Threat Actors Use ClickFunnels to Bypass Security Services

Threat actors have been spotted using the legitimate ClickFunnels service to bypass security services and redirect users to malicious links.

Security researchers at Avanan, a Check Point Software company, discussed the findings in an advisory shared with Infosecurity and published earlier today.

"ClickFunnels is an online service that helps entrepreneurs and small businesses generate leads, build marketing engines and grow their businesses," wrote Avanan marketing content manager Jeremy Fuchs. "Hackers, however, are using it to bypass security services."

More specifically, threat actors have been exploiting ClickFunnels' ability to create pages with malicious links and ultimately conduct credential-harvesting attacks.

"We talk constantly about 'The Static Expressway.' This is the practice of leveraging legitimate sites to host and send malicious pages," Fuchs wrote. "Essentially, it's a way of hiding malicious intent in something legitimate."

Case in point: ClickFunnels is a platform generally trusted by security engines. Therefore, links delivered through its email manage to bypass email protection solutions.

"We've seen this time and time again. Whether it's using AWS, Microsoft Voice or Facebook, this is a powerful way to get into the inbox," Fuchs added.

"It utilizes the fact that security services can't outright ban popular sites. Hackers then hop on the back of these to get into the inbox and scam users."

To protect against similar attacks, Avanan recommends that users manually check URLs in emails and browsers before clicking on them, and ask senders whether they meant to use a specific site to send documents.

The technical write-up comes weeks after security researchers at Cofense reported that the use of Telegram bots as exfiltration tools for phished information increased by 800% between 2021 and 2022.

More recently, the Abnormal Security team spotted a highly successful new business email compromise (BEC) group dubbed "Firebrick Ostrich" that targeted several victims over the past two years.
