Phishing Emails Spoof WebEx Invites, Abuse Open Redirect

That WebEx meeting invite you just received may actually be a phishing email that spreads the WarZone remote access trojan by abusing a Cisco open redirect.

An open redirect is an app or website vulnerability — caused by improper authentication of URLs — that allows attackers to introduce their own URLs that route users or visitors to a malicious website. Researcher Alex Lanstein discovered the campaign last week and on Nov. 6 issued a tweet explaining how the scam works.

“Pretty slick webex phish/spoof… leverages what appears to be a redirect service on Cisco’s page to redirect to the malware (called webex.exe)” wrote Lanstein, whose tweeted was previously spotted and reported by BleepingComputer’s Lawrence Abrams.

Victims of this scam receive a convincing-looking meeting invitation, replete with a meeting number, password and time. There is also a “Join Meeting” button, just as there would be had they received a genuine invitation.

Normally, users who click this button are routed to a site and subsequently prompted to download the official WebEx client. But by abusing the Cisco open redirect, the attackers instead send victims to a site that downloads WarZone as a malicious payload, disguised as a webex.exe executable.

According to BleepingComputer, WarZone can download and execute software, execute commands, take over webcams, delete files, enable Remote Desktop Services and VNS for remote access, log keystrokes and steal Firefox and Chrome passwords.