Secure Browsing

Phishing Attacks Getting Sneakier with Open Redirects

Phishing, fraudulent messages intended to deceive a recipient into revealing sensitive data or installing malware, was the most common type of cybercrime in 2020. There were 241,324 phishing incidents reported to the FBI in 2020, nearly double the number reported in 2019. That figure is likely to be higher in 2021, since by mid-year volume was 22% higher than for the same period of the previous year. According to Verizon’s Data Breach Investigations Report for 2021, 43% of data breaches involved phishing.

Educated users are generally considered to be the first line of defense against phishing. Most users by now have had basic training on how to protect against phishing attacks – they know not to click on suspicious links – at least theoretically. In fact, 65% of organizations that were penetrated by phishing had conducted anti-phishing training.

Hovering a mouse over links to see if the actual URL goes to the expected site is a basic technique for avoiding malicious links. That is precisely why cybercriminals are increasingly exploiting “open redirects” — using a URL that appears to link to a legitimate site, but sneakily redirects the traffic to a malicious site.

What is an Open Redirect?

Redirects are very common, and very useful. For example, if you enter a URL of a particular bank statement, the bank’s server will redirect you to the login page, and once you’ve logged in, automatically redirect you to the page you initially requested. Redirects are often used for technical reasons, such as when a site is moved to a new domain, or if website pages are changed or websites reorganized and the owner doesn’t want to lose search engine placement.

Redirects are also used for marketing purposes; some companies have multiple domain names for the same content and use redirects to move traffic to the main site. Redirects are also used for ad tracking purposes: A specific ad may contain a unique URL which is redirected to the appropriate page, so marketers can assess how effective each ad is at generating traffic to their site.

“Open redirects” indicates that a website doesn’t place restrictions on redirects. This is a dangerous practice which experienced webmasters should know better than to allow. Websites should be configured to bar redirects to other sites or to require external redirects to be “allow listed.” But not all webmasters are sufficiently knowledgeable or careful, and hackers seek out exploit these sites to do their worst.

When using an open redirect, a hacker embeds the URL of a legitimate website as a link in a phishing email. The legitimate nature of the link is what a security-conscious user will notice – and what reassures them that clicking is safe. Buried in that link, however, is code that redirects the click to a different, malicious website.

How are Open Redirects Being Exploited?

Microsoft recently issued a report regarding a widespread phishing campaign that combines social engineering “bait” with open redirect links to gain access to user credentials.

The way it works is like this: A user receives a phishing email. If they click on the link, they are first brought – redirected, that is — to a phishing page that displays a reCAPTCHA verification, which helps lull them into thinking they are accessing a genuine secure site.  They then get a fake error message which prompts the user to re-enter passwords. The thieves now have the user’s login credentials. Microsoft says they have already seen over 350 unique domains used in this one phishing campaign.

Protecting Against Open Redirect Phishing Attacks

The report from Microsoft states,

Today’s email threats rely on three things to be effective: a convincing social engineering lure, a well-crafted detection evasion technique, and a durable infrastructure to carry out an attack. This phishing campaign exemplifies the perfect storm of these elements in its attempt to steal credentials and ultimately infiltrate a network. And given that 91% of all cyberattacks originate with email, organizations must therefore have a security solution that will provide them multilayered defense against these types of attacks.

It’s never been a good idea to rely on user training alone to protect against phishing attacks. Many studies have shown that even trained users will click through on a sufficiently sophisticated phishing email.

Remote Browser Isolation (RBI) is the best way to protect against phishing attacks, regardless of what mechanisms they use – malware-ridden attachments, malicious links, or credential theft sites. With RBI websites are opened in virtual browsers in remote containers in the cloud. Only safe rendering data is streamed to the browser on the user device: Any malware on the website never reaches the endpoint.

Solutions like Ericom RBI integrate Content Disarm & Reconstruct, which analyzes attachments within the remote container, stripping out malware before enabling files to be downloaded with native functionality intact. Based on data from Ericom’s Threat Intelligence Network, known risky sites and those that are new, suspicious or uncategorized are opened in read-only mode, preventing users from entering credentials in phishing sites, like those used om open redirect-enabled campaigns.

Mendy Newman

Mendy Newman

Group CTO, International | Ericom Software