Email redirects to phishing site when opened on a mobile device

Question

Email redirects to phishing site when opened on a mobile device

Closed this issue 5 months ago · 8 comments

We have used this app in previous years but this year when emails are recieved and the "Find out your person" link on a mobile device is pressed it is redirecting participants to a Phishing site. This has been reported from multiple participants.

Note: This only seems to happen when the link is opened on a mobile device, it does not happen on desktop.

Note2: Canceling your party will stop participants who have not yet clicked the link from being redirected to the phishing site (instead they will recieve an error).

Answer 1 · 2023-10-28T13:45:47.000Z

hi @zackslash, thx for your report!
I am investigating the issue but but wasn't able to reproduce it yet.
My assumption would be that some 3th party tools (like corrupted browser plugins or other applications) on the device of the party creator have managed to infiltrate into the party details.
As I understood the party has been removed for now so I am unable to have a closer look for this specific case.
I assume you only had those experience for this specific party?

Anyhow, we will do some more research on this topic and take extra measurements to prevent such things from happening in the future.

Answer 2 · 2023-10-28T16:57:25.000Z

Hey @RubenHollevoet,
Thanks for the quick response.

We have been able to replicate this on multiple iOS devices (multiple individuals across multiple geographical locations).

It seems to be replicable when creating any new party but only seems to redirect participants using iOS devices.

Answer 3 · 2023-10-28T17:20:09.000Z

I've had more reports that this is also happening on Android devices, so it does not seem limited to iOS.

Looking at the request flow; It seems like the redirect may be started by 'invoke.js', additionally; I tested blocking the domain 'highcpmcreativeformat.com' at DNS level and that stops the redirects to the phishing site from happening, so I suspect this URL could be publishing malicous code on your site.

There are multiple embeds of that site in this project, for example:

SecretSanta/templates/Participant/show/valid.html.twig:112

document.write('<scr' + 'ipt type="text/javascript" src="//www.highcpmcreativeformat.com/4e46a9746a54e456c0123bd2f828c7c5/invoke.js"></scr' + 'ipt>');

Answer 4 · 2023-10-28T18:21:50.000Z

I can say I am currently experiencing the same. As well as my participants.

Answer 5 · 2023-10-29T07:42:00.000Z

Thanks for the extra investigation!
I will get in touch with the ones who are able to redeploy. Hopefully it will be fixed soon

@tvlooy could you checkout b3ae08b?

Answer 6 · 2023-10-29T08:42:15.000Z

disabled adsterra stuff and discussing with marketing people

Answer 7 · 2023-12-02T21:58:02.000Z

I'm getting reports from my parents of mobile asking for credit card information and claims of this being a paid service. neither have ad blockers on.

Answer 8 · 2023-12-04T06:46:50.000Z

That's not good at all! Can you email your management page to? tom.vanlooy at iodigital dot com?