Nespresso Domain Serves Up Steamy Cup of Phish, No Cream or Sugar

A phishing campaign exploiting a bug in Nespresso's website has been able to evade detection by taking advantage of security tools that fail to look for malicious nested or hidden links.

The campaign starts with a phishing email that appears to have been sent from an employee with Bank of America, with a message to "please check your recent [Microsoft] sign-in activity." If a target clicks, they are then directed to a legitimate but infected URL controlled by Nespresso. according to research today from Perception Point.

Because the address is legitimate, the hijacked Nespresso site triggers no security warnings, the report explained. The Nespresso URL then delivers a malicious .html file doctored up to look like a Microsoft login page, intended to capture the victim's credentials, the Perception Point team added.

The attackers are making use of an open redirect vulnerability in the coffee giant's webpage, the researchers explained: "Open redirect vulnerabilities occur when an attacker manages to redirect users to an external, untrusted URL through a trusted domain. This is possible when a website or URL allows data to be controlled from an external source."

Attackers know that some security vendors "only inspect the initial link, not digging further to discover any hidden or embedded links," they added. "With this knowledge, it makes sense that the attacker would host the redirect on Nespresso, as the legitimate domain would likely be sufficient to bypass many security vendors, detecting only the reputable URL and not the subsequent malicious ones."

This particular campaign has been launched from several different sender domains, but it consistently uses the infected Nespresso URL and the fake Bank of America email in the cyberattacks, the report added. According to Perception Point, the redirect has not yet been fixed.

“We were alerted of a phishing attempt, where a modified redirection website link disguised as a Nespresso address was used to try to obtain personal credentials from people (not necessarily Nespresso customers)," a spokesperson tells Dark Reading. "We can confirm that our customers’ data has not been compromised in any way. We ask everyone to be aware and vigilant of emails that redirect them to unknown websites.”