Trusted Domain, Hidden Danger: Deceptive URL Redirections in Email Phishing Attacks

In this ever-evolving landscape of cyberthreats, email has become a prime target for phishing attacks. Cybercriminals continue to adapt and employ more sophisticated methods to effectively deceive users and bypass detection measures. One of the most prevalent tactics nowadays involves exploiting legitimate platforms for redirection through deceptive links. In this blog post, we’ll explore how trusted platforms are increasingly being exploited as redirectors, highlighting the risks and the latest trends that users and businesses alike should be aware of.
在这种不断发展的网络威胁环境中，电子邮件已成为网络钓鱼攻击的主要目标。网络犯罪分子不断适应并采用更复杂的方法来有效地欺骗用户并绕过检测措施。当今最流行的策略之一是利用合法平台通过欺骗性链接进行重定向。在这篇博文中，我们将探讨可信平台如何越来越多地被用作重定向器，重点介绍用户和企业都应该注意的风险和最新趋势。

Abuse of trusted platforms for redirection involves the use of legitimate websites that are cleverly designed to redirect unsuspecting users to unwanted URL destinations.
滥用受信任的平台进行重定向涉及使用合法网站，这些网站经过巧妙设计，可将毫无戒心的用户重定向到不需要的 URL 目标。

Why is URL redirection in phishing emails dangerous and effective?
为什么网络钓鱼电子邮件中的 URL 重定向既危险又有效？

• Bypassing Security Filters
  绕过安全过滤器

  Redirection effectively bypasses traditional security measures that scan for known malicious URLs, as the initial link appears safe and originates from a trusted source. Threat actors also employ multiple redirections which makes it harder to track the destination URL.
  重定向有效地绕过了扫描已知恶意 URL 的传统安全措施，因为初始链接看起来很安全并且来自受信任的来源。威胁参与者还使用多个重定向，这使得跟踪目标 URL 变得更加困难。
  
  

• Exploiting User Trust 利用用户信任

  The use of trusted domains in phishing attacks increases their likelihood of success, since users are more likely to recognize and trust these domains.
  在网络钓鱼攻击中使用受信任的域会增加其成功的可能性，因为用户更有可能识别和信任这些域。
  
  

• Concealing Malicious Intent
  隐瞒恶意意图
  

  For an average user, it can be challenging to detect redirections. The initial URL may appear genuine, and the transition to the malicious site is often smooth and undetectable.
  对于普通用户来说，检测重定向可能具有挑战性。初始 URL 可能看起来是真实的，并且向恶意站点的过渡通常很顺利且无法检测到。
  
  

• Malicious Payload 恶意负载

In email attacks, redirected sites can lead to malicious payloads such as phishing pages that steals sensitive information or installation of malware onto the user’s device.
在电子邮件攻击中，重定向的站点可能会导致恶意负载，例如窃取敏感信息的网络钓鱼页面或在用户设备上安装恶意软件。

Emerging Trends: 新兴趋势：

1. The Growing Threat of Open Redirect URLs in Email Attacks
   电子邮件攻击中开放重定向 URL 的威胁日益增加

We observed a significant rise in phishing campaigns that exploit open redirect vulnerabilities.
我们观察到利用开放重定向漏洞的网络钓鱼活动显着增加。

What is Open URL Redirection Vulnerability?
什么是 Open URL 重定向漏洞？

According to MITRE CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’), an Open Redirect Vulnerability is characterized as follows:
根据 MITRE CWE-601：URL 重定向到不受信任的站点（“开放重定向”），开放重定向漏洞的特征如下：

This flaw in web applications occurs when users can be redirected to external sites based on unvalidated inputs, potentially leading them to attacker-controlled sites, such as phishing websites.
当用户可以根据未经验证的输入重定向到外部站点时，就会发生 Web 应用程序中的此缺陷，从而可能将他们引导至攻击者控制的站点，例如网络钓鱼网站。

Below is an example of what an open redirect looks like in a deceptive email campaign:
以下是开放式重定向在欺骗性电子邮件活动中的样子示例：

In this scenario, when a user clicks on the link hxxps://goodsite[.]com/redir[.]php?url=hxxp://badsite[.]com, the following process unfolds:
在此方案中，当用户单击链接 hxxps://goodsite[.]com/redir[.]php？url=hxxp：//badsite[.]com，则展开以下过程：

• Initial Click: The user initially accesses the ‘goodsite[.]com’ domain, which is a trusted and legitimate website.
  初始点击：用户最初访问“goodsite[.]com“域名，这是一个受信任且合法的网站。
  
  
• Triggering the Redirection: The URL contains a query parameter ‘url=http://badsite[.]com’, instructing a redirection to the specified external URL ‘badsite[.]com’.
  触发重定向：URL 包含查询参数 ‘url=http：//badsite[.]com“，指示重定向到指定的外部 URL ”badsite[.]com’。
  
  
• Absence of URL Validation: ‘goodsite[.]com’ doesn’t verify if the external URL specified in the URL parameter is a legitimate and safe destination.
  缺少 URL 验证：’goodsite[.]com’ 不会验证 URL 参数中指定的外部 URL 是否为合法且安全的目标。
  
  
• Automatic Redirection to an Unsafe Site: Since there’s no validation, the user is automatically redirected from goodsite[.]com to hxxp://badsite[.]com. This site is under the control of attackers and could be harmful.
  自动重定向到不安全的站点：由于没有验证，因此会自动将用户从 goodsite[.] 重定向到com 到 hxxp://badsite[.]com。此站点处于攻击者的控制之下，可能是有害的。
  
  

Attackers are increasingly probing and testing links on trusted platforms that are vulnerable to open redirection. They manipulate URL parameters to redirect users to malicious sites, embedding these links in phishing emails. This enables them to launch phishing attacks and steal user credentials
攻击者越来越多地在易受开放重定向的受信任平台上探测和测试链接。他们操纵 URL 参数将用户重定向到恶意网站，将这些链接嵌入到网络钓鱼电子邮件中。这使他们能够发起网络钓鱼攻击并窃取用户凭据

For additional background and information please refer to previous SpiderLabs research on Open Redirect vulnerabilities as well as a recent article about Google services redirects.
有关其他背景和信息，请参阅之前 SpiderLabs 对开放重定向漏洞的研究，以及最近一篇关于 Google 服务重定向的文章。

1.1 Real-World Email Phishing with Open Redirect link
1.1 具有开放重定向链接的真实电子邮件网络钓鱼

The email below mimics a multi-factor authentication (MFA) email alert, falsely notifying the recipient of a sign-in attempt that also includes a one-time security code. It features a deceptive link labeled “I didn’t try to sign in,” exploiting the recipient’s instinct to protect their account.
下面的电子邮件模拟多重身份验证 （MFA） 电子邮件警报，错误地通知收件人登录尝试，其中还包括一次性安全代码。它有一个标有“我没有尝试登录”的欺骗性链接，利用收件人的本能来保护他们的帐户。

It uses a base URL ‘hxxps[://]www[.]intelliclicktracking[.]net/’, belonging to IntelliClick, a legitimate email and website marketing solutions provider. Despite being a legitimate service, this domain is being exploited by threat actors to carry out phishing attacks via open redirects.
它使用基 URL ‘hxxps[：//]www[.]intelliclicktracking[.]net/’，属于合法的电子邮件和网站营销解决方案提供商 IntelliClick。尽管是一项合法服务，但威胁行为者正在利用该域通过开放重定向进行网络钓鱼攻击。

It has a URL parameter that points to a malicious IPFS site shown highlighted in the image above containing an email address fragment. InterPlanetary File System or IPFS is a distributed, peer-to-peer file sharing system that is increasingly abused in phishing attacks which we discussed in our previous blog.
它有一个 URL 参数，该参数指向上图中突出显示的恶意 IPFS 站点，其中包含电子邮件地址片段。星际文件系统（IPFS）是一种分布式的点对点文件共享系统，在网络钓鱼攻击中越来越多地被滥用，我们在之前的博客中对此进行了讨论。

Here is the redirection chain for the exploited URL which redirects to the appended IPFS URL hosting the fake login form impersonating Webmail.
这是被利用的 URL 的重定向链，该链接重定向到托管冒充 Webmail 的虚假登录表单的附加 IPFS URL。

1.2 E-Signature Platforms and Microsoft-themed Image Phishing Campaigns
1.2 电子签名平台和 Microsoft 主题的图像网络钓鱼活动

From Q3-Q4 2023, there has been a rise in phishing campaigns using open redirect tactics, because of an increasing number of image-based attacks impersonating brands like Microsoft and e-signature services such as DocuSign and Adobe Sign. As the name implies, image-based attacks use images to carry malicious links allowing it to bypass text-based security filters. The inclusion of open redirect techniques in image-based phishing attacks makes it harder for standard security systems to detect and prevent these phishing schemes.
从 2023 年第 3 季度到第 4 季度，由于冒充 Microsoft 等品牌以及 DocuSign 和 Adobe Sign 等电子签名服务的基于图像的攻击越来越多，使用开放重定向策略的网络钓鱼活动有所增加。顾名思义，基于图像的攻击使用图像携带恶意链接，从而绕过基于文本的安全过滤器。在基于图像的网络钓鱼攻击中包含开放重定向技术使标准安全系统更难检测和阻止这些网络钓鱼方案。

• Adobe Acrobat Sign Image Phishing
  Adobe Acrobat Sign 图像网络钓鱼

This image-based phishing campaign mimics an Adobe Acrobat Sign request, using a crafted legitimate Adobe URL (campaign[.]adobe[.]com) with an open redirect to appear legitimate and impersonate Adobe effectively. It uses multiple redirections, initially through the Adobe campaign link. It then redirects through Constant Contact (r20[.]rs6[.]net), a well-known email marketing service, before finally redirecting to the intended landing page.
此基于图像的网络钓鱼活动使用精心制作的合法 Adobe URL （campaign[.]adobe[.]com），并带有开放重定向，以显示合法并有效地冒充 Adobe。它使用多个重定向，最初是通过Adobe Campaign链接进行的。然后，它通过 Constant Contact （r20[.]rs6[.]net），一个著名的电子邮件营销服务，然后最终重定向到预期的登录页面。

• Microsoft Brand Image Phishing
  Microsoft 品牌形象网络钓鱼
  
  Here is another image-based email campaign. This time the threat actors are impersonating Microsoft ‘Outlook’ notifications. The attack leverages an open redirect vulnerability in the the MyTheresa domain, a global luxury e-commerce platform to conduct the phishing attack.
  这是另一个基于图像的电子邮件活动。这一次，威胁参与者冒充Microsoft的“Outlook”通知。该攻击利用全球奢侈品电子商务平台MyTheresa域中的开放重定向漏洞进行网络钓鱼攻击。

1.3 More platforms abused in Phishing Open Redirects
1.3 更多平台在网络钓鱼开放重定向中被滥用

Below are some examples of platforms abused in Open Redirects:
以下是开放重定向中滥用平台的一些示例：

• Microsoft.com: Phishers have also abused an open redirect weakness in a phishing campaign that used a Microsoft domain. Such tactics are particularly effective and dangerous due to Microsoft’s reputation as a widely recognized and trusted brand. This makes the impersonations more convincing and challenging for users to discern.
  Microsoft.com：网络钓鱼者还滥用了使用Microsoft域的网络钓鱼活动中的开放重定向弱点。由于Microsoft作为广泛认可和信任的品牌的声誉，这种策略特别有效和危险。这使得模拟对用户来说更具说服力和挑战性。

• Government Domains: We also observed open redirect attacks exploiting official government domains, such as the following URL owned by Government Auckland Council:
  政府域名：我们还观察到利用官方政府域名的公开重定向攻击，例如奥克兰政府委员会拥有的以下网址：

• VK.com: In this sample, VK or VKontakte – a Russian social media and social networking platform.
  VK.com：在此示例中，VK 或 VKontakte – 俄罗斯社交媒体和社交网络平台。

• IndiaTimes.com: IndiaTimes is a news platform popular in India.
  IndiaTimes.com：IndiaTimes是一个在印度很受欢迎的新闻平台。

• Medium.com: Medium is a popular content publishing platform.
  Medium.com：Medium 是一个流行的内容发布平台。

• Wattpad.com: Wattpad is also a publishing and storytelling platform.
  Wattpad.com：Wattpad也是一个出版和讲故事的平台。

• App.link: App.link is a domain operated by Branch, a company specializing in deep linking for mobile applications. Our team observed multiple app.link URLs being exploited in open redirects. Below is a specific phishing URL example from app.link, it shows a deep link subdomain for Strava which is a social-fitness platform for athletes.
  App.link：App.link 是由 Branch 运营的域名，Branch 是一家专门从事移动应用程序深度链接的公司。我们的团队观察到多个 app.link URL 在开放重定向中被利用。下面是来自 app.link 的特定网络钓鱼 URL 示例，它显示了 Strava 的深度链接子域，Strava 是一个面向运动员的社交健身平台。

• Sentieo.com:  In a recent phishing attack, the financial intelligence platform Sentieo.com was abused by exploiting both open redirection and a base href vulnerabilities in their website. This sophisticated tactic exploits the HTML <base> tag, which normally sets a base URL for all document links. Attackers split the phishing link into two parts: the Base href tag containing the hostname, and the Regular href tag (<a href=”…”>) with the host’s path. This method effectively misdirects users to malicious sites while evading detection.
  Sentieo.com：在最近的一次网络钓鱼攻击中，金融情报平台 Sentieo.com 通过利用其网站中的开放重定向和基本 href 漏洞而被滥用。这种复杂的策略利用了 HTML 标记，该标记通常为所有文档链接设置一个基本 URL。攻击者将网络钓鱼链接分为两部分：包含主机名的 Base href 标记和包含主机路径的常规 href 标记 （）。这种方法有效地将用户误导到恶意站点，同时逃避检测。

1.1 Marketing and Tracking Platforms
1.1 营销和跟踪平台

Marketing and tracking platforms including Email Marketing service and Digital marketing providers, are also being leveraged for open redirect attacks since these platforms often use redirects to track clicks and engagement. Here are a few URLs we’ve seen in recent phishing attacks
营销和跟踪平台，包括电子邮件营销服务和数字营销提供商，也被用于公开重定向攻击，因为这些平台经常使用重定向来跟踪点击和参与。以下是我们在最近的网络钓鱼攻击中看到的一些 URL

• Mailjet – Mjt.lu 邮机 – Mjt.lu

• emBlue – Embluemail.com

• DoubleClick – Doubleclick.net (owned by Google)
  DoubleClick – Doubleclick.net（由 Google 拥有）

• Krux – Krxd.net (owned by Salesforce)
  Krux – Krxd.net（由 Salesforce 拥有）

• Adnxs.com

1.4 Open redirect exploits for Malware Delivery:
1.4 恶意软件交付的开放重定向漏洞：

Threat actors also abuse legitimate platforms to redirect users to download malware.
威胁行为者还滥用合法平台来重定向用户下载恶意软件。

In the example below,an invoice themed email campaign uses a pdf attachment as a lure. Recipients are prompted to click on the PDF, ostensibly to download an invoice. However, instead of getting an invoice, this action leads to the download and execution of JScript files, which in turn will download and execute the WikiLoader malware.
在下面的示例中，以发票为主题的电子邮件活动使用 pdf 附件作为诱饵。系统会提示收件人单击 PDF，表面上是为了下载发票。但是，此操作不会获得发票，而是导致下载和执行JScript文件，而JScript文件又将下载并执行WikiLoader恶意软件。

2. Google Platforms Abused in Phishing Redirection
2. Google 平台在网络钓鱼重定向中被滥用
Threat actors are abusing google domains and embeds them in phishing campaigns to evade detections as they leverage the trust commonly associated with Google services.
威胁行为者正在滥用 Google 域并将其嵌入网络钓鱼活动中以逃避检测，因为他们利用了通常与 Google 服务相关的信任。

• Google Web Light Google Web Light（谷歌网络灯）
  

Google Web Light is a service provided by Google that is aimed to provide faster browsing on slow internet connections.
Google Web Light 是 Google 提供的一项服务，旨在在较慢的互联网连接上提供更快的浏览速度。

Here is an example of how it is being abused to redirect to a phishing site hosted in Cloudflare’s IPFS.
下面是一个示例，说明如何被滥用重定向到 Cloudflare 的 IPFS 中托管的网络钓鱼站点。

• Google Notifications Google 通知
  
  The domain ‘notifications.google.com’ is a legitimate site owned by Google. It is used to manage and deliver notifications across various Google Services.
  域名“notifications.google.com”是 Google 拥有的合法网站。它用于在各种 Google 服务中管理和传递通知。
  
  Since Q4 2023, Spiderlabs observed scammers have been exploiting this domain and are sending phishing email campaigns targeting Meta brands including Instagram and Facebook. Detailed insights into one such campaign have been documented on our Spiderlabs blog.
  自 2023 年第四季度以来，Spiderlabs 观察到诈骗者一直在利用该域名，并发送针对 Instagram 和 Facebook 等 Meta 品牌的网络钓鱼电子邮件活动。我们的 Spiderlabs 博客上记录了对此类活动的详细见解。

• Google Accelerated Mobile Pages
  Google Accelerated 移动页面
  
  Google AMP which stands for Accelerated Mobile Pages is an open-source web component framework used for making webpages load faster on mobile devices.
  Google AMP 代表 Accelerated Mobile Pages，是一个开源 Web 组件框架，用于使网页在移动设备上的加载速度更快。
  
  AMP URLs are now being abused as phishing redirectors like in the figure below. When a user clicks on the link, they will be redirected to the phishing page hosted on repl.co, a webserver hosting service owned by Replit.
  AMP 网址现在被滥用为网络钓鱼重定向器，如下图所示。当用户单击该链接时，他们将被重定向到 repl.co 上托管的网络钓鱼页面，这是 Replit 拥有的 Web 服务器托管服务。

3. Search Engine Services as Phishing Redirection Tools
3. 搜索引擎服务作为网络钓鱼重定向工具

Threat actors are also exploiting search engine platforms as tools to facilitate phishing redirection attacks. Recently, search engines such as Bing and Baidu have been particularly targeted for such abuse.
威胁行为者还利用搜索引擎平台作为促进网络钓鱼重定向攻击的工具。最近，必应（Bing）和百度（Baidu）等搜索引擎尤其成为此类滥用行为的目标。

• Bing Tracking Link Redirections
  必应跟踪链接重定向
  
  Microsoft’s Bing search engine is frequently targeted in phishing attacks through its click tracking URL, ‘www.bing.com/ck/a?!p=…‘. This tracking URL is embedded in malicious email campaigns, utilizing a ‘u=’ parameter that contains a base64 encoded URL string directing to a deceptive destination page.
  Microsoft 的 Bing 搜索引擎经常通过其点击跟踪 URL“www.bing.com/ck/a?!p=…”成为网络钓鱼攻击的目标。此跟踪 URL 嵌入在恶意电子邮件活动中，利用“u=”参数，该参数包含指向欺骗性目标页面的 base64 编码 URL 字符串。

The example below illustrates a phishing redirection chain leveraging Bing that leads users to the phishing landing page hosted on the webhosting platform ‘Glitch.me’.
下面的示例说明了利用 Bing 的网络钓鱼重定向链，该链将用户引导至托管在网络托管平台“Glitch.me”上的网络钓鱼登录页面。

• Baidu Tracking link Redirections
  百度跟踪链接重定向

Alongside Bing, we also observed similar instances of search engine tracking link abuse in phishing redirections involving Baidu which is a popular search engine platform in China. Below image shows another multiple redirection chain leading to a fake login page hosted in IPFS.
除了必应之外，我们还观察到类似的搜索引擎跟踪链接滥用网络钓鱼重定向的案例，涉及百度，百度是中国流行的搜索引擎平台。下图显示了另一个多重定向链，该链指向IPFS中托管的虚假登录页面。

4. LinkedIn Smart Link 4. LinkedIn 智能链接

Linkedin Smart links is a service that enables engagement and performance tracking of content through a single trackable link. This link can be shared across various channels like emails, messages and chats. However, this legitimate URL feature is now being abused by attackers in phishing attempts as redirectors. Below is an example of a malicious URL that exploits LinkedIn’s Smart Link service, leading users to a credential harvesting page.
LinkedIn Smart 链接是一项服务，可通过单个可跟踪链接对内容进行参与和性能跟踪。此链接可以在电子邮件、消息和聊天等各种渠道之间共享。但是，此合法 URL 功能现在正被攻击者滥用，作为重定向器进行网络钓鱼尝试。下面是一个恶意 URL 示例，该 URL 利用 LinkedIn 的 Smart Link 服务，将用户引导至凭据收集页面。

Conclusion 结论

In summary, the phishing email attack tactics discussed in this blog are just the tip of the iceberg. Threat actors will continue to evolve their methods, leveraging sophisticated tactics like open redirection and exploitation of trusted platforms for malicious redirection. Their primary goal is to evade detection mechanisms and exploit user trust by taking advantage of the trusted platform’s reputation and employing anti-phishing analysis tactics like intricate redirection chains. This underscores the need for continuous vigilance against cyberthreats, as they persistently evolve and present new challenges.
总之，本博客中讨论的网络钓鱼电子邮件攻击策略只是冰山一角。威胁行为者将继续发展他们的方法，利用复杂的策略，如开放重定向和利用受信任的平台进行恶意重定向。他们的主要目标是通过利用受信任平台的声誉并采用反网络钓鱼分析策略（如复杂的重定向链）来逃避检测机制并利用用户信任。这凸显了对网络威胁的持续警惕的必要性，因为网络威胁不断演变并带来新的挑战。

原文始发于Kevin Adriano：Trusted Domain, Hidden Danger: Deceptive URL Redirections in Email Phishing Attacks