Suggested feature: modify links in Title field to avoid phishing

Everything related to Hesk - helpdesk software

Moderator: mkoch227

mashin
Posts: 4
Joined: Fri Sep 25, 2020 3:53 pm

Suggested feature: modify links in Title field to avoid phishing

Post by mashin »

Hello,

Today I read that attackers used a company's ticketing system to send links for phishing. They just added phishing links in the Title field and since the Ticketing system sends an automated reply, it seems like a legit message from the Help Desk.

I made a test on my HESK system and it does the same.


I'm aware that this could be prevented right now by only accepting tickets from registered users.

In my case I won't close the tickets to only registered users, but I will add a PHP script that searches for URLs in the title field and transforms them so they can't be clickable for the end user in email confirmation messages. But I just want to bring this to the forum in case something similar could be added in further updates.

Thanks.


News source:
https://www.bleepingcomputer.com/news/s ... g-attacks/
I like HESK
mashin
Posts: 4
Joined: Fri Sep 25, 2020 3:53 pm

Re: Suggested feature: modify links in Title field to avoid phishing

Post by mashin »

1) I added the following function to my HESK file: email_functions.inc.php


function link_remover($hyperlink) {
    return preg_replace_callback(
        '/\b((https?:\/\/)?(www\.)?[a-z0-9\-]+(\.[a-z]{2,})+([\/?][^\s]*)?)/i',
        function ($matches) {
            $broken = $matches[0];
            // Replace http, https, and www with " [link] "
            $broken = preg_replace('/^(https?:\/\/|www\.)/i', ' [link] ', $broken);
            // Replace all remaining dots with spaces
            $broken = str_replace('.', ' ', $broken);
            return $broken;
        },
        $hyperlink
    );
}

2) I added this line right after $subject = hesk_html_entity_decode($subject); in function hesk_mail in the same file.


$subject = link_remover($subject);

3) I removed %%SUBJECT%% at the new_ticket.txt template Body (Plain text & HTML)

With this, the user (customer) won't receive any phishing URLs in subject/body. The Admins still need to clean them from the original ticket though.

This might not be the best solution but it worked on my QA/prod site (I'm really not a programmer. An AI site wrote the function for me.)
I like HESK
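
A broader variant of the approach in the post above, as an added example that is not the poster's function and not HESK code: it neutralizes any scheme:// prefix (not only http/https) and rewrites dots as [.], then checks that nothing linkable is left. The function names and sample subjects are constructed for illustration; it would be called at the same point where the post calls link_remover($subject).

```php
<?php
// Added example: not HESK code and not the function posted above.
// Function names and the sample subjects below are constructed.

/** Rewrite a ticket subject so mail clients have nothing to auto-link. */
function defang_subject(string $subject): string
{
    // Any "scheme://" prefix (http, https, ftp, ...) becomes a visible marker.
    $out = preg_replace('/\b[a-z][a-z0-9+.\-]*:\/\//i', '[link] ', $subject);

    // Every dot that sits between two non-space characters becomes "[.]".
    // This also rewrites strings such as "v1.2", an accepted trade-off here.
    return preg_replace('/(?<=\S)\.(?=\S)/', '[.]', $out);
}

/** Regression check: does the text still contain something linkable? */
function looks_linkable(string $text): bool
{
    $pattern = '/[a-z][a-z0-9+.\-]*:\/\/|\bwww\.|[a-z0-9\-]\.[a-z0-9\-]/i';
    return preg_match($pattern, $text) === 1;
}

// Constructed sample subjects: one harmless, three carrying links.
$subjects = [
    'Printer on floor 2 is offline',
    'Reset your password at https://www.example.com/login?id=1',
    'Invoice ready: example.org/pay',
    'Files moved to ftp://files.example.net/share',
];

$failed = 0;
foreach ($subjects as $subject) {
    $clean = defang_subject($subject);
    printf("%-58s => %s\n", $subject, $clean);
    if (looks_linkable($clean)) {
        $failed++; // something a mail client could still turn into a link
    }
}
exit($failed === 0 ? 0 : 1);
```
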
Klemen
Site Admin
Posts: 10174
Joined: Fri Feb 11, 2005 4:04 pm

Re: Suggested feature: modify links in Title field to avoid phishing

Post by Klemen »

Thanks for sharing the news and your changes to fight such phishing attempts.

Criminals are getting really creative. It's definitely a valid concern that we will address in Hesk.
Klemen, creator of HESK and PHPJunkyard
mashin
Posts: 4
Joined: Fri Sep 25, 2020 3:53 pm

Re: Suggested feature: modify links in Title field to avoid phishing

Post by mashin »

Thank you very much
I like HESK