Open redirects offer a no-cost, low-technical-requirement way to complete the impersonation of a well-known legitimate company right down to its URL, which makes impersonation phishing attacks harder to spot.
Open redirects help attackers disguise the URL of a malicious site behind a seemingly legitimate one. They are part of a common technique used by malicious actors: impersonating well-known brands in a phishing attack. Brand-name companies have put tremendous resources behind gaining the trust of customers, and hijacking that trust can open the door to very lucrative opportunities for malicious actors.
To weaponize the trust built around legitimate brands, malicious actors use a plethora of different tricks. To name a few:
Buying domains closely reminiscent of legitimate services has its downside, though: they are often quickly spotted and taken down. Buying domains is also something many malicious actors stay away from because of the cost and work involved; they would rather stick to compromised sites or free hosting services.
Open redirects offer a no-cost solution with low technical requirements. They have been used for a long time, but as has recently been widely reported in the news, they have also risen in popularity with threat actors. An open redirect is simply a feature some sites employ to allow redirection to other domains. An open redirect might, for example, look like the following: "https://hoxhunt.com/eg?url=https://hoaxhunt.com". If this were an open redirect, the user would see the legitimate Hoxhunt domain, but on clicking the link they would be redirected to hoaxhunt.com.
Spotting these can be tricky for the average user, whose first step in determining whether a link is safe is to hover over it and inspect the URL. But the URL might be very long, and attackers engineer theirs to be filled with confusing symbols to mask the malicious site hiding at the end. Carefully analyzing the whole URL, with an understanding of what a redirect looks like, can however save one from a great deal of trouble.
Some keywords to look out for, in addition to an out-of-place domain at the end of the URL, are:
One should make a habit of checking the URL field of the browser when arriving at a site via a link.
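As an added example (not code from the original post or from Hoxhunt), the following Python shows both sides of the problem described above: a checker that flags a link whose query string carries a second URL pointing at a different host, as in the hoxhunt.com/hoaxhunt.com example, and the server-side check that closes an open redirect by only honouring same-site destinations. The function names and the sample URLs are assumptions; only the Python standard library is used.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

def _host(netloc: str) -> str:
    """Host part of a netloc: drop any user@ prefix and :port, lower-case."""
    return netloc.rsplit("@", 1)[-1].split(":", 1)[0].lower()

def embedded_redirects(url: str) -> list:
    """Flag query parameters whose value is itself a URL on another host.
    Returns a list of (parameter_name, target_host) pairs; an empty list
    means the link carries no visible redirect to a foreign domain."""
    outer = urlsplit(url)
    visible = _host(outer.netloc)
    findings = []
    for name, value in parse_qsl(outer.query, keep_blank_values=True):
        # parse_qsl percent-decodes once; unquote again so a double-encoded
        # target (https%253A%252F%252F...) is still recognised.
        inner = urlsplit(unquote(value))
        # Absolute http(s) URLs and protocol-relative "//host" values both
        # make a browser leave the visible domain.
        if inner.netloc and inner.scheme in ("", "http", "https"):
            target = _host(inner.netloc)
            if target != visible:
                findings.append((name, target))
    return findings

def safe_redirect_target(requested: str, own_host: str, fallback: str = "/") -> str:
    """Server-side mitigation (hypothetical helper for a redirect endpoint):
    only honour a relative path or an absolute URL on our own host; anything
    else falls back to a fixed page instead of acting as an open redirect."""
    # Browsers turn backslashes into slashes, so "/\evil.com" would become
    # protocol-relative; reject such inputs outright, along with line breaks.
    if "\\" in requested or "\n" in requested or "\r" in requested:
        return fallback
    parts = urlsplit(requested)
    if not parts.scheme and not parts.netloc and requested.startswith("/"):
        return requested  # plain relative path such as "/account"
    if parts.scheme in ("http", "https") and _host(parts.netloc) == own_host.lower():
        return requested  # absolute URL, but on our own host
    return fallback
```

Run against the article's example link, `embedded_redirects` reports the `url` parameter pointing at hoaxhunt.com, while `safe_redirect_target` sends the same destination to the fallback page.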
Our Threat Analysis Team examines tens of thousands of reported phishing emails a week, including ones like these, and has captured tens of millions of threats to date. Working together with our powerful machine learning model, they cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Read more to learn how to equip your employees with the awareness training that will protect your company from phishing scams.