Open Redirects: The Latest and Ugliest Face of Phishing Attacks

Anyone who has been on the Internet for a long time will tell you not to click on any link or messages received from a suspicious or unknown number or email id. 99 times out of 100, such messages are phishing attacks designed to steal a user’s personal, sensitive data or install malware in a user’s device for data theft. There’s no shortage of phishing attacks like spear-phishing, smishing, email phishing, and search engine phishing, among others.

According to a report, the FBI received a total of 2,41,324 phishing incidents in 2020 with adjusted losses to the tune of more than $54 million. This is nearly double what was reported in 2019. This is even though most users are now educated against common phishing attacks.

One of the ways through which you can see that a URL is a phishing link is by hovering the mouse over the link and seeing the actual URL. However, hackers are constantly evolving, and they have managed to exploit this basic check, which is called Open Redirect phishing attacks. Here’s everything you need to know.

Why Are Open Redirects Perfect Disguise for Phishing Attacks?

What makes Open Redirects a perfect disguise for phishing attacks is that most websites commonly use them, famous or otherwise. This is because redirects are very useful as they let website owners move to a new domain without losing the domain authority. Some websites use them for marketing purposes where they create multiple domains with similar content and then employ redirects to direct the traffic to the main website.

You can see here how it’s possible for a hacker worth their salt to exploit redirects to create a covert redirect leading to a website other than the originally intended URL. This is a dangerous flaw that most web admins should not allow in the first place.  A good and reputed website should have proper configurations to restrict unknown redirects or have “allow listed” property in place for external redirects. However, not all webmasters are skillful or careful enough, which leads to hackers exploiting their URL for an open redirect phishing attack.

For example, you might receive an email resembling your binary trading or Bitcoin platform saying you have received a certain amount of profit and to claim it you’ll have to log in to the platform.

The link in the email might look legit to the naked eye but might have a hidden code that will redirect you to a malicious site that “looks” like your trading platform. It’s imperative to check if the website is legit before clicking on any link that requires providing your sensitive personal data, especially those concerning finances. You can do a basic check by inspecting the URL, SSL certificates, and more.

How Are Hackers Exploiting Open Redirects?

When employing an open redirect phishing attack, a hacker will take a legitimate URL of a popular website like banking or e-commerce. They will then embed a malicious code buried deep within the link, which activates when the users click on it. The URL will then take them to a different malicious domain, designed to look like the original website but sends the data to the hacker.

Here’s how it works. The victim receives the phishing email from the hacker with the open redirect URL in it. As they hover their mouse on the link, they are shown the original URL. Blissfully unaware of the malicious code in the link, they click on it.

The user is then redirected to the scam website. To make it look legit, the website will throw up a sign-in error message with a CAPTCHA verification, which assures users that they are on a legit website. They are then asked to log in again because of the error, and that’s how their details land up with the hacker.

While the phishing attack method is quite similar to good old email phishing, the execution of open redirect is what makes it more sophisticated. This is the reason why phishing attacks doubled in number last year compared to the year before.

How to Safeguard Against Open Redirect Phishing Attacks?

Every effective phishing attack has three elements: a social bait, a sophisticated detection evasion technique like open redirect, and a solid infrastructure to carry out the attack. One of the best ways to safeguard against a phishing attack is installing and using powerful Internet security software on your device, be it a tablet, PC, or smartphone.

 This software will continuously monitor the incoming emails or messages to filter out attachments containing malware, phishing sites, and malicious links. Some software also lets users set parameters like block emails or messages from unknown numbers and email IDs.

However, sneaky malware can find its way to your inbox even with the security software in place. Therefore, the next best layer of protection is awareness and education about such attacks. You already know better than to click on suspicious links. If you fall prey to an extremely legit-looking phishing link, look out for red flags like immediate sign-in error prompting you to provide the password again and the likes.

In the end, the best protection against possible phishing attacks is to be careful and avoid opening any email or other communication from unknown numbers. No one is more significant, and no issue is more pressing than your security. Therefore, stick to emails you recognize, and instead of opening links from email, go directly to the intended website.

Back to top button