In this ever-evolving landscape of cyberthreats, email has become a prime target for phishing attacks. Cybercriminals continue to adapt and employ more sophisticated methods to effectively deceive users and bypass detection measures. One of the most prevalent tactics nowadays involves exploiting legitimate platforms for redirection through deceptive links. In this blog post, we'll explore how trusted platforms are increasingly being exploited as redirectors, highlighting the risks and the latest trends that users and businesses alike should be aware of.
Abuse of trusted platforms for redirection involves the use of legitimate websites that are cleverly designed to redirect unsuspecting users to unwanted URL destinations.
In email attacks, redirected sites can lead to malicious payloads such as phishing pages that steal sensitive information or the installation of malware onto the user’s device.
We observed a significant rise in phishing campaigns that exploit open redirect vulnerabilities.
What is Open URL Redirection Vulnerability?
According to MITRE CWE-601: URL Redirection to Untrusted Site ('Open Redirect'), an Open Redirect Vulnerability is characterized as follows:
This flaw in web applications occurs when users can be redirected to external sites based on unvalidated inputs, potentially leading them to attacker-controlled sites, such as phishing websites.
Below is an example of what an open redirect looks like in a deceptive email campaign:
In this scenario, when a user clicks on the link hxxps://goodsite[.]com/redir[.]php?url=hxxp://badsite[.]com, the following process unfolds:
Attackers are increasingly probing and testing links on trusted platforms that are vulnerable to open redirection. They manipulate URL parameters to redirect users to malicious sites and embed these links in phishing emails. This enables them to launch phishing attacks and steal user credentials.
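To make the CWE-601 pattern concrete, here is an added example (written for this post, not code from the original article or from any of the platforms it names) of a redirect handler in Python, in the spirit of the hypothetical goodsite.com/redir.php?url=... link above. The first function is the vulnerable pattern; the second shows the usual fix, an allow-list of destination hosts, while also handling the bypasses that commonly slip past naive checks (scheme-relative `//host`, backslashes, extra slashes, userinfo tricks like `goodsite.com@badsite.com`, and non-http schemes). The host names and SITE_BASE are assumptions for the example.

```python
# Added example (not from the original post): a minimal open-redirect handler,
# first as the vulnerable CWE-601 pattern, then hardened with host allow-listing.
import re
from urllib.parse import urljoin, urlsplit

# Constructed for this example: hosts the application may send users to.
ALLOWED_HOSTS = {"goodsite.com", "www.goodsite.com"}
SITE_BASE = "https://goodsite.com/"

# Matches an optional scheme followed by two or more slashes, e.g. "///host" or
# "https:///host". Browsers collapse those slashes and treat "host" as the
# authority, so we collapse them too before parsing.
_MULTI_SLASH = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*:)?/{2,}")


def vulnerable_redirect_target(url_param: str) -> str:
    """Vulnerable pattern (CWE-601): the 'url' parameter is used verbatim."""
    return url_param


def safe_redirect_target(url_param: str) -> str:
    """Hardened: honour only same-site absolute URLs or site-relative paths.

    Anything else (other hosts, non-http schemes, parser-confusing input)
    falls back to the site root instead of raising, so the user still lands
    somewhere sensible.
    """
    if not url_param:
        return SITE_BASE
    # Browsers strip tabs/newlines inside URLs; do the same so they cannot be
    # used to hide a scheme or host from the check below.
    candidate = re.sub(r"[\t\r\n]", "", url_param).strip()
    # Browsers treat backslashes as forward slashes in special (http/https)
    # URLs, so '/\badsite.com' would resolve to badsite.com. Normalise first.
    candidate = candidate.replace("\\", "/")
    # Collapse runs of leading slashes to exactly two (see _MULTI_SLASH).
    candidate = _MULTI_SLASH.sub(lambda m: (m.group(1) or "") + "//", candidate)
    # Resolve relative paths against our own origin; absolute URLs are kept.
    resolved = urljoin(SITE_BASE, candidate)
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):
        return SITE_BASE  # javascript:, data:, etc.
    # .hostname drops userinfo and port, so 'goodsite.com@badsite.com' is
    # correctly seen as badsite.com; it is also lower-cased for us.
    host = parts.hostname or ""
    if host not in ALLOWED_HOSTS:
        return SITE_BASE
    return resolved


if __name__ == "__main__":
    for sample in ("http://badsite.com", "//badsite.com/login", "/\\badsite.com",
                   "///badsite.com", "https://goodsite.com@badsite.com/",
                   "javascript:alert(1)", "/account/settings"):
        print(f"{sample!r:40} -> {safe_redirect_target(sample)}")
```

The allow-list approach is deliberately strict: a legitimate cross-site destination that the site genuinely needs should be added to ALLOWED_HOSTS rather than handled by loosening the parser, because every "almost right" string comparison (prefix checks, substring checks on the domain) is exactly what the bypass variants in the sample list defeat.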
For additional background and information please refer to previous SpiderLabs research on Open Redirect vulnerabilities as well as a recent article about Google services redirects.
1.1 Real-World Email Phishing with Open Redirect link
The email below mimics a multi-factor authentication (MFA) email alert, falsely notifying the recipient of a sign-in attempt that also includes a one-time security code. It features a deceptive link labeled "I didn't try to sign in," exploiting the recipient's instinct to protect their account.
It uses a base URL ‘hxxps[://]www[.]intelliclicktracking[.]net/’, belonging to IntelliClick, a legitimate email and website marketing solutions provider. Despite being a legitimate service, this domain is being exploited by threat actors to carry out phishing attacks via open redirects.
It has a URL parameter that points to a malicious IPFS site shown highlighted in the image above containing an email address fragment. InterPlanetary File System or IPFS is a distributed, peer-to-peer file sharing system that is increasingly abused in phishing attacks which we discussed in our previous blog.
Here is the redirection chain for the exploited URL which redirects to the appended IPFS URL hosting the fake login form impersonating Webmail.
1.2 E-Signature Platforms and Microsoft-themed Image Phishing Campaigns
From Q3-Q4 2023, there has been a rise in phishing campaigns using open redirect tactics, because of an increasing number of image-based attacks impersonating brands like Microsoft and e-signature services such as DocuSign and Adobe Sign. As the name implies, image-based attacks use images to carry malicious links, allowing them to bypass text-based security filters. The inclusion of open redirect techniques in image-based phishing attacks makes it harder for standard security systems to detect and prevent these phishing schemes.
This image-based phishing campaign mimics an Adobe Acrobat Sign request, using a crafted legitimate Adobe URL (campaign[.]adobe[.]com) with an open redirect to appear legitimate and impersonate Adobe effectively. It uses multiple redirections, initially through the Adobe campaign link. It then redirects through Constant Contact (r20[.]rs6[.]net), a well-known email marketing service, before finally redirecting to the intended landing page.
1.3 More platforms abused in Phishing Open Redirects
Below are some examples of platforms abused in Open Redirects:
1.3.1 Marketing and Tracking Platforms
Marketing and tracking platforms, including email marketing services and digital marketing providers, are also being leveraged for open redirect attacks since these platforms often use redirects to track clicks and engagement. Here are a few URLs we’ve seen in recent phishing attacks.
1.4 Open redirect exploits for Malware Delivery:
Threat actors also abuse legitimate platforms to redirect users to download malware.
In the example below, an invoice-themed email campaign uses a PDF attachment as a lure. Recipients are prompted to click on the PDF, ostensibly to download an invoice. However, instead of getting an invoice, this action leads to the download and execution of JScript files, which in turn download and execute the WikiLoader malware.
2. Google Platforms Abused in Phishing Redirection
Threat actors are abusing Google domains and embedding them in phishing campaigns to evade detection, leveraging the trust commonly associated with Google services.
Google Web Light is a service provided by Google that is aimed at providing faster browsing on slow internet connections.
Here is an example of how it is being abused to redirect to a phishing site hosted in Cloudflare’s IPFS.
3. Search Engine Services as Phishing Redirection Tools
Threat actors are also exploiting search engine platforms as tools to facilitate phishing redirection attacks. Recently, search engines such as Bing and Baidu have been particularly targeted for such abuse.
The example below illustrates a phishing redirection chain leveraging Bing that leads users to the phishing landing page hosted on the webhosting platform ‘Glitch.me’.
Alongside Bing, we also observed similar instances of search engine tracking link abuse in phishing redirections involving Baidu, a popular search engine platform in China. The image below shows another multi-hop redirection chain leading to a fake login page hosted in IPFS.
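The redirection chains shown in this post (the IntelliClick link carrying an IPFS destination in its URL parameter, the Adobe-to-Constant-Contact hops, and the Bing and Baidu tracking links above) share one trait an analyst can check statically: the final destination is usually carried inside the query string of the trusted link, often percent-encoded one level per hop. The following added example (written for this post, not code from the original article or from any vendor) unwraps such a chain without making a single network request and flags the case where a link starts at a known redirector but ends on an unrelated host. The sample URL, the `.example` host names and the TRUSTED_REDIRECTORS set are all constructed for the example.

```python
# Added example (not from the original post): statically unwrap a nested
# redirect URL and flag "trusted redirector -> unrelated final host" chains.
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Constructed for this example: redirectors whose links are often trusted by
# filters. A real deployment would populate this from its own telemetry.
TRUSTED_REDIRECTORS = {"tracker.example", "campaign.example"}

# Constructed sample: a three-hop link built the way the campaigns above are,
# with the IPFS-style landing page double-encoded inside a tracking link and
# the victim's address appended as a fragment for the fake login form.
FINAL = "https://ipfs-gateway.example/ipfs/QmConstructedCid/#victim@corp.example"
HOP2 = "https://campaign.example/r?redirect=" + quote(FINAL, safe="")
SAMPLE_URL = "https://tracker.example/click?id=123&url=" + quote(HOP2, safe="")


def _embedded_urls(url: str):
    """Yield absolute http(s) URLs carried in url's query values or fragment.

    parse_qsl percent-decodes each value, which is what peels one encoding
    layer per hop. Scheme-relative values ("//host/path"), which some
    redirectors accept, are normalised to https.
    """
    parts = urlsplit(url)
    values = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    values.append(unquote(parts.fragment))
    for value in values:
        value = value.strip()
        lower = value.lower()
        if lower.startswith(("http://", "https://")):
            yield value
        elif lower.startswith("//"):
            yield "https:" + value


def unwrap_redirect_chain(url: str, max_depth: int = 10) -> list[str]:
    """Return [url, hop2, ..., final] by repeatedly extracting embedded URLs.

    Only the first embedded URL at each level is followed; max_depth guards
    against pathological self-referencing input.
    """
    chain = [url]
    current = url
    for _ in range(max_depth):
        nested = next(_embedded_urls(current), None)
        if nested is None:
            break
        chain.append(nested)
        current = nested
    return chain


def assess(url: str) -> dict:
    """Summarise a link: hop count, first/final host, and an abuse verdict.

    The verdict is deliberately simple: a link that starts at a trusted
    redirector but whose statically recoverable final host is not one of
    those redirectors deserves a second look, whatever the brand on the hop.
    """
    chain = unwrap_redirect_chain(url)
    first_host = urlsplit(chain[0]).hostname or ""
    final_host = urlsplit(chain[-1]).hostname or ""
    return {
        "hops": len(chain),
        "first_host": first_host,
        "final_host": final_host,
        "trusted_redirector_abuse": (
            first_host in TRUSTED_REDIRECTORS and final_host not in TRUSTED_REDIRECTORS
        ),
    }


if __name__ == "__main__":
    for hop, link in enumerate(unwrap_redirect_chain(SAMPLE_URL), 1):
        print(f"hop {hop}: {link}")
    print(assess(SAMPLE_URL))
```

This static unwrapping is a triage aid, not a replacement for detonation: redirectors that look the target up server-side (an opaque click ID rather than a URL in the query string) or that encode it in a form other than percent-encoding will stop the chain early, and the result should then be treated as "final host unknown" rather than "safe". Trading a little precision for breadth, the extractor also picks up URL-shaped values in parameters that are not redirect targets, which is acceptable for a mail-gateway signal but would need tightening for an automated block.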
4. LinkedIn Smart Link
LinkedIn Smart Links is a service that enables engagement and performance tracking of content through a single trackable link. This link can be shared across various channels like emails, messages and chats. However, this legitimate URL feature is now being abused by attackers as a redirector in phishing attempts. Below is an example of a malicious URL that exploits LinkedIn’s Smart Link service, leading users to a credential harvesting page.
In summary, the phishing email attack tactics discussed in this blog are just the tip of the iceberg. Threat actors will continue to evolve their methods, leveraging sophisticated tactics like open redirection and exploitation of trusted platforms for malicious redirection. Their primary goal is to evade detection mechanisms and exploit user trust by taking advantage of the trusted platform’s reputation and employing anti-phishing analysis tactics like intricate redirection chains. This underscores the need for continuous vigilance against cyberthreats, as they persistently evolve and present new challenges.
Trustwave MailMarshal provides protection against these phishing campaigns.