Trusted Domain, Hidden Danger: Deceptive URL Redirections in Email Phishing Attacks

In this ever-evolving landscape of cyberthreats, email has become a prime target for phishing attacks. Cybercriminals continue to adapt and employ more sophisticated methods to effectively deceive users and bypass detection measures. One of the most prevalent tactics nowadays involves exploiting legitimate platforms for redirection through deceptive links. In this blog post, we'll explore how trusted platforms are increasingly being exploited as redirectors, highlighting the risks and the latest trends that users and businesses alike should be aware of.

Abuse of trusted platforms for redirection means using the redirect functionality of legitimate websites, whether click-tracking links, open redirect parameters or similar features, to send unsuspecting users to a destination the attacker chooses.

Why is URL redirection in phishing emails dangerous and effective?

  • Bypassing Security Filters

    Redirection effectively bypasses traditional security measures that scan for known malicious URLs, as the initial link appears safe and originates from a trusted source. Threat actors also employ multiple redirections which makes it harder to track the destination URL.

  • Exploiting User Trust

    The use of trusted domains in phishing attacks increases their likelihood of success, since users are more likely to recognize and trust these domains.

  • Concealing Malicious Intent

    For an average user, it can be challenging to detect redirections. The initial URL may appear genuine, and the transition to the malicious site is often smooth and undetectable.

  • Malicious Payload

    In email attacks, the redirected site can deliver a malicious payload, such as a phishing page that steals sensitive information, or the installation of malware onto the user's device.

 

Emerging Trends:

  1. The Growing Threat of Open Redirect URLs in Email Attacks

We observed a significant rise in phishing campaigns that exploit open redirect vulnerabilities.

What is an Open URL Redirection Vulnerability?

MITRE CWE-601: URL Redirection to Untrusted Site ('Open Redirect') describes the weakness as follows:

Description:

A web application accepts a user-controlled input that specifies a link to an external site and uses that link in a Redirect. This simplifies phishing attacks.

This flaw occurs when a web application redirects users to external sites based on unvalidated input, potentially sending them to attacker-controlled sites such as phishing websites.

Below is an example of what an open redirect looks like in a deceptive email campaign:

 

Phishing_Pic1

In this scenario, when a user clicks the link hxxps://goodsite[.]com/redir[.]php?url=hxxp://badsite[.]com, the following process unfolds:

  • Initial Click: The user first reaches the 'goodsite[.]com' domain, a trusted and legitimate website.

  • Triggering the Redirection: The URL contains a query parameter 'url=hxxp://badsite[.]com', instructing the site to redirect to the specified external URL 'badsite[.]com'.

  • Absence of URL Validation: 'goodsite[.]com' does not verify that the destination given in the url parameter is a legitimate and safe destination, or even that it belongs to goodsite[.]com at all.

  • Automatic Redirection to an Unsafe Site: Since there is no validation, the user is automatically redirected from goodsite[.]com to hxxp://badsite[.]com, a site under the attackers' control.

Attackers are increasingly probing links on trusted platforms for open redirects. They manipulate the URL parameter (the name varies by site; url, u, next, redirect and return are common) so that it points to a malicious site, and embed the resulting link in phishing emails. This lets them launch phishing attacks and steal user credentials while the visible link still points at the trusted domain.
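To make the "absence of URL validation" step concrete, here is an added example (written for this post, not code from the goodsite[.]com scenario or from any real site) showing the vulnerable redirect handler, a common but wrong prefix-check "fix", and a hardened version. The goodsite.com and badsite.com hostnames are the post's own illustrative names; the function names and test inputs are constructed here.

```python
"""Open-redirect handler: vulnerable pattern, a weak fix, and a hardened one.

Added example, not code from the SpiderLabs post. 'goodsite.com' and the
redir.php?url= parameter are the post's illustrative names; everything
else is constructed for this example.
"""
from urllib.parse import urlparse, urljoin

TRUSTED_HOST = "goodsite.com"


def vulnerable_redirect(url_param: str) -> str:
    """What redir.php effectively does when it trusts its input:
    whatever arrives in ?url= becomes the Location header."""
    return url_param


def prefix_check_redirect(url_param: str) -> str:
    """A common but wrong 'fix': accept anything starting with our origin.
    'https://goodsite.com.badsite.com/' and 'https://goodsite.com@badsite.com/'
    both pass this check and still land on badsite.com."""
    return url_param if url_param.startswith(f"https://{TRUSTED_HOST}") else "/"


def safe_redirect(url_param: str, trusted_host: str = TRUSTED_HOST) -> str:
    """Allow only same-host destinations; everything else falls back to '/'.

    The parameter is resolved against the site's own origin first, so relative
    paths ('/account') stay local, and then the scheme and host of the result
    must match exactly.
    """
    base = f"https://{trusted_host}/"
    # Browsers treat backslashes as slashes in URLs; urllib does not. Normalise
    # first so '/\\badsite.com' cannot pass as a 'relative' path.
    candidate = url_param.replace("\\", "/")
    target = urlparse(urljoin(base, candidate))
    if target.scheme != "https":
        return "/"
    # .hostname (not .netloc) drops userinfo and the port, so
    # 'goodsite.com@badsite.com' is seen as badsite.com and rejected.
    if target.hostname != trusted_host:
        return "/"
    # Rebuild from parsed parts rather than echoing the raw input.
    return target.geturl()


if __name__ == "__main__":
    for probe in ("/account", "http://badsite.com", "//badsite.com/phish",
                  "https://goodsite.com@badsite.com/",
                  "https://goodsite.com.badsite.com/"):
        print(f"{probe:40} vulnerable={vulnerable_redirect(probe):40} "
              f"prefix={prefix_check_redirect(probe):40} safe={safe_redirect(probe)}")
```

The probes in the `__main__` block are the classic bypasses worth trying during a pentest: protocol-relative `//host`, backslash variants, userinfo `@` tricks and look-alike subdomains. Only the last function rejects all of them.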

For additional background and information please refer to previous SpiderLabs research on Open Redirect vulnerabilities as well as a recent article about Google services redirects.

 

1.1 Real-World Email Phishing with Open Redirect link

The email below mimics a multi-factor authentication (MFA) alert, falsely notifying the recipient of a sign-in attempt and including a one-time security code. It features a deceptive link labeled "I didn't try to sign in," exploiting the recipient's instinct to protect their account.

The link uses the base URL 'hxxps[://]www[.]intelliclicktracking[.]net/', which belongs to IntelliClick, a legitimate email and website marketing solutions provider. Despite being a legitimate service, this domain is being abused by threat actors to carry out phishing attacks via open redirects.

 

Phishing_Pic2

Its URL parameter, highlighted in the image above, points to a malicious IPFS site, with an email address appended as a URL fragment (a common way to pre-fill the victim's address on the fake login form). The InterPlanetary File System (IPFS) is a distributed, peer-to-peer file sharing system that is increasingly abused in phishing attacks, as discussed in our previous blog.

Here is the redirection chain for the exploited URL, which redirects to the appended IPFS URL hosting a fake login form impersonating Webmail.

 

Phishing_Pic3
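Reproducing a chain like the one above is the first thing an analyst does with a suspicious link. The following is an added example (not code from the post, and not the IntelliClick chain itself) that walks HTTP Location headers hop by hop. The HTTP fetch is injected so the chain runs offline against a constructed response map; the tracker host and all paths in that map are invented for the example.

```python
"""Walk an email link's redirect chain hop by hop, without a browser.

Added example; not code from the SpiderLabs post. The fetch function is
injected so the chain is reproducible offline from the constructed
responses below. For real links, pass a fetcher that sends a single GET
with redirects disabled (e.g. requests with allow_redirects=False) from an
isolated analysis host: fetching phishing URLs from a user workstation
leaks the tracking parameters and may trigger the payload.
"""
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 10

# Constructed responses modelled on the post's goodsite -> badsite example,
# with a marketing tracker in the middle. Tracker host and paths are invented.
START = "https://goodsite.com/redir.php?url=https://r.tracker.example/c?u=https://badsite.com/login"
FAKE_RESPONSES = {
    START: (302, {"Location": "https://r.tracker.example/c?u=https://badsite.com/login"}),
    "https://r.tracker.example/c?u=https://badsite.com/login":
        (302, {"Location": "/go?to=https://badsite.com/login"}),   # relative Location
    "https://r.tracker.example/go?to=https://badsite.com/login":
        (303, {"Location": "https://badsite.com/login"}),
    "https://badsite.com/login": (200, {"Content-Type": "text/html"}),
    # A two-node loop, to exercise the loop guard.
    "https://loop.example/a": (302, {"Location": "/b"}),
    "https://loop.example/b": (302, {"Location": "/a"}),
}


def fake_fetch(url):
    """Stand-in for an HTTP client: returns (status, headers)."""
    return FAKE_RESPONSES.get(url, (404, {}))


def follow_chain(start_url, fetch=fake_fetch, max_hops=MAX_HOPS):
    """Return (chain, final_status). final_status is None when the chain
    looped or exceeded max_hops, so 'landed' and 'gave up' are distinguishable."""
    chain = [start_url]
    url = start_url
    for _ in range(max_hops):
        status, headers = fetch(url)
        location = headers.get("Location")
        if status not in REDIRECT_CODES or not location:
            return chain, status
        url = urljoin(url, location)      # Location may be relative (RFC 7231)
        if url in chain:
            chain.append(url)
            return chain, None            # redirect loop
        chain.append(url)
    return chain, None                    # too many hops


def hosts_in_chain(chain):
    return [urlparse(u).hostname for u in chain]


def leaves_trusted_host(chain):
    """True when the final hop lands on a host other than the one the user
    clicked: the signature of a trusted domain being used as a redirector."""
    hosts = hosts_in_chain(chain)
    return hosts[-1] != hosts[0]


if __name__ == "__main__":
    chain, status = follow_chain(START)
    for i, u in enumerate(chain):
        print(f"{i}: {u}")
    print("final status:", status, "| left trusted host:", leaves_trusted_host(chain))
```

Note what this does not cover: JavaScript and meta-refresh redirects, which need a headless browser or a parser for the final HTML body, and per-recipient tracking tokens, which may burn after one fetch.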

 

1.2 E-Signature Platforms and Microsoft-Themed Image Phishing Campaigns

From Q3 to Q4 2023 we saw a rise in phishing campaigns that combine open redirects with image-based lures impersonating brands such as Microsoft and e-signature services such as DocuSign and Adobe Sign. As the name implies, image-based attacks carry the malicious link in an image rather than in message text, which lets them bypass text-based security filters. Adding an open redirect on a trusted domain makes the link itself look benign as well, leaving standard security systems even less to flag.

  • Adobe Acrobat Sign Image Phishing

Phishing_Pic4

 

This image-based phishing campaign mimics an Adobe Acrobat Sign request, using a crafted but legitimate Adobe URL (campaign[.]adobe[.]com) with an open redirect so that the link appears to come from Adobe. It chains multiple redirections: first through the Adobe campaign link, then through Constant Contact (r20[.]rs6[.]net), a well-known email marketing service, before finally landing on the intended phishing page.

  • Microsoft Brand Image Phishing

    Here is another image-based email campaign, this time impersonating Microsoft Outlook notifications. The attack leverages an open redirect on the MyTheresa domain, a global luxury e-commerce platform, to conduct the phishing attack.

Phishing_Pic5

1.3 More Platforms Abused in Phishing Open Redirects

Below are further examples of platforms whose redirects were abused:

  • Microsoft.com: Phishers have also abused an open redirect weakness in a phishing campaign that used a Microsoft domain. Such links are particularly effective and dangerous because Microsoft is a widely recognized and trusted brand, which makes the impersonation more convincing and harder for users to question.

 

Phishing_Pic6

  • Government Domains: We also observed open redirect attacks exploiting official government domains, such as the following URL owned by Auckland Council, a New Zealand local government body:

Phishing_Pic7

  • VK.com: In this sample the redirector is VK (VKontakte), a Russian social media and social networking platform.

Phishing_Pic8

  • IndiaTimes.com: IndiaTimes is a news platform popular in India.

Phishing_Pic9

  • Medium.com: Medium is a popular content publishing platform.

Phishing_Pic10

  • Wattpad.com: Wattpad is also a publishing and storytelling platform.

Phishing_Pic11

  • App.link: App.link is a domain operated by Branch, a company specializing in deep linking for mobile applications. Our team observed multiple app.link URLs being exploited as open redirects. The phishing URL below uses the app.link deep-link subdomain of Strava, a social fitness platform for athletes.

Phishing_Pic12

  • Sentieo.com: In a recent phishing attack, the financial intelligence platform Sentieo.com was abused through a combination of an open redirect and a base href weakness on its website. The HTML <base> element sets the URL against which every relative link in a document is resolved. The attackers split the phishing link in two: the <base href> carries the attacker's hostname, and an ordinary <a href="..."> carries only the path. A scanner that reads each href in isolation sees a harmless-looking relative path, while the browser resolves it to the attacker's site, which is how the link evades detection while still misdirecting the user.

 

Phishing_Pic13
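The base href split only works because link extraction and link resolution are different steps. The added example below (written for this post, not Sentieo's page or code) resolves hrefs the way a browser does, against the first <base href> if one is declared, and flags the links that leave the page's host. The HTML, hostnames and paths are constructed to mirror the split described above.

```python
"""Resolve the links a browser would actually follow when <base href> is set.

Added example, not code from the SpiderLabs post. SAMPLE_HTML is constructed
to show the split described for the Sentieo case: <base> carries the
attacker's host, each <a href> carries only a path. Hostnames are the
post's illustrative goodsite/badsite names.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class LinkResolver(HTMLParser):
    """Collect <a href> values and resolve them against <base href> when one
    is declared, otherwise against the page URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.base = None
        self.raw_hrefs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and self.base is None and attrs.get("href"):
            self.base = attrs["href"]          # browsers honour only the first <base>
        elif tag == "a" and attrs.get("href"):
            self.raw_hrefs.append(attrs["href"])

    def effective_links(self):
        # <base href> may itself be relative, so resolve it against the page first.
        base = urljoin(self.page_url, self.base) if self.base else self.page_url
        return [urljoin(base, h) for h in self.raw_hrefs]


def resolve_links(html, page_url):
    """Return (hrefs as written, hrefs as the browser resolves them)."""
    parser = LinkResolver(page_url)
    parser.feed(html)
    parser.close()
    return parser.raw_hrefs, parser.effective_links()


def offsite_links(html, page_url):
    """Resolved links whose host differs from the page's own host."""
    page_host = urlparse(page_url).hostname
    _, resolved = resolve_links(html, page_url)
    return [u for u in resolved if urlparse(u).hostname != page_host]


# Constructed sample: the visible href is a bare path, the host lives in <base>.
SAMPLE_HTML = """<html><head>
<base href="https://badsite.com/">
</head><body>
<a href="/login/verify">Review document</a>
<a href="https://goodsite.com/help">Help</a>
</body></html>"""

if __name__ == "__main__":
    raw, resolved = resolve_links(SAMPLE_HTML, "https://goodsite.com/doc/123")
    for r, e in zip(raw, resolved):
        print(f"{r:35} -> {e}")
    print("off-site:", offsite_links(SAMPLE_HTML, "https://goodsite.com/doc/123"))
```

A link scanner that only regex-matches `href="..."` values would report `/login/verify` as an internal path; the resolved list is what the user actually visits.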

1.4 Marketing and Tracking Platforms

Marketing and tracking platforms, including email marketing services and digital marketing providers, are also leveraged for open redirect attacks, because these platforms use redirects by design to track clicks and engagement. Here are a few URLs we've seen in recent phishing attacks:

  • Mailjet - Mjt.lu

Phishing_Pic14

  • emBlue - Embluemail.com

Phishing_Pic15

  • DoubleClick - Doubleclick.net (owned by Google)

Phishing_Pic16

  • Krux - Krxd.net (owned by Salesforce)

Phishing_Pic17

  • Adnxs.com

Phishing_Pic18

 

1.5 Open Redirect Exploits for Malware Delivery

Threat actors also abuse legitimate platforms to redirect users to download malware.

In the example below, an invoice-themed email campaign uses a PDF attachment as a lure. Recipients are prompted to click within the PDF, ostensibly to download an invoice. Instead of an invoice, the click leads to the download and execution of JScript files, which in turn download and execute the WikiLoader malware.

 

Phishing_Pic19


2. Google Platforms Abused in Phishing Redirection

Threat actors are abusing Google domains, embedding them in phishing campaigns to evade detection while leveraging the trust commonly associated with Google services.

  • Google Web Light

Google Web Light is a Google service intended to make browsing faster on slow internet connections by serving lightweight, transcoded versions of pages.

Here is an example of how it is being abused to redirect to a phishing site hosted on IPFS and served through Cloudflare's IPFS gateway.


Phishing_Pic20

  • Google Notifications

    The domain 'notifications.google.com' is a legitimate site owned by Google, used to manage and deliver notifications across various Google services.

    Since Q4 2023, SpiderLabs has observed scammers exploiting this domain in phishing email campaigns targeting Meta brands, including Instagram and Facebook. Detailed insights into one such campaign have been documented on our SpiderLabs blog.

Phishing_Pic21

  • Google Accelerated Mobile Pages

    Google AMP (Accelerated Mobile Pages) is an open-source web component framework for making web pages load faster on mobile devices.

    Google AMP URLs are now being abused as phishing redirectors, as in the figure below. When a user clicks the link, they are redirected to the phishing page hosted on repl.co, a hosting domain operated by Replit.

Phishing_Pic22

 

3. Search Engine Services as Phishing Redirection Tools

Threat actors are also exploiting search engine platforms to facilitate phishing redirection. Recently, search engines such as Bing and Baidu have been particularly targeted for such abuse.

  • Bing Tracking Link Redirections

    Microsoft's Bing search engine is frequently targeted in phishing attacks through its click-tracking URL, 'www.bing.com/ck/a?!p=...'. This tracking URL is embedded in malicious email campaigns; its 'u=' parameter carries a base64-encoded URL string that points to the deceptive destination page, so the destination is not visible in the link as plain text.

The example below illustrates a phishing redirection chain leveraging Bing that leads users to a phishing landing page hosted on the web hosting platform 'Glitch.me'.

 

Phishing_Pic23
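Because the Bing destination is base64-encoded, a mail filter that only looks for URLs in plain text never sees it. The added example below (not code from the post) extracts the destination from a redirect or tracking link whether it is written plainly, as with the redir.php?url= case in section 1, percent-encoded, or base64-encoded as in Bing's u= parameter, and recurses into what it finds so nested chains unwrap. Stripping a leading 'a1' tag from the Bing value is an assumption about how that parameter is formatted; the decoding does not depend on it. All sample links are constructed.

```python
"""Surface the destination hidden inside a redirect or tracking link.

Added example, not code from the SpiderLabs post. Reports every query
parameter whose value is itself a URL (plain, percent-encoded, or
base64/base64url-encoded as in Bing's /ck/a?...&u= links) and recurses
into discovered URLs. The 'a1' prefix handling is an assumption about the
Bing 'u' value's format. Sample links are constructed here.
"""
import base64
import binascii
from urllib.parse import urlparse, unquote, quote

URL_PREFIXES = ("http://", "https://", "//")


def _query_pairs(query):
    """Split the query string by hand: parse_qsl would turn '+' into a space,
    which corrupts standard-alphabet base64 values."""
    for part in query.split("&"):
        if "=" in part:
            name, _, value = part.partition("=")
            yield name, unquote(value)


def _base64_url(value):
    """Return the URL hidden in a base64/base64url value, else None.
    Tries the value as-is and with a two-character tag removed (Bing's 'a1'
    prefix, an assumption about that format)."""
    for candidate in (value, value[2:]):
        padded = candidate + "=" * (-len(candidate) % 4)
        for decoder in (base64.urlsafe_b64decode, base64.b64decode):
            try:
                text = decoder(padded).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError, ValueError):
                continue
            if text.startswith(URL_PREFIXES):
                return text
    return None


def embedded_urls(link, depth=3):
    """[(parameter, url), ...] for every URL-bearing parameter in link,
    including those found inside the discovered URLs, up to depth levels."""
    found = []
    if depth <= 0:
        return found
    for name, value in _query_pairs(urlparse(link).query):
        target = value if value.startswith(URL_PREFIXES) else _base64_url(value)
        if target:
            found.append((name, target))
            found.extend(embedded_urls(target, depth - 1))
    return found


def final_destination(link):
    """The innermost URL found, or the link itself if nothing is embedded."""
    found = embedded_urls(link)
    return found[-1][1] if found else link


# Constructed samples. The Bing 'p' value is a placeholder; the 'u' value is
# built by base64-encoding the destination, as the post describes.
BING_SAMPLE = "https://www.bing.com/ck/a?!&&p=0123abcd&u=a1" + \
    base64.urlsafe_b64encode(b"https://badsite.com/login").decode().rstrip("=")
# The Bing link nested, percent-encoded, inside the post's open-redirect form.
NESTED_SAMPLE = "https://goodsite.com/redir.php?url=" + quote(BING_SAMPLE, safe="")

if __name__ == "__main__":
    for param, url in embedded_urls(NESTED_SAMPLE):
        print(f"{param:4} -> {url}")
    print("final:", final_destination(NESTED_SAMPLE))
```

In a mail gateway this is the place to apply reputation checks: score the innermost URL, not just the trusted hostname the link starts with.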


  • Baidu Tracking Link Redirections

Alongside Bing, we observed similar abuse of search engine tracking links in phishing redirections involving Baidu, a popular search engine in China. The image below shows another multi-hop redirection chain leading to a fake login page hosted on IPFS.

 

Phishing_Pic24

 

4. LinkedIn Smart Link

LinkedIn Smart Links is a service that enables engagement and performance tracking of content through a single trackable link, which can be shared across channels such as email, messages and chats. This legitimate feature is now being abused by attackers as a phishing redirector. Below is an example of a malicious URL that exploits LinkedIn's Smart Link service, leading users to a credential harvesting page.

 

Conclusion

The phishing email tactics discussed in this blog are just the tip of the iceberg. Threat actors will continue to evolve their methods, using open redirects and abusing trusted platforms for malicious redirection. Their primary goals are to evade detection by riding on the reputation of a trusted platform, to exploit user trust in that platform, and to frustrate analysis with anti-analysis tactics such as long, multi-hop redirection chains. This underscores the need for continuous vigilance, as these techniques persistently evolve and present new challenges.

Trustwave MailMarshal provides protection against these phishing campaigns.
