A new phishing scam has been detected that uses a WebEx meeting request as a lure to get business users to download a remote access Trojan that masquerades as the WebEx client (WebEx.exe).
The campaign was detected by Alex Lanstein and shared on Twitter. The meeting request is a carbon copy of a genuine WebEx meeting notification email. As with the real meeting requests, the email contains a Join Meeting button, which the user needs to click to join the meeting. As with the genuine emails, when the user arrives on the site, they will be prompted to download the WebEx client. The genuine WebEx client is required to take part in the meeting and view the screen of the meeting host. The fake WebEx client has the same name WebEx.exe and is indistinguishable from the genuine executable file.
Business users who regularly participate in meetings such as this will be aware that a client is needed. They will also be familiar with the WebEx messages and would likely notice nothing untoward. If the user checks the link address, they will see that it directs them to the secure-web.cisco.com page, which appears perfectly legitimate as WebEx is owned by Cisco.
However, while the link does direct the user to that site, an open redirect has been created that sends the user on to a malicious site where the fake WebEx client is downloaded. If the executable file is run, it will install a remote access Trojan (RAT) which will give the attacker full control of the victim's computer. Installation of the RAT will see it inserted into the Startup folder, ensuring it is launched each time the user's device is booted.
The RAT gives the attacker the ability to remotely execute commands on the victim's computer, download and upload files, log keystrokes, delete files, gain control of the webcam, and steal browser passwords. The WebEx team has now updated the reputation score for the URL to prevent further access.
This scam clearly demonstrates how open redirects can be used in convincing phishing scams. These emails are often not detected as malicious by email security gateways as the sites on which the redirects have been created have a high trust score. The campaign also highlights a security flaw in webinar platforms that require users to download and run an executable on the spot to participate.
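The redirect abuse described above can be picked up at the mail gateway or in a link-triage script by looking for a trusted host whose query string carries an absolute URL to some other domain. The following is an added example (not code from the article or from Cisco); the trusted-host list, the URL layouts and the `.test` domains are constructed for illustration, since the campaign's real links are not given on the page.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Hosts the organisation treats as trusted (assumed list for this example).
TRUSTED_HOSTS = {"secure-web.cisco.com", "webex.com"}


def embedded_urls(url):
    """Return absolute http(s) URLs carried inside the query string of `url`."""
    parsed = urlparse(url)
    found = []
    for values in parse_qs(parsed.query).values():
        for value in values:
            candidate = unquote(value)  # handle a second layer of encoding
            inner = urlparse(candidate)
            if inner.scheme in ("http", "https") and inner.netloc:
                found.append(candidate)
    return found


def is_trusted(host):
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def check_link(url):
    """Classify a link: 'redirect-risk' when a trusted host forwards to an
    untrusted one, otherwise 'trusted' or 'untrusted'."""
    host = urlparse(url).hostname or ""
    if not is_trusted(host):
        return "untrusted"
    for inner in embedded_urls(url):
        if not is_trusted(urlparse(inner).hostname or ""):
            return "redirect-risk"
    return "trusted"


# Constructed sample links modelled on the lure (illustrative only).
SAMPLE_LINKS = [
    "https://secure-web.cisco.com/meeting/join?id=12345",
    "https://secure-web.cisco.com/redirect?url=https%3A%2F%2Fexample-malicious.test%2FWebEx.exe",
    "https://example-malicious.test/WebEx.exe",
]


def triage(links):
    """Map each link to its verdict so the result can be logged or alerted on."""
    return {link: check_link(link) for link in links}


if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:14} {link}")
```

A link that scores "redirect-risk" is the case the article describes: the visible host is legitimate, so reputation alone passes it, but the embedded target is where the user actually lands.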