The Risk of Redirector Domains in Phishing Attacks



Researchers at GreatHorn warn that a large-scale phishing campaign is using open redirects to evade email security filters. Open redirects allow attackers to take a URL from a non-malicious website and tack on a redirect, so that when the link is clicked it will take the user to a phishing page. This results in a phishing link that can fool both humans and technology. A human may inspect the URL and conclude that it will take them to a legitimate site, while security filters will struggle to flag the link as malicious.
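As an added example (not from GreatHorn's report or the original post), this Python sketch flags links whose query string or fragment carries an absolute URL on a different host than the one a reader sees, which is the shape of the open-redirect links described above. The function names and sample links are constructed for illustration, and exact host comparison is a simplifying assumption.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

MAX_DECODE_ROUNDS = 3  # redirect targets are often percent-encoded more than once


def embedded_host(value):
    """Return the host of an absolute URL carried in value, or None."""
    for _ in range(MAX_DECODE_ROUNDS + 1):
        candidate = value.strip()
        # Scheme-relative targets ("//host/path") also leave the site.
        if candidate.startswith("//"):
            candidate = "http:" + candidate
        try:
            parts = urlsplit(candidate)
        except ValueError:  # malformed value, e.g. unbalanced IPv6 brackets
            return None
        if parts.scheme.lower() in ("http", "https") and parts.hostname:
            return parts.hostname.lower()
        decoded = unquote(value)
        if decoded == value:  # nothing left to decode
            return None
        value = decoded
    return None


def redirect_targets(url):
    """Return (parameter, host) pairs where the link carries a URL on another host."""
    try:
        outer = urlsplit(url)
    except ValueError:
        return []
    outer_host = (outer.hostname or "").lower()
    findings = []
    # Some redirectors read key=value pairs from the fragment, so check both.
    for source in (outer.query, outer.fragment):
        for name, value in parse_qsl(source, keep_blank_values=True):
            host = embedded_host(value)
            # Assumption: exact host match; real filters compare registrable domains.
            if host and host != outer_host:
                findings.append((name, host))
    return findings


# Constructed sample links using reserved example domains.
SAMPLE_LINKS = [
    "https://www.example.com/out?url=https%3A%2F%2Flogin.example.net%2Fo365",
    "https://www.example.com/out?next=https%253A%252F%252Flogin.example.net%252F",
    "https://www.example.com/docs?page=2&ref=/help",
]
```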

“The Threat Intelligence Team described this campaign as a ‘comprehensive and multi-pronged attack,’ with multiple hosting services and web servers being used to host fraudulent Office 365 login pages,” the researchers write. “Malicious links, delivered via phishing emails to regular users worldwide, are bypassing their email providers’ native security controls and slipping past nearly every legacy email security platform on the market.”

Based on similarities in the phishing emails and malicious sites, GreatHorn believes a single actor is behind the campaign.

“The URLs in the phishing emails sent to users vary,” the researchers write. “Some employ redirects; others point directly at the phishing kit pages. The phishing kit itself uses the same naming structure in nearly all cases: http://t.****/r/, where *** represents the domain. However, the URL path varies across individual messages, as part of a common tactic used to bypass simple blocking rules that prevent these messages from reaching users.”

The phishing pages are designed to steal credentials, but they also contain JavaScript that will install malware on the victim’s computer.

“The phishing webpages impersonate a Microsoft Office 365 login, using the Microsoft logo and requesting that users enter their password, verify their account, or sign-in,” GreatHorn says. “Given this campaign’s breadth and highly targeted nature, the sophistication and complexity suggest that the attackers’ significant coordinated effort is underway. Additionally, GreatHorn’s Threat Research Intelligence Team identified attempts to deploy the Cryxos trojan on multiple browsers, including Chrome and Safari.”

New-school security awareness training can prepare your employees to identify and thwart phishing emails that bypass your technical defenses.

GreatHorn has the story.

