Users who normally download files only from trusted websites can now be tricked by a new type of web vulnerability: it cons them into downloading malicious executable files that are not actually hosted on the website they appear to come from.
This attack has been named reflected file download (RFD) and is similar to reflected cross-site scripting (XSS) attacks, in which users are tricked into clicking on a specially crafted link to a legitimate site that forces their browsers to execute rogue code contained in the URL itself.
In the case of RFD, the victim’s browser does not execute code; instead it offers a file for download with an executable extension like .bat or .cmd that contains shell commands, or a script file such as JS, VBS or WSH that will be run by the Windows Script Host (wscript.exe). The contents of the file are supplied through the attacker-generated URL that the user clicks on, the website reflecting that input back to the browser as a file download. Because the site does not set an explicit filename for the response, the browser derives the name and extension from the URL the attacker crafted.
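The following is an added illustration of the reflection point described above, not code from the article or from any affected site. It models a JSONP-style API endpoint as a pure function on a parsed request so it runs offline; the `/api/search` path, the `callback` parameter and the assumption that the server ignores extra path segments after a `;` are all constructed for the example. The vulnerable handler reflects the parameter verbatim with no fixed filename, so a URL ending in `setup.bat` with `callback=calc||` yields a download named setup.bat whose first line is an attacker-chosen command. The hardened handler whitelists the reflected token, pins the download name with `Content-Disposition` and forbids MIME sniffing.

```javascript
// Constructed example of a reflected file download (RFD) reflection point and its fix.
// Not code from the article; the endpoint, parameter name and routing are assumptions.

const SAFE_CALLBACK = /^[A-Za-z_][A-Za-z0-9_]{0,63}$/;   // plain identifiers only

// Vulnerable: reflects "callback" unchanged and sets no Content-Disposition, so the
// browser names the download after the last path segment the attacker supplied.
function vulnerableHandler(req) {
  const cb = req.query.callback || 'callback';
  const data = JSON.stringify({ results: [], q: req.query.q || '' });
  return {
    status: 200,
    headers: { 'Content-Type': 'application/json' },   // no filename, no nosniff
    body: `${cb}(${data});`,
  };
}

// Hardened: reject anything but an identifier, pin a non-executable filename and
// tell the browser not to sniff the content type.
function hardenedHandler(req) {
  const cb = req.query.callback;
  if (cb !== undefined && !SAFE_CALLBACK.test(cb)) {
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: 'invalid callback' };
  }
  const data = JSON.stringify({ results: [], q: req.query.q || '' });
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/json; charset=utf-8',
      'Content-Disposition': 'attachment; filename="api.json"',
      'X-Content-Type-Options': 'nosniff',
    },
    body: cb ? `${cb}(${data});` : data,
  };
}

// The name a browser uses if it saves the response: the Content-Disposition filename
// when present, otherwise the last segment of the request path.
function downloadFilename(path, headers) {
  const m = /filename="([^"]+)"/.exec(headers['Content-Disposition'] || '');
  return m ? m[1] : path.substring(path.lastIndexOf('/') + 1);
}

// Constructed attacker link: the path is shaped so it ends in an executable name, and the
// reflected parameter is the batch command. Whether the browser saves rather than renders
// the response also depends on how the link is presented (e.g. an HTML5 download link).
const attackReq = {
  path: '/api/search;/setup.bat',   // assumed: server ignores the ";/setup.bat" suffix
  query: { callback: 'calc||', q: '' },
};

// Stand-alone demonstration of both handlers against the same request.
function demo() {
  const v = vulnerableHandler(attackReq);
  const h = hardenedHandler(attackReq);
  return {
    vulnerableName: downloadFilename(attackReq.path, v.headers),   // "setup.bat"
    vulnerableBody: v.body,            // 'calc||({"results":[],"q":""});' -> runs calc in cmd.exe
    hardenedStatus: h.status,          // 400: payload rejected before it is reflected
  };
}

console.log(demo());
```

In the vulnerable case the saved file begins with `calc||(...)`, which cmd.exe executes as `calc` followed by a conditional that is never reached; the hardened handler refuses the token, and even a legitimate `callback=cb1` request is saved as api.json rather than whatever name the URL path ends in.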
This enables convincing social engineering attacks because, despite not physically being hosted on the targeted website, the file still appears to originate from it. Users would still have to approve the download and execute the file themselves; however, it would not be hard for an attacker to convince them to do so.
For example, a spoofed email from a bank asking users to download and install a new security product that protects their banking sessions could be very convincing if the included download link pointed back at the bank’s real website — and that’s exactly what RFD vulnerabilities allow for.