Phishers use Nespresso links, exploiting redirect vulnerability


Security researchers at Perception Point discovered that phishers are exploiting an open redirect vulnerability on the website of Nespresso, a popular maker of coffee machines and coffee capsules.

An open redirect vulnerability allows an attacker to redirect a user to a malicious website or inject arbitrary content into a legitimate website.

Basically, by manipulating the URL value, a hacker can craft a link that appears to come from Nespresso but redirects the user to a malicious site.

In this case, phishers constructed a link that starts with “t.uk.nespresso.com/r/?id[...],” but leads to a malicious website.

The Perception Point team of security researchers warns that attackers have already exploited the vulnerability in the wild by sending scam emails trying to bypass detection and steal Microsoft login credentials.

“This attack starts with an email. Albeit, in this instance a very strange email that at first glance appears to be a multi-factor authentication request from Microsoft. The email sender is unaffiliated with Microsoft,” researchers write.

The message is muddled to look as if it has been forwarded a few times but originally came from Microsoft.

“Regardless of the convoluted details, the overall message is clear. The email urges the recipient to check their recent login activity,” Perception Point said.

If a user clicks the link, the browser will open a malicious spoofed Microsoft login page designed to harvest credentials.

“The goal of using the Nespresso open redirect vulnerability is to evade security measures. Attackers know that some security vendors only inspect the initial link, not digging further to discover any hidden or embedded links. With this knowledge, it makes sense that the attacker would host the redirect on Nespresso, as the legitimate domain would likely be sufficient to bypass many security vendors,” researchers explain.
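The detection gap the researchers describe (inspecting only the first link) is what a link checker that follows the whole redirect chain is meant to close. The following is an added example, not code from Perception Point, Nespresso or Cybernews; the redirect table and the look-alike hostnames are constructed, and the domain matching is a crude stand-in for a public-suffix lookup:

```python
from urllib.parse import parse_qs, urlsplit

MAX_HOPS = 10  # stop following chains that loop or bounce through many hosts

# Constructed stand-in for HTTP responses: url -> Location header (None = final page).
# A real checker issues requests with auto-redirect disabled and reads Location.
FAKE_REDIRECTS = {
    "https://t.uk.nespresso.com/r/?id=abc123": "https://login-micros0ft.example/verify",
    "https://login-micros0ft.example/verify": None,
}

def registrable_domain(host):
    """Crude eTLD+1 (assumption: last two labels); use a public-suffix list in production."""
    return ".".join((host or "").lower().split(".")[-2:])

def follow_redirects(url, fetch_location=FAKE_REDIRECTS.get):
    """Return the full hop chain, starting with the link as it appears in the email."""
    chain = [url]
    for _ in range(MAX_HOPS):
        nxt = fetch_location(chain[-1])
        if nxt is None or nxt in chain:  # final page, or a redirect loop
            break
        chain.append(nxt)
    return chain

def embedded_external_urls(url):
    """Query values that are absolute URLs on another domain (a common open-redirect shape)."""
    parts = urlsplit(url)
    origin = registrable_domain(parts.hostname)
    found = []
    for values in parse_qs(parts.query).values():
        for value in values:
            target = urlsplit(value)
            if target.scheme in ("http", "https") and target.hostname \
                    and registrable_domain(target.hostname) != origin:
                found.append(value)
    return found

def assess_link(url):
    """Flag a link whose final destination leaves the domain it appears to come from."""
    chain = follow_redirects(url)
    first = registrable_domain(urlsplit(chain[0]).hostname)
    last = registrable_domain(urlsplit(chain[-1]).hostname)
    return {
        "chain": chain,
        "leaves_domain": first != last,  # True for the constructed Nespresso-style link
        "embedded_urls": embedded_external_urls(url),
    }
```

In a mail gateway, `fetch_location` would be replaced by a sandboxed HTTP client that does not auto-follow redirects, and a `leaves_domain` result would feed the verdict for the message rather than the reputation of the first hostname alone.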

Perception Point observed multiple attacks from different sender domains involving Nespresso URLs. Some of the scams appeared to have been forwarded from Bank of America.

At the time of writing, the vulnerability was still open.

“We were alerted of a phishing attempt, where a modified redirection website link disguised as a Nespresso address was used to try to obtain personal credentials from people (not necessarily Nespresso customers). We can confirm that our customers’ data has not been compromised in any way. We ask everyone to be aware and vigilant of emails that redirect them to unknown websites,” a Nespresso spokesperson told Cybernews.

Cybernews has already reported that users should not trust links even when they come from reputable domains: BMW also had subdomains affected by a redirect vulnerability.

Users should beware of clicking any suspicious link, even when the domain appears legitimate. Attackers have their ways of delivering a malicious payload.

Updated on April 25th [06:30 a.m. GMT] with a statement from Nespresso.