PHPJunkyard support forum


https://developers.phpjunkyard.com/

Suggested feature: modify links in Title field to avoid phishing

https://developers.phpjunkyard.com/viewtopic.php?t=7762

Page 1 of 1

Suggested feature: modify links in Title field to avoid phishing

Posted: Tue Jun 24, 2025 11:47 pm
by mashin
Hello,

Today I read that attackers used a company's ticketing system to send links for phishing. They just added phishing links in the Title field and since the Ticketing system sends an automated reply, it seems like a legit message from the Help Desk.

I made a test on my HESK system and it does the same.

Image

I'm aware that this could be prevented right now by only accepting tickets from registered users.

In my case I won't close the tickets to only registered users but I will add a PHP script that searches for URLS in the title field and transform them so they can't be clickable for the end user over email confirmation messages. But I just want to bring this to the forum in case something similar could be added on further updates.

Thanks.


News source:
https://www.bleepingcomputer.com/news/s ... g-attacks/

Re: Suggested feature: modify links in Title field to avoid phishing

Posted: Wed Jun 25, 2025 1:52 am
by mashin
1) I added the following function to my HESK file: email_functions.inc.php

Code: Select all

function link_remover($hyperlink) {
    return preg_replace_callback(
        '/\b((https?:\/\/)?(www\.)?[a-z0-9\-]+(\.[a-z]{2,})+([\/?][^\s]*)?)/i',
        function ($matches) {
            $broken = $matches[0];
            // Replace http, https, and www with " [link] "
            $broken = preg_replace('/^(https?:\/\/|www\.)/i', ' [link] ', $broken);
            // Replace all remaining dots with spaces
            $broken = str_replace('.', ' ', $broken);
            return $broken;
        },
        $hyperlink
    );
}
2) I added this line right after $subject = hesk_html_entity_decode($subject); on function hesk_mail in the same file.

Code: Select all

$subject = link_remover($subject);
3) I removed %%SUBJECT%% at the new_ticket.txt template Body (Plain text & HTML)

With this, the user (customer) won't receive any phishing URLS in subject/body. The Admins still need to clean them from the original ticket tho.

This might not be the best solution but it worked on my QA/prod site (I'm really not a programmer. IA site wrote the function for me)

Re: Suggested feature: modify links in Title field to avoid phishing

Posted: Wed Jun 25, 2025 10:16 am
by Klemen
Thanks for sharing the news and your changes to fight such phishing attempts.

Criminals are getting really creative. It's definitely a valid concern that we will address in Hesk.

Re: Suggested feature: modify links in Title field to avoid phishing

Posted: Wed Jun 25, 2025 8:05 pm
by mashin
Thank you very much
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited