Just When You Had Your Users Trained
3rd Party Redirect Flaws Can Compromise You
If you are a CISO, there are some days that you just want to cut everyone’s email off. Just when you thought you had your users trained on phishing techniques and how to spot bad links in an email, the bad guys are upping the ante using a combination of phishing and website security flaws to attack your people.
Part of the social engineering / anti-phishing training that most organizations (it should be all, but it isn’t) put their people through encourages people to hover over links in email to verify that the domain the link is taking them to is what they expect. That strategy is no longer good enough.
Recently, the email security firm INKY published a study, based on data collected through its email security service, indicating that two new credential phishing campaigns are currently underway. These campaigns capitalize on a security weakness that is latently embedded in many websites. This weakness is known as “Open Redirect” and is documented in the MITRE Common Weakness Enumeration as CWE-601. In the most recent campaign, INKY has seen these flaws exploited within the websites of American Express and Snapchat.
Open redirect is a security vulnerability that occurs when a website fails to validate user input and allows threat actors to manipulate the URLs of recognized and trusted domains to redirect victims to malicious sites. Since the first domain name in the manipulated link is in fact the original site’s, the link may appear safe even to trained email recipients. When the recipient clicks the link, the trusted domain acts as a temporary landing page before the victim is redirected to a malicious site.
The following example shows an open redirect link. A user sees the link going to a safe site (safe.com) but may not realize that this domain will redirect them to a malicious site (malicious.com), which may harvest credentials or distribute malware.
A malicious redirect this blatant would be easy to train users to detect; however, a snippet from the actual campaign is a bit harder:
https://click.snapchat[.]com/aVHG?=https://29781.google.com&af_web_dp=https://qx.oyhob.acrssd[.]org. #.aHR0cHME6Ly9zdG9yYWdlYXBpLmZsZWVrLmNvLzI0MjY4ZTMyLT E2MEmQtNDUxYi1hNTc4LWZhNzg0OTdiZjM4NC1idWWNrZXQvb2Z maWNlMzY1Lmh0bWwjYWNvb3BlckBjcHRsaGVhbHRoLmNvbQ==
Or
https://www.americanexpress[.]com/Tracking?mid=ALE220718AEMLCATENUS120620PM3736&msrc=ALERTS-NOTIF-PLAT&url=https://58a.upwebseo[.]com/ms/aXJAbXdzbM2xhcmVVuZXJneS5jb20=
Perhaps these trusted websites don’t give open redirect vulnerabilities the attention they deserve because such flaws don’t allow attackers to breach the site or steal data from it. However, the victims may lose credentials, data, and possibly money. When victims lose money, that inevitably attracts plaintiffs' attorneys looking for a quick score. By asserting that the website operator was negligent in allowing this well-documented weakness to exist on their site, they will probably find one. I really hate talking to lawyers.
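The fix on the website side is to stop treating the redirect parameter as trusted input. The following is an added example (not code from INKY, American Express or Snapchat) of a redirect-target check that allows only same-site paths or absolute URLs to an allowlisted set of hosts; the host names and the `/account` fallback are assumptions for illustration. It goes beyond the two snippets above by also rejecting the common bypass forms (protocol-relative `//host`, backslash, `user@host` and `javascript:` variants).

```python
from urllib.parse import urlsplit

# Assumption: the hosts this site is willing to send users to after login.
ALLOWED_HOSTS = {"www.example-trusted.com", "login.example-trusted.com"}


def is_safe_redirect_target(url: str) -> bool:
    """Return True only if url is a same-site path or an https URL to an allowlisted host.

    Everything else (other domains, protocol-relative '//host', backslash
    tricks, credentials in the authority, non-https schemes) is rejected,
    which is what CWE-601 asks the site to do.
    """
    if not url or any(ch in url for ch in "\r\n\t"):
        return False  # control characters: header-injection attempts
    if "\\" in url:
        return False  # browsers treat '\' like '/'; reject instead of normalising
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative: require https + exact allowlisted host,
        # and no user:pass@ prefix that could disguise the real host.
        return (
            parts.scheme == "https"
            and parts.hostname in ALLOWED_HOSTS
            and parts.username is None
            and parts.password is None
        )
    # Relative reference: a single leading '/' keeps it on this origin;
    # '//' (or '///') would be resolved by the browser as a different host.
    return url.startswith("/") and not url.startswith("//")


def resolve_redirect(requested: str, fallback: str = "/account") -> str:
    """Redirect to the requested target only if it passes the check, else to fallback."""
    return requested if is_safe_redirect_target(requested) else fallback


if __name__ == "__main__":
    # Constructed inputs mirroring the campaign pattern: a trusted domain's
    # redirect parameter carrying a full URL to somewhere else.
    for candidate in [
        "/account?tab=cards",
        "https://login.example-trusted.com/sso",
        "https://58a.attacker.example/ms/aXJAbX",  # constructed, not a real host
        "//attacker.example/",
        "https://www.example-trusted.com@attacker.example/",
        "javascript:alert(1)",
    ]:
        print(f"{candidate!r:55} -> {resolve_redirect(candidate)}")
```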
Bottom line for CISOs:
Bottom line for Website developers/operators: