Leverage common URL redirection methods to create effective phishing attacks
“Simple” can often be more difficult than “complex”. When you think of the more sophisticated phishing campaigns and their components, URL forwarding doesn’t immediately come to mind as the cause of the problem. However, URL forwarding is a method that is often abused by cyber criminals to create multi-layered phishing attacks. Why? The short answer is three E’s: easy, effective, and elusive (to the eye).
URL redirection for malicious purposes
URL redirection is the process of sending web users from the URL they originally requested to a different one. Internet users encounter URL redirects every day, often without noticing: clicking a shortened link to read the news, being passed from one site to another to buy or pay for an advertised product, and so on. Redirection has become part of daily life online, and phishers are not afraid to exploit it for their own ends.
Let’s take a look at three phishing attacks in which URL redirection plays a vital role:
# 1. Redirect hidden in an HTML attachment
This type of attack is not very common, as it consists of a larger number of components:
- An email with an attachment
- An HTML file containing a URL-encoded phishing redirect that fires through the setTimeout method
- The phishing landing page
Imagine receiving a strange email from your corporate IT administrator asking you to update something. The body is blank, the message appears to have been sent internally (the sender address is spoofed), and it carries an “UPDATE.htm” attachment.
Viewing the source of the attachment shows an encoded script. Decoded, it reveals the phishing URL to which the recipient is redirected after a delay of a few milliseconds, implemented with the setTimeout method.
The setTimeout() method executes a function once after a specified number of milliseconds. If this file is opened in a browser, the callback performs the redirect and sends the victim to an Office 365-themed phishing landing page after 5 milliseconds, before the blank page has any chance to look suspicious.
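To make the triage step concrete, the following Python script is an added example (not code from the original article or from the campaign it describes). It builds a stand-in for such an attachment and statically extracts the redirect target without ever opening the file in a browser. The attachment HTML is constructed for this example, the landing host login-portal.example.invalid is a placeholder, and the two encoding layers (a base64 layer fed to atob() around a percent-encoded layer fed to unescape()) are an assumption about how such files are typically layered, not a description of the UPDATE.htm sample.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# Constructed sample attachment (not the campaign's file). The landing host is a
# placeholder. The payload is wrapped twice: base64 for atob() around a
# percent-encoded script for unescape().
_INNER_JS = (
    "document.write(unescape('%3Cscript%3EsetTimeout%28function%28%29%7B"
    "window.location.href%3D%22https%3A%2F%2Flogin-portal.example.invalid"
    "%2Foffice365%2F%22%7D%2C5%29%3B%3C%2Fscript%3E'))"
)
SAMPLE_ATTACHMENT = (
    '<html><body><script>eval(atob("'
    + base64.b64encode(_INNER_JS.encode()).decode()
    + '"))</script></body></html>'
)

# Decoder calls whose string argument can be unwrapped offline. unquote() covers the
# %XX forms used by unescape() and decodeURIComponent(); %uXXXX is not handled.
_DECODER_CALL = re.compile(r"""(unescape|decodeURIComponent|atob)\(\s*(['"])(.*?)\2\s*\)""")


def _decode_once(src):
    """Replace every decoder call with its decoded argument; None if none was found."""
    found = False

    def repl(m):
        nonlocal found
        found = True
        fn, body = m.group(1), m.group(3)
        if fn == "atob":
            return base64.b64decode(body).decode("latin-1")
        return unquote(body)

    out = _DECODER_CALL.sub(repl, src)
    return out if found else None


def unwrap(src, max_depth=8):
    """Peel nested encoding layers; returns (decoded_source, layers_removed)."""
    layers = 0
    while layers < max_depth:
        nxt = _decode_once(src)
        if nxt is None:
            break
        src, layers = nxt, layers + 1
    return src, layers


# A location change with a literal URL, and a setTimeout(...) ending in a numeric delay.
_LOCATION = re.compile(
    r"""(?:window\.|top\.|self\.|document\.)?location(?:\.href)?\s*=\s*(['"])(.*?)\1"""
    r"""|location\.replace\(\s*(['"])(.*?)\3\s*\)"""
)
_TIMEOUT = re.compile(r"setTimeout\s*\(.*?,\s*(\d+)\s*\)", re.S)


def triage_attachment(html):
    """Return the redirect target, its host, the delay and the layer count, or None."""
    js, layers = unwrap(html)
    m = _LOCATION.search(js)
    if not m:
        return None
    url = m.group(2) or m.group(4)
    t = _TIMEOUT.search(js)
    return {
        "url": url,
        "host": urlsplit(url).hostname,
        "delay_ms": int(t.group(1)) if t else None,
        "layers": layers,
    }


if __name__ == "__main__":
    print(triage_attachment(SAMPLE_ATTACHMENT))
```

The script never executes the attachment; it only rewrites decoder calls into their decoded arguments until nothing is left to decode, then pattern-matches the result. That is enough for the common layering seen in these attachments, but it will not reach a target that is assembled at runtime (string concatenation, character-code arrays), so a None result is "nothing found statically", not "benign".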
# 2. Phishing emails delivered using Adobe open redirects
The second example also uses a corporate IT admin as cover, but in this case the phishing email is sent from a compromised mailbox on a Japanese domain that is not associated with the target organization or with Microsoft Office 365. Recipients are told that their Office 365 password expires that day and that they must either change it or keep using the current one, and are nudged toward the easy choice by clicking “Keep Current Password”:
Once they do, the targets land on a fake Office 365 login page hosted on r-im[.]xyz, after being bounced through the Adobe-hosted redirect URL.
Abusing Adobe’s open redirect service (t-info.mail.adobe.com) lends legitimacy to the URL and increases the chance that the email slips past detection: a reputation-based filter sees a well-known domain at the start of the link, not the phishing host buried in its parameters. That is the main reason open redirects on highly trusted companies’ domains (Adobe, Google, Samsung) are so popular among phishers.
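The check a mail filter or analyst needs here is static: does a link on a trusted host carry a second, unrelated URL in its query string? The following Python is an added example (not the article’s or Adobe’s code) that performs that check. The redirector host t-info.mail.adobe.com is taken from the article; the /r/ path, the parameter name p1 and the landing host landing.example.invalid are assumptions made for the sample links, which are constructed here.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# From the article: the abused redirector host. Assumed for illustration: the /r/
# path, the p1 parameter and the landing host in the constructed sample links.
TRUSTED_REDIRECTORS = {"t-info.mail.adobe.com"}

SAMPLE_LINKS = {
    "open_redirect": "https://t-info.mail.adobe.com/r/?id=abc123"
                     "&p1=https%3A%2F%2Flanding.example.invalid%2Fowa%2F",
    "double_encoded": "https://t-info.mail.adobe.com/r/"
                      "?p1=https%253A%252F%252Flanding.example.invalid%252F",
    "vendor_internal": "https://t-info.mail.adobe.com/r/"
                       "?p1=https%3A%2F%2Fwww.adobe.com%2Fprivacy",
    "plain": "https://example.com/login",
}

_ABS_URL = re.compile(r"^(?:https?:)?//", re.I)


def registrable_domain(host):
    """Last two labels of a host. Approximation only: production code should
    use the public suffix list so co.uk-style domains are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def embedded_urls(link):
    """Yield absolute URLs hidden in the query string. parse_qsl already applies
    one percent-decode; up to three more catch double- and triple-encoded targets."""
    query = urlsplit(link).query
    for _, value in parse_qsl(query, keep_blank_values=True):
        candidate = value
        for _ in range(3):
            if _ABS_URL.match(candidate):
                # protocol-relative "//host/..." is treated as https
                yield candidate if candidate.lower().startswith("http") else "https:" + candidate
                break
            decoded = unquote(candidate)
            if decoded == candidate:
                break
            candidate = decoded


def classify_link(link):
    """Verdict for one link: no-embedded-url, internal-redirect,
    open-redirect-abuse (trusted host, foreign destination) or redirect-to-external."""
    host = (urlsplit(link).hostname or "").lower()
    targets = list(embedded_urls(link))
    if not targets:
        return {"host": host, "target_host": None, "verdict": "no-embedded-url"}
    target_host = (urlsplit(targets[0]).hostname or "").lower()
    if registrable_domain(target_host) == registrable_domain(host):
        verdict = "internal-redirect"      # stays within the redirector's own domain
    elif host in TRUSTED_REDIRECTORS:
        verdict = "open-redirect-abuse"    # the pattern described in the article
    else:
        verdict = "redirect-to-external"
    return {"host": host, "target_host": target_host, "verdict": verdict}


if __name__ == "__main__":
    for name, link in SAMPLE_LINKS.items():
        print(name, classify_link(link))
```

The point of decoding repeatedly is that the first decode is done by the mail client or the redirector, and attackers nest an extra layer precisely so that a single-pass scanner sees only an opaque parameter. Only query parameters are inspected; redirectors that take the target from the path (for example /r/https://...) need the same logic applied to path segments.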
# 3. Shortened URLs that hide phishing login pages
URL shortening services – such as bit.ly, cutt.ly, t.co and others – are actively used by attackers to hide the real destination and direct targets to a malicious page.
A recently observed attack used cutt.ly to hide a spoofed Netflix login page. Below is an email, purportedly sent by Netflix support, asking the recipient to “restart subscription”:
The “Restart Subscription” button opens a spoofed Netflix login page whose URL (https://www.propertyoptionsdevelopments[.]com/netflx20/) was shortened via cutt.ly (https://cutt[.]ly/ajKQ2We). The email was sent from
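A shortened link can only be judged by following it, and following it carelessly is itself a mistake: the analyst’s client must not auto-follow redirects, must cap the number of hops, and must stop on loops and on non-HTTP schemes. The following Python is an added example (not the article’s code) that resolves a redirect chain hop by hop and compares the final host against the brand the email claims. The hop table is constructed for this example with placeholder hosts (short.example.invalid and landing.example.invalid standing in for the shortener and the compromised site); live_fetch is a real transport that can be swapped in when the analysis is run from a sandbox.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def resolve_chain(url, fetch, max_hops=10):
    """Follow Location headers one hop at a time. fetch(url) -> (status, location).
    Returns (hops, reason); reason is landed, non-http-scheme, loop or hop-limit."""
    hops, seen = [url], {url}
    for _ in range(max_hops):
        status, location = fetch(hops[-1])
        if status not in REDIRECT_CODES or not location:
            return hops, "landed"
        nxt = urljoin(hops[-1], location)   # Location may be relative
        hops.append(nxt)
        if urlsplit(nxt).scheme.lower() not in ("http", "https"):
            return hops, "non-http-scheme"  # e.g. data: or a custom app scheme
        if nxt in seen:
            return hops, "loop"
        seen.add(nxt)
    return hops, "hop-limit"


def brand_mismatch(hops, brand_domains):
    """True when the final host is not under any domain the email claims to be from."""
    host = (urlsplit(hops[-1]).hostname or "").lower()
    return not any(host == d or host.endswith("." + d) for d in brand_domains)


# Constructed hop table standing in for live responses (placeholder hosts). It mirrors
# the shape of the article's chain: shortener -> compromised site -> login page.
FAKE_RESPONSES = {
    "https://short.example.invalid/abc123": (301, "https://landing.example.invalid/netflx20/"),
    "https://landing.example.invalid/netflx20/": (302, "/netflx20/login.php"),
    "https://short.example.invalid/loop1": (302, "https://short.example.invalid/loop2"),
    "https://short.example.invalid/loop2": (302, "https://short.example.invalid/loop1"),
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (200, None))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # returning None makes urllib raise HTTPError instead of following


def live_fetch(url, timeout=10):
    """Real transport: HEAD only, never auto-follow. Use it from a sandbox or an
    analysis proxy; the request itself tells the operator that the link was examined."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


if __name__ == "__main__":
    hops, why = resolve_chain("https://short.example.invalid/abc123", fake_fetch)
    print(why, " -> ".join(hops))
    print("brand mismatch:", brand_mismatch(hops, {"netflix.com"}))
```

Keeping the transport injectable is what makes the resolver testable offline and also what lets it be pointed at a detonation proxy rather than the analyst’s own egress IP. The brand comparison is deliberately simple: a final host that is not under the claimed brand’s domain is the signal, and the chain itself (shortener, then an unrelated site, then a login form) is the evidence to attach to the ticket.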
Bottom line: don’t underestimate URL redirection. Be extremely careful before opening a link from an unsolicited email, especially when you are not 100% sure where that link will take you.