Master of Disguise 2: The Art of ReDirection

Summary

At RADICL, we’ve recently seen an uptick in threat actors using open redirect vulnerabilities in legitimate websites to hide their phishing links. Over the course of this post, we’ll discuss what an open redirect vulnerability is, some examples of what we’re seeing, and how you can protect yourself and your organization.

What's an Open Redirect Vulnerability?

An open redirect vulnerability, more formally referred to as CWE-601, occurs when a website allows a user to construct a URL that causes a redirection to an arbitrary external domain. For example, let’s say there is a website called goodwebsite[.]com. On goodwebsite[.]com, there are several links to a trusted, external vendor, trustedvendor[.]com. When a user clicks on one of these links, the resulting URL is hxxps://goodwebsite[.]com/?redirect_url=hxxps://trustedvendor[.]com.

Now, in the event that goodwebsite[.]com is susceptible to an open redirect vulnerability, a malicious actor could change the ?redirect_url parameter to something nefarious, like hxxps://goodwebsite[.]com/?redirect_url=hxxps://evil[.]com. If a victim were to navigate to this URL, they would be redirected to evil[.]com. As one could imagine, this type of vulnerability is adored by phishers because it allows them to mask their evil URL under the guise of a benign URL, making it all the easier to trick users.

Recently Observed Examples

As mentioned in the summary, we have observed several recent campaigns in the wild that make use of legitimate websites with open redirect vulnerabilities. Here are several examples:

1. India Times

    1. Link Structure: hxxps://hr[.]economictimes[.]indiatimes[.]cov/etl.php?url=https://hr[.]economictimes[.]indiatimes[.]com/etl.php?url=<EvilUrl>
    2. Commentary: Notice that in this link, the threat actor is making use of a double redirection (redirecting first to itself and then to the evil URL) to try to mask their presence even further.

2. New York Post

    1. Link Structure: hxxps://t[.]nypost[.]com/1/e/r?ru=%68%74%74%70s%3a%2f%2f<EvilUrl>
    2. Commentary: It's a pretty straightforward open redirect here; the only mildly interesting part is the URL encoding of the HTTPS component of the malicious URL.

3. Impactia
    1. Link Structure: hxxp://CNBC[.]com@analytic[.]impactia[.]com/AnalyticServer/redirect?eurl=<base64Encoded_badurl> 
    2. Commentary: This is a fun one. The threat actor abuses RFC 1738 URL syntax with the CNBC @ bit of the URL (see my Master of Disguise: URL EDITION blog for more details on that). The redirect URL parameter is also base64 encoded (which is required by Impactia), adding an additional layer of obfuscation.
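
The three link patterns above (double redirection, percent-encoded targets, and a userinfo prefix combined with a base64 parameter) can be checked mechanically. The Python sketch below is an added example, not code from RADICL or the original post; the function names, the .example hostnames and the sample links are constructed for illustration.

```python
import base64
from urllib.parse import parse_qsl, unquote, urlsplit

MAX_DEPTH = 3  # how many nested redirect layers to unwrap


def as_url(value):
    """Return value as an http(s) URL if it is one (plain, percent-encoded or base64)."""
    value = unquote(value).strip()
    if value.lower().startswith(("http://", "https://")):
        return value
    try:
        # parse_qsl turns '+' into ' ', so restore it before trying base64.
        raw = value.replace(" ", "+")
        decoded = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4)).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return decoded if decoded.lower().startswith(("http://", "https://")) else None


def inspect_link(url, depth=0):
    """Return findings for one link; an empty list means nothing was flagged."""
    findings = []
    parts = urlsplit(url)
    if parts.username is not None:
        findings.append(f"userinfo '{parts.username}' hides real host {parts.hostname}")
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        target = as_url(value)
        if target is None:
            continue
        target_host = urlsplit(target).hostname
        if target_host != parts.hostname:
            findings.append(f"parameter '{name}' on {parts.hostname} points to {target_host}")
        if depth < MAX_DEPTH:  # unwrap double redirection
            findings.extend(inspect_link(target, depth + 1))
    return findings


# Constructed sample links (reserved .example domains), one per pattern above.
B64_TARGET = base64.b64encode(b"https://evil.example/login").decode()
SAMPLES = [
    "https://hr.site.example/etl.php?url=https://hr.site.example/etl.php?url=https://evil.example/login",
    "https://t.news.example/1/e/r?ru=%68%74%74%70s%3a%2f%2fevil.example%2flogin",
    f"http://CNBC.com@analytic.vendor.example/AnalyticServer/redirect?eurl={B64_TARGET}",
    "https://goodwebsite.example/about?page=2",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", inspect_link(link) or "nothing flagged")
```

A finding only means the link hands the visitor to a different host; legitimate cross-site redirects also trigger it, so treat the output as a triage signal rather than a verdict.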

How Do I Protect Myself from this Sort of Attack?

1. User Education
    1. Teach your users to review the ENTIRE link before clicking. With open redirect vulnerabilities, if they just glance at the link, they will see a trusted domain. Make sure to encourage them to review the entire link to see if there are any tricky evil URLs hiding in a redirect parameter.
2. Enable Phishing Protection on your Email Service
    1. Most email providers are pretty good at picking out malicious open redirect abuse. Make sure you have your protection enabled!