> **Extensions**. From there, you can see what’s installed, what is active or disabled, along with additional information about all extensions present. Google also has advice for resetting browser settings and additional clean-up methods.
3.  Keeping your security software up to date and running regular scans helps prevent this kind of attack. You should also always scan a downloaded file before making use of it.
4.  Keep in mind that rogue extensions don’t just come from bad websites or rogue downloads. The Chrome web store itself has been known to play host to bad files. Always check reviews, developer information, extension permissions and anything else of note before installing a new extension to your browser.

ChromeLoader targets Chrome Browser users with malicious ISO files

Scammers are trawling dating apps again. But they're not out to capture hearts but personal details—and your money, of course.
The post Watch out! Tinder and Grinder users targeted by cruel scammers using real abuse photos appeared first on Malwarebytes Labs.

A horrible catfishing scam is using real abuse photos in order to lure in unsuspecting victims on sites like Tinder and Grinder. Recently unearthed by Bleeping Computer, it works like this:

Boy meets good-looking girl on dating site. The longer they talk, boy notices the conversation turning into a confession of abuse, with good-looking girl providing him pictures to back up her story. Good-looking girl then asks boy to “prove” his identity using an ID service which, you’ve guessed it, costs money.

Michael (not his real name) shared screenshots of a portion of his chat records with a “beautiful trans woman” with BleepingComputer.

“I almost fell victim to a uniquely cruel catfishing scheme,” he said.

Michael’s chat session included disturbing images of the alleged abuse. (Source: BleepingComputer)

The woman Michael was chatting with asked that he used a third-party “ID verification” service to prove that he’s not a former sex offender, backing up her request with “evidence” of abuse she’s suffered. “Cassey Queen” directed Michael on what website to use and what to do.

From one of the sites Bleeping Computer found:

> “We provide safety insurance in which both parties who are suppose to meet are being verified for safe meet up because some of our members complain that they are being harassed and sometimes ended up being robbed and beaten. We make sure that someone will be apprehended if he make some disrespectful acts.”

Many of the sites ask people to register with their card details and other information, including their full name, country of residence, ZIP code, and email address. The form where users enter their details is an HTML iframe, served by dot com sites with keysmash names. ntrfrnc.com is one of them.

One of the many keysmashed dot com sites that process payment details for scammy “ID verification” sites.

There are a handful of sites with the very same site template, and they all list the same office address in Cyprus.

**To verify or not to verify? No need to ask**

These “ID verification” services cost victims a lot of cash.

A sample listing of what daters would have to pay should they sign up for an ID check service. Those who sign up are also enrolled in a recurring subscription with membership options. (Source: BleepingComputer)

Additionally, all the details you give to these sites will be stored, processed, and used by these services however they like. This also means they could sell your details to third parties, use them to create synthetic profiles, or use them to pose as you online.

Users on Tinder and Grindr appear to be the targets of this scam, but keep in mind that tactics like this could easily spill over into social media sites and other watering holes that enable people to meet someone new.

Both Tinder and Grindr highly encourage their users to block and report profiles that appear to be a scam. So should you encounter one while looking for a potential date, you know what to do.

Stay safe!

Watch out! Tinder and Grinder users targeted by cruel scammers using real abuse photos

A recent phishing scam neatly illustrates some of the tactics scammers use to avoid human intuition and automatic detection.
The post If you get an email saying “Item stopped due to unpaid customs fee”, it’s a fake appeared first on Malwarebytes Labs.

Our spam traps recently caught a phishing scam that neatly illustrates some of the tactics scammers use routinely to avoid both human intuition, and automatic detection.

The scam starts with an unsolicited email, of course…

The scam email is ostensibly from the Post Office, an instantly recognisable postal service brand in the UK, and it tells recipients “There is a update in your parcel. item stopped due to unpaid customs fee.” \[sic\] This is an echo of an extremely popular SMS scam from 2021 that told recipients they had to pay a small postage fee to release a parcel waiting for delivery.

The spelling and grammar in the email is predictably awful, and a little weird—it looks like a bad scan by an optical character reader (OCR). However, despite decades of security advice highlighting poor spelling and grammar as an enormous red flag, the fact is it doesn’t seem to hurt the scammers. So while other tactics have evolved, poor English has persisted.

As simple as it is, and as bad as it seems, the message includes a number of features that help to avoid raising suspicions:

**It’s a familiar message from a trusted brand**

Half the email is taken up by a giant logo for an organisation that is instantly recognisable to anyone in the UK. The scammers are building trust in the sender and telling users this is about a postal delivery, without writing a word.

They are also piggybacking on a very familiar form of email communication. Delivery companies like DHL and Royal Mail regularly bombard us with email and SMS updates about deliveries, recipients are often asked to click through to websites to track parcels, and occasionally they have to pay postage or customs fees.

**The address looks good**

The from address starts “PostOffice.co.uk”, suggesting it’s come from the postoffice.co.uk domain. However, that’s the Display Name, a user-friendly name that can be anything the sender wants. The address is the part in angle brackets: support@subsecure-community.zendesk.com.

Some sharp-eyed users may spot that it’s actually a zendesk.com email address, but Zendesk itself is a trusted system that’s used by big brands, and getting an email from Zendesk isn’t unusual either.

Because Zendesk is an online business, it makes setting up new accounts very easy. And because it relies heavily on email, it uses features like DKIM to minimise the chances of its emails being forged or flagged by anti-spam tools. By setting up genuine Zendesk accounts, the scammers are able to benefit from those security features, and the trustworthiness of the zendesk.com domain.

Of course criminals don’t expect their accounts to last long, and this one was quickly shut down.

**The links don’t look bad**

Users who hover their pointer over the email’s links, hoping to see if they look nefarious, will be disappointed, as they’ll just see an impenetrably-complicated URL. A lot of emails use odd-looking and convoluted URLs, so it’s rare to see links that are obviously good or obviously bad, and these are unlikely to ring alarm bells.

The only oddity that might tip off knowledgeable users is that links go to Google. They look like this:

https://www.google.co**m**/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwi2z4al48\_3AhUDgf0HHQYWA-sQFnoECAkQAQ&url=https%3A%2F%2Fexample.org%2Fbaby-music%2F&usg=AOvVaw2RWSxL7fWRChaS7EhY5OuA

This URL in the email is borrowed from a Google search results page. Why? Because the links in Google search results pages are open redirects that can be used by anyone to create a google.com URL that will redirect to a web page of their choice. Many companies regard open redirects as a security vulnerability, but Google does not.

The web page you end up on if you click the link in the phishing email is highlighted below, although we’ve replaced the name of the compromised website with example.org:

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwi2z4al48\_3AhUDgf0HHQYWA-sQFnoECAkQAQ&url=https%3A%2F%2Fexample.org%2Fbaby-music%2F&usg=AOvVaw2RWSxL7fWRChaS7EhY5OuA

The Google open redirect helps to hide the real URL from curious users, but it may help to hide it from automatic detection too. The open redirect on google.com uses JavaScript rather than HTTP, so automated tools that follow chains of HTTP redirects won’t reach the scammer’s website, they’ll simply stop at google.com, which returns a status of 200 OK rather than 301 Redirect.

So where does it end up? Right now, nowhere. Whatever was waiting for victims on the compromised website—malware, malvertising, a payment form, or some other equally unpleasant thing—has been removed by the site owner. All that’s left is an empty directory.

The scammers, no doubt, have already moved on to a new compromised website, a new “burner” Zendesk account, and a different Google URL.