Study: Site Redirects Abundant, Aid Phishers

An examination of nearly 2.5 million Web pages at some of the Internet's most popular and trusted sites turned up at least 128,000 links that could be manipulated by fraudsters and virus writers to make online scams more believable, a study released this month found.

Scammers and phishers are taking advantage of the commonly used code behind "redirects" to divert traffic from reputable Web sites to sites that could harbor malicious software or phishing schemes.

Redirects aren't all bad. In essence, they are Web links that are used to forward traffic from one site to another. They can be useful when Web site owners want to move content around and don't want old links leading to dead pages. Redirects can help selectively re-route traffic: For instance, www.example.com may want to forward any requests for a specific Web page to a third-party site. In addition, well-known companies use redirects to forward traffic from site names they own that include common misspellings of their brand name.

But redirects can be abused when Web sites that employ them leave them "open," or permit them to forward traffic to any site on the Internet. Phishers and virus writers constantly seek out these kinds of security vulnerabilities in trusted Web sites, because the bad guys know people are more likely to click on a link if they believe it will take them to a site they know and trust.
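The difference between an "open" redirect and a properly constrained one comes down to what the forwarding code does with the destination it is handed. The following Python is an added illustration, not code from the post or from any of the sites named in it: the first function is the unsafe pattern (forward to whatever the link says), the second checks the destination against the site's own hostname and a short allow-list of partner hosts. The hostnames are made up, and the tricky inputs the comments mention (scheme-relative links, backslashes, userinfo before an @) are the cases such a check must not miss.

```python
"""Open-redirect handling: the weak pattern beside a hardened one.

Added example; SITE_HOST and ALLOWED_HOSTS are constructed placeholders.
"""
from urllib.parse import urlsplit, urljoin

# Assumed values for this illustration: the site's own hostname and the
# third-party hosts its operator has approved as redirect destinations.
SITE_HOST = "www.example.com"
ALLOWED_HOSTS = {"www.example.com", "help.example.com", "partner.example.net"}


def open_redirect_target(next_url: str) -> str:
    """The pattern the study found: trust the parameter and forward to it."""
    return next_url


def safe_redirect_target(next_url: str, fallback: str = "/") -> str:
    """Return a destination that is on this site or on an allow-listed host.

    Anything else collapses to ``fallback``, so a crafted link cannot use
    this endpoint to send visitors to a site the operator never approved.
    """
    if not next_url:
        return fallback
    # Browsers accept a backslash where a slash is expected, so normalise
    # first; otherwise "/\evil.example" parses as a harmless relative path.
    candidate = next_url.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return fallback  # javascript:, data:, and similar
    if parts.scheme and not parts.netloc:
        return fallback  # "http:evil.example" style, no real host to check
    if parts.netloc:
        # Absolute or scheme-relative ("//host/...") URL: the host must be
        # approved. ``hostname`` drops userinfo ("trusted@evil") and the port.
        host = (parts.hostname or "").lower()
        if host not in ALLOWED_HOSTS:
            return fallback
        return candidate
    # No host at all: a relative path. Resolve it against our own origin and
    # confirm the result still lives on this site before handing it back.
    resolved = urlsplit(urljoin(f"https://{SITE_HOST}/", candidate))
    if (resolved.hostname or "").lower() != SITE_HOST:
        return fallback
    return resolved.path + (f"?{resolved.query}" if resolved.query else "")
```

A redirect handler would call `safe_redirect_target(request.args.get("url"))` and send the visitor to the value returned; the fallback keeps the user on the site instead of raising an error, which is usually the friendlier outcome for a link that was tampered with.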

Understanding how redirects can be abused is often easier shown than explained. For example, I altered this link -- found at About.com and originally used to help site visitors locate content that had moved to another portion of About.com -- so that it instead brings you right back here to Security Fix. As does this redirect at Web ad giant ATDMT, this page at MacDailyNews, and this link from the National Sex Offender registry.

(By hovering over a link -- or by right-clicking on one of these links, selecting "Copy Shortcut," and pasting the URL into another Web browser -- you can see how it was formatted to take you from one Web site to where I wanted it to go.)

Researchers at Indiana University sought to find out just how many open redirects are now out there by building a computer program that crawled tens of thousands of the most-visited sites, using sophisticated formulas to automatically discover when sites were running open redirects.

Indiana Ph.D. student Craig Shue said he and his fellow researchers were surprised by the number of high-profile Web sites with open redirects, particularly since they are not difficult to identify or fix.

"When someone else can manipulate your redirect and craft a link however they want, that can really hurt your brand. If you're eBay and you have an open redirect in your site, that makes it really easy for a phisher to incorporate the actual eBay site," in a link that ultimately forwards people to a counterfeit eBay page, Shue said.

A redirect link at eBay.com that a Phishtank user spotted in an e-mail (above) leads to a fake eBay site (below)

In fact, the screen shot to the right of a Phishtank.com writeup shows a portion of a link leading to a live eBay phishing site that uses an open redirect on the auction giant's site. Interestingly, this phishing site has been live nearly six weeks now: Note the Jun. 5th submission date (I took that screenshot of the phishing site last night). Another recent Phishtank submission shows an open redirect on AOL.com.

Redirects are nothing new. Indeed, some of the Internet's biggest Web sites -- particularly Google -- used to host large numbers of open redirects. But as the Indiana study shows, open redirects remain very easy to find and exploit.

It's important to note that the researchers' bots found 128,000 open redirects just using regular HTML code. They didn't bother trying to craft links that used sneakier or more advanced methods -- such as JavaScript or complex URL encoding -- which would have no doubt drastically expanded the number of open redirects uncovered.
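The Indiana crawler looked at a site from the outside; a site operator can look at the same problem from the inside by checking the server's own access log for requests that hit a redirect endpoint with a destination on some other host. The Python below is an added example, not the study's crawler or any site's code: the endpoint paths, parameter names and allowed hosts are assumptions, and the log lines are constructed for the illustration. It decodes the percent-encoded destinations in the query string, so the "complex URL encoding" mentioned above does not hide the target host from the check.

```python
"""Flag access-log requests that used a redirect endpoint to leave the site.

Added example; endpoints, parameter names, hosts and log lines are made up.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Assumptions for this illustration: which paths redirect, which query
# parameters carry the destination, and which hosts are legitimate targets.
REDIRECT_PATHS = {"/redirect", "/r", "/click"}
DEST_PARAMS = ("url", "next", "redir", "goto", "return", "u")
ALLOWED_HOSTS = {"www.example.com", "help.example.com", "partner.example.net"}

# Common log format: client, ident, user, [time], "METHOD target HTTP/x", status, size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines; clients use documentation address ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Jul/2008:16:35:01 -0400] "GET /redirect?url=http%3A%2F%2Fevil.example%2Fsignin HTTP/1.1" 302 0
203.0.113.5 - - [16/Jul/2008:16:35:02 -0400] "GET /redirect?url=%2Fhelp%2Ffaq HTTP/1.1" 302 0
198.51.100.7 - - [16/Jul/2008:16:36:10 -0400] "GET /r?next=//evil.example/reset HTTP/1.1" 302 0
198.51.100.7 - - [16/Jul/2008:16:36:11 -0400] "GET /click?u=https%3A%2F%2Fpartner.example.net%2Fdeal HTTP/1.1" 302 0
192.0.2.9 - - [16/Jul/2008:16:37:00 -0400] "GET /search?q=redirect HTTP/1.1" 200 5120
192.0.2.9 - - [16/Jul/2008:16:37:05 -0400] "GET /redirect?url=http%3A%2F%2Fwww.example.com%40evil.example%2F HTTP/1.1" 302 0
"""


def external_destination(value: str):
    """Return the off-site host a destination value points at, or None."""
    value = value.replace("\\", "/")  # browsers treat "\" like "/"
    parts = urlsplit(value)
    if not parts.netloc:
        return None  # relative path: the visitor stays on our site
    host = (parts.hostname or "").lower()  # strips userinfo and port
    return None if host in ALLOWED_HOSTS else host


def find_open_redirect_uses(log_text: str):
    """Return (client, endpoint, param, external_host) for each suspicious hit."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if target.path not in REDIRECT_PATHS:
            continue
        # parse_qs percent-decodes the values, so encoded hosts are visible.
        params = parse_qs(target.query, keep_blank_values=True)
        for name in DEST_PARAMS:
            for value in params.get(name, []):
                host = external_destination(value)
                if host:
                    findings.append((m.group("client"), target.path, name, host))
    return findings


if __name__ == "__main__":
    for finding in find_open_redirect_uses(SAMPLE_LOG):
        print("off-site redirect: client=%s endpoint=%s param=%s host=%s" % finding)
```

Run against the sample, three of the six lines are flagged: the percent-encoded absolute URL, the scheme-relative `//evil.example` form, and the `www.example.com@evil.example` form that reads as the trusted site at a glance. A result like that is the signal that the endpoint needs the allow-list check rather than a reason to block the individual clients.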

Shue will present the Indiana University study at the USENIX Workshop on Offensive Technologies (WOOT) later this month in San Jose, Calif. The paper is available from this link here (PDF).

By Brian Krebs  |  July 16, 2008; 4:35 PM ET
Categories:  Fraud , From the Bunker , Latest Warnings , Safety Tips  

Comments

Shame on you Brian! Now everyone will be trying to redirect to their own malicious phishing site. It'll be anarchy! I can't believe how irresponsible you are...

Just kidding of course. Thanks (again) for the information.

Posted by: rvs | July 16, 2008 5:34 PM | Report abuse

And this one is from Google:
http://images.google.com/imgres?imgurl=http://image.guardian.co.uk/sys-images/Film/Pix/pictures/2007/11/14/beowulf380.jpg&imgrefurl=http://blog.washingtonpost.com/securityfix/2008/07/study_site_redirects_abundant_1.html&h=276&w=380&sz=38&hl=en&start=8&um=1

Should redirect to this page.

The page is displayed within a frame, but using simple JavaScript code, malicious sites can easily get rid of this frame.

Posted by: Denis | July 16, 2008 5:58 PM | Report abuse

Thanks Brian.

Posted by: brucerealtor | July 16, 2008 11:20 PM | Report abuse

Damn, Brian! When do you have a chance to have a life? You are constantly uncovering and blogging about stuff like this, and I read about it every day. Are you 24/7 or what? Anyway, thanks!

Posted by: Pete from Arlington | July 17, 2008 10:25 AM | Report abuse

I posted a link to your very interesting post at my PCI blog: http://treasuryinstitute.org/blog/index.php?itemid=157

Posted by: W Conway | July 17, 2008 12:32 PM | Report abuse

This is one of many technical tricks bad guys can play with URLs. For more see
http://michaelhorowitz.com/linksthatlie.html#urltricks

Posted by: Michael Horowitz | July 17, 2008 9:43 PM | Report abuse



© 2010 The Washington Post Company