Today, I (@BreakTheSec) came across a diet spam campaign that leverages an open redirect vulnerability on the website of one of the top news organizations, CNN.
One of the tweets posted from the spammers' Twitter account reads: "The diet porgram you told us about yesterday is soo good! hxxx://cgi.cnn.com/cgi-bin/redir?URL=hxxx://tumblrhealth.me"
The tweet shows that the cybercriminals are using the open redirect flaw on CNN's site to send Twitter users to diet spam websites.
Other spam tweets read: "I love myself even more after I started your diet porgram [link]" and "Yahoo made an article about how amazing your new diet program is!! You look amazing"
The technique gives the cybercriminals several advantages, including:
- Gaining the trust of users
- URL filtering won't block users from accessing the URL, because the request goes to CNN; the CNN website then redirects the user to the scam website.
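As an added illustration of the mitigation (example code written for this post, not CNN's or Yahoo's redirect handler; the allowlisted hosts and the access-log lines are constructed), this shows a `redir?URL=` endpoint that only follows targets on an allowlist, and a check that flags off-site targets in existing logs:

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Hosts a redirect endpoint may legitimately send a visitor to
# (constructed for this example; a site would use its own list).
ALLOWED_HOSTS = {"www.news.example", "cgi.news.example"}

def is_safe_redirect(target: str) -> bool:
    """True only for a local absolute path or an http(s) URL on an allowlisted host."""
    if not target:
        return False
    # Decode and normalise backslashes, which browsers treat as '/'.
    t = unquote(target).replace("\\", "/")
    parts = urlsplit(t)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: accept "/path", reject "//host" (protocol-relative).
        return t.startswith("/") and not t.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, ftp: and friends
    # .hostname drops userinfo, so "https://www.news.example@evil.example" -> evil.example
    return (parts.hostname or "").lower() in ALLOWED_HOSTS

def handle_redirect(request_uri: str, fallback: str = "/") -> str:
    """Where a hardened /cgi-bin/redir?URL=... endpoint should send the client."""
    target = parse_qs(urlsplit(request_uri).query).get("URL", [""])[0]
    return target if is_safe_redirect(target) else fallback

# Constructed access-log lines in common log format, showing the redirect endpoint in use.
LOG_LINES = [
    '10.0.0.5 - - [23/May/2013:10:01:02 +0000] "GET /cgi-bin/redir?URL=https://www.news.example/weather HTTP/1.1" 302 0',
    '10.0.0.6 - - [23/May/2013:10:01:03 +0000] "GET /cgi-bin/redir?URL=http://tumblrhealth.me HTTP/1.1" 302 0',
    '10.0.0.7 - - [23/May/2013:10:01:04 +0000] "GET /cgi-bin/redir?URL=//evil.example/diet HTTP/1.1" 302 0',
]

def offsite_redirects(lines):
    """Return the URL= targets in the log that the allowlist would have refused."""
    hits = []
    for line in lines:
        m = re.search(r'"GET (\S+) HTTP', line)
        if not m:
            continue
        target = parse_qs(urlsplit(m.group(1)).query).get("URL", [""])[0]
        if target and not is_safe_redirect(target):
            hits.append(target)
    return hits

if __name__ == "__main__":
    print(offsite_redirects(LOG_LINES))
```

Running the log check over historical access logs is a quick way to find out whether an endpoint like this has already been used to bounce visitors off-site.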
After further research, I discovered that the spammers have also managed to exploit an open redirect flaw in Yahoo:
"hxxx://us.ard.yahoo.com/SIG=15ohh3h62/M=722732.13975606.14062129.13194555/D=regst/S=150002347:R2/Y=YAHOO/EXP=1275539597/L=hnNys0Kjqbp5Cok8Sr10cAJDTPYa3UwHFG0AANhn/B=VSDoPmKJiUs-/J=1275532397077354/K=rS6pwy3MN2NPP7SBqBCOAQ/A=6097785/R=0/SIG=11o4aqdmv/*hxxx://bit.ly/HealthDiet2"
This is not the first time the CNN website has been abused by cybercriminals. In 2010, spammers exploited an open redirect vulnerability in "ads.cnn.com".
*Update: security researcher Janne Ahlberg discovered
The screenshot shows the tweet was posted on 23rd May 2013. At the time of writing, the tweet still appears in the account.
It appears the cybercriminals' campaign, which mentions various celebrities and media organizations in its tweets, is gaining traction: one more celebrity has fallen victim to the spam campaign.
Keith Cozart, better known by his stage name Chief Keef, an American rapper from Chicago, replied to the spam tweet: "“@honshadey: @ChiefKeef So happy you released a diet program! THANKS! hxxx://cgi.cnn.com/cgi-bin/redir?URL=hxxx://tumblrhealth.me …” Bitch U Know i aint Got no Diet Program"
Unfortunately, more than 400 followers have retweeted the post, which helps the spammers spread their campaign.