COMMENTARY: The eye-catching headline declares: “Nespresso Domain Serves Up Steamy Cup of Phish, No Cream or Sugar.” While not a data breach per se, the story’s open redirect vulnerability spills the beans on the extent to which threat actors will go to evade detection and dupe unsuspecting users with covert, under-the-radar phishing tactics.

An open redirect vulnerability lets bad actors misdirect potential targets from legitimate websites to malicious websites. This usually happens when a website or web application forwards the user to a URL taken from user-controlled input without validating it.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

For example, in the case of the fictitious domain https://goodsite.com, if the site’s server does not validate or restrict the URL= parameter, then any threat actor can craft a link such as https://goodsite.com?URL=badsite.com, sending the unsuspecting user to the malicious “badsite.com.” Bad actors exploit these modified URLs in their phishing campaigns.

Open redirect attacks can present themselves in numerous forms. Common ones include:

- Basic redirects: The most straightforward form, in which the URL parameter itself is exploited to redirect users.
- Header-based redirects: An attacker exploits the HTTP response headers to manipulate the redirection process. This includes influencing headers such as “Location” and other custom headers that dictate where a user is redirected.
- URL shorteners: Adversaries use popular URL shortener services to point users to a malicious website instead of a legitimate one.
- Chain of redirects: Sometimes victims are redirected through multiple legitimate-looking websites before they land on a malicious website.
- Redirects in third-party services: Third-party services such as single sign-on and payment gateways may have redirect vulnerabilities that are open to exploitation.
- JavaScript redirects: Some websites use a JavaScript function to redirect users to a specific page. If an attacker replaces the existing URL with a malicious one, visitors can be redirected to phishing URLs.

The consequences of an open redirect attack include:

- Identity and credential theft: As seen in the Nespresso example, victims were redirected to a Microsoft login page whose purpose was to capture the victim’s credentials. Attackers can use these credentials either to infiltrate organizations or to hijack the victim’s mailbox, online profiles or identity.
- Malware and ransomware: An open redirect can lead users to a malicious website or a URL that installs malicious software such as infostealers, trojan horses, or ransomware beacon payloads.
- Data theft and financial loss: If victims are redirected to a phishing page and reveal personal and business data, or banking and financial details, then they (or their employer) can suffer financial losses.
- Loss of trust and reputation: If website visitors realize they have been misled or defrauded, they will lose trust in the business.

Organizations can defend against open redirects in several ways:

- Education and training: Open redirect attacks succeed because users blindly trust brand names and their website URLs. Organizations must run awareness programs that teach users to watch for URL= parameters, to stay wary of unfamiliar URLs and to inspect them closely before clicking.
- URL whitelisting: Adopt a whitelist approach that allows redirection only to trusted domains and URLs.
- Advanced security: Use advanced email security gateways that can detect open redirects in emails, and inspect website and application code for open redirect vulnerabilities.
- Implement safe redirection rules: If a website or web application has redirection enabled, ensure that the company has strict rules in place that allow redirection only to trusted domains.
- Adopt best practices for safe redirection: use server-side 301 and 302 redirects instead of “meta-refresh” or “location.replace()”.

Not all cyberattacks are the handiwork of highly sophisticated threat actors using hyper-advanced techniques. Some of the most damaging cyberattacks stem from the simplest actions, such as someone responding to a phishing email, downloading a malicious attachment, using weak passwords, or blindly trusting a website URL. By adopting security best practices and training employees appropriately, organizations can become more resilient to phishing scams and attacks like open redirects.

Stu Sjouwerman, founder and CEO, KnowBe4
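The allowlist check from the mitigation list and the kind of inspection an email gateway would apply to the URL= pattern from the goodsite.com example, as an added example; this is not code from the column, from KnowBe4 or from SC Media. It is Python, it assumes a site whose only legitimate redirect hosts are goodsite.com and www.goodsite.com (an assumed allowlist), and the sample links it scans are constructed. The validator also handles the edge cases a naive “starts with goodsite.com” check misses: protocol-relative paths, backslashes, userinfo before the host, and look-alike subdomains.

```python
"""Added example: allowlist-based redirect validation plus a simple
gateway-style detector for links that carry another URL in a query parameter.
Assumes a site whose only legitimate redirect hosts are goodsite.com and
www.goodsite.com (constructed allowlist, not a real configuration)."""
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed allowlist: the only hosts this site is willing to redirect to.
ALLOWED_HOSTS = {"goodsite.com", "www.goodsite.com"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only for a same-site relative path or an http(s) URL whose
    host is exactly on the allowlist. The input is the already-decoded value
    of the URL= parameter, so it is deliberately not percent-decoded again."""
    if not target or len(target) > 2048:
        return False
    t = target.strip()
    # Control characters and backslashes are rejected outright: browsers treat
    # a backslash as a slash, so "/\\badsite.com" would leave the site.
    if "\\" in t or any(ord(c) < 0x20 for c in t):
        return False
    parts = urlsplit(t)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path on this site. A leading "//" is protocol-relative
        # (another host), so only a single leading "/" is accepted.
        return t.startswith("/") and not t.startswith("//")
    if parts.scheme.lower() not in ("http", "https"):
        return False            # data:, javascript:, ftp: and friends
    if parts.username is not None or parts.password is not None:
        return False            # "https://goodsite.com@badsite.com" style URLs
    host = (parts.hostname or "").lower()
    return host in allowed_hosts   # exact match, so goodsite.com.badsite.com fails


def choose_redirect(target: str, fallback: str = "/") -> str:
    """What a hardened redirect handler does with the URL= value: honour it
    only when it passes the allowlist check, otherwise send the user home."""
    return target if is_safe_redirect(target) else fallback


def find_embedded_redirect_urls(link: str):
    """Detection side: list (parameter, value) pairs whose value is an absolute
    or protocol-relative URL, the shape a redirect phishing link takes.
    parse_qs decodes once; a second unquote catches double-encoded values."""
    findings = []
    for name, values in parse_qs(urlsplit(link).query, keep_blank_values=True).items():
        for value in values:
            v = unquote(value).strip()
            if v.lower().startswith(("http://", "https://", "//")):
                findings.append((name, v))
    return findings


# Constructed sample links, in the shape an email gateway would inspect.
SAMPLE_LINKS = [
    "https://goodsite.com/login?URL=https://badsite.com/verify",
    "https://goodsite.com/go?next=%252F%252Fbadsite.com%252Fauth",
    "https://goodsite.com/go?next=/account",
    "https://goodsite.com/docs?q=redirect",
]


def scan_links(links):
    """Return the links that carry an embedded redirect target."""
    return [link for link in links if find_embedded_redirect_urls(link)]


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", find_embedded_redirect_urls(link) or "clean")
    for candidate in ("/account", "https://goodsite.com/x",
                      "//badsite.com", "https://goodsite.com@badsite.com/"):
        print(candidate, "->", choose_redirect(candidate))
```

The validator deliberately matches hosts exactly rather than by prefix or suffix, and it treats anything that is not an http(s) URL or a single-slash relative path as unsafe; a site that only ever needs same-site redirects can drop the allowlist branch entirely and keep just the relative-path rule. The detector is a triage signal, not a verdict: a flagged link still needs the gateway to follow the redirect (or check the host against its own reputation data) before it blocks the message.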