Kroll’s Cyber Threat Intelligence (CTI) team has been tracking an uptick in phishing campaigns utilizing open redirects. Open redirects are vulnerabilities commonly found on websites that allow for the manipulation of legitimate URLs, which actors can leverage to redirect users to arbitrary external URLs. They occur when a website allows for user-supplied input as part of a URL parameter in a redirect link, without proper validation or sanitization. This vulnerability can be exploited by an attacker to craft a malicious URL that appears legitimate but redirects the user to a different, potentially harmful website.
While by no means a new tactic, the abuse of open redirects in phishing attacks rose noticeably in Q2 2023. Threat actors have recently been seen targeting the financial and professional services sectors with these attacks, having previously cast a wider net across multiple industries. When targeting the professional and financial services sectors, a threat actor will typically send a phishing email containing a seemingly benign link to a political or news website.
By crafting a deceptive URL that leverages a trustworthy website, malicious actors can more easily manipulate users into clicking the link, and can also deceive or bypass network security tools that scan links for malicious content. The result is that the victim is redirected to a malicious site designed to steal sensitive information, such as login credentials, credit card details or personal data.
Breaking Down Open Redirect URLs
In the annotated example below, the section highlighted in green is the standard website URL. The vulnerable section, shown in yellow, allows any user to supply a redirect destination after the "URL" parameter. In a campaign observed by Kroll, threat actors used an open redirect in an email marketing feature running on a legitimate website. The section in red is the parameter value that redirects the user to a malicious site.
Anatomy of an open redirect link
This URL redirected the victim to a customized phishing page designed to capture credentials. In a subset of such cases, the redirect link can leverage services such as the Cloudflare CAPTCHA tool to hinder automated analysis of the link. Geo-blocking, which restricts access to a website by location, was also implemented to ensure that targets could only connect within certain geographies.
While examining one of the redirect links, Kroll observed a large number of submissions to VirusTotal, dating back to the beginning of May.
VirusTotal graph of phishing links connected to a malicious domain
DocuSign Email Lures Harness Open Redirects
In other widespread campaigns, the Kroll CTI team has observed similar "DocuSign" email lures containing multiple redirect hops before the phishing page, apparently sharing a similar phishing kit to achieve credential capture. In the most recent campaigns using this approach, the threat actors did not appear to target a specific industry or geography. Similar to the example above, many of the phishing emails in this campaign used Cloudflare to hinder automated analysis of the links they contained.
Example Phishing Lures
The threat actor leverages a phishing kit that can alter the phishing landing page on the fly, based on arguments passed to it from the redirect links followed in the original phishing email. These parameters are often base64 encoded and can include elements such as the organization's logo and the target user's name and email address.
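The two mechanics described above, an application redirecting to whatever its URL parameter says and a redirect parameter carrying a (possibly base64-encoded) destination, are illustrated in the following added example, which is not code from Kroll or from any campaign discussed here. It shows a hardened redirect check of the kind a website should apply before following a user-supplied parameter, and a small detector that flags off-site redirect destinations in links; the parameter names, hosts and links are constructed placeholders.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlparse

# Parameter names commonly used to carry a redirect destination (assumed list).
REDIRECT_PARAMS = {"url", "u", "redirect", "redirect_uri", "next", "return", "goto"}

# Constructed sample links; every host is a placeholder, not an indicator from the post.
SAMPLE_LINKS = [
    "https://legit-news.example/redirect?url=https://bad.example/login",
    "https://marketing.example/track?e=abc&u=aHR0cDovL2V2aWwuZXhhbXBsZS9kb2N1c2lnbg",
    "https://legit-news.example/article?id=42",
]

def safe_redirect_target(target, allowed_hosts):
    """Hardened check: return `target` only if it is a same-site relative path or an
    absolute http(s) URL on an allow-listed host; else None (caller uses a default page)."""
    if not target or any(c in target for c in "\\\r\n\t"):
        return None  # backslashes/control chars are browser parsing tricks: reject outright
    parts = urlparse(target)
    if parts.scheme == "" and parts.netloc == "":
        # A relative path needs exactly one leading slash; "//host/..." is protocol-relative.
        return target if parts.path.startswith("/") and not parts.path.startswith("//") else None
    if parts.scheme in ("http", "https") and parts.hostname in allowed_hosts:
        return target
    return None

def _maybe_base64(value):
    """Decode a base64 parameter (padding optional) to text, or None if it is not one."""
    try:
        return base64.b64decode(value + "=" * (-len(value) % 4), validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None

def find_open_redirects(link):
    """Return (parameter, destination) pairs where a redirect-style parameter of `link`
    carries an absolute URL, plain or base64-encoded, whose host differs from the link's."""
    outer = urlparse(link)
    hits = []
    for name, values in parse_qs(outer.query).items():
        if name.lower() not in REDIRECT_PARAMS:
            continue
        for value in values:
            for candidate in filter(None, (value, _maybe_base64(value))):
                inner = urlparse(candidate)
                if inner.scheme in ("http", "https") and inner.hostname not in (None, outer.hostname):
                    hits.append((name, candidate))
    return hits
```

The detector is a triage aid, not a verdict: a flagged link still needs the destination examined, and legitimate tracking services do redirect off-site, so tune the parameter list and host comparison to your environment.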
Recommendations
Threat actors continue to refine their social engineering strategies in order to execute more effective phishing campaigns. Because a manipulated link appears to point at a benign, trusted site, users are more likely to trust the URL and click it without scrutiny. This technique also serves as a potent defense evasion strategy; while Kroll observes active blocking from more advanced in-line email defense technologies, campaigns such as this still make their way through more basic defensive tools and spam filters. In order to prevent these threat actors from leveraging this method to gain access to your network, we provide the following guidance:
- Provide regular cybersecurity training sessions to educate all employees on the latest social engineering techniques and the risks associated with opening suspicious emails, downloading attachments or clicking on unknown links.
- Ensure users have a way to report potential threats. Provide a method of reporting phishing emails to administrators, IT or cybersecurity teams.
- While the campaigns observed by Kroll used email as the attack vector, it is important to note that this technique can be used in a number of ways, including links in social media posts and on forums. Ensure these can be recognized and proper caution is taken.
- Establish email security tools that can detect and block open redirect links in emails.