publishing date icon
December 3, 2021
read time icon
5 min. read

Open Redirects - Weaponizing Trust Built by Legitimate Companies

Open redirects offer a no-cost, low-technical-requirement solution to completing the impersonation of a well-known legitimate company down to its URL, which makes their impersonation phishing attacks harder to spot.

Author image
Jon Gellin
Threat Analyst
facebook iconLinkedin iconTwitter icon
Post hero image

Open redirects help attackers disguise a shady URL for a malicious site with a seemingly legitimate URL. Open redirects are part of a common technique used by malicious actors, which is impersonating well-known brands in a phishing attack. Brand-name companies have put tremendous resources behind gaining the trust of customers. Hijacking that trust can open the door to very lucrative opportunities for malicious actors.

A wolf in brand name URL clothing

To weaponize the trust built around legitimate brands, malicious actors use a plethora of different tricks. To name a few:

  1. Color theme and logos: Phishing messages often try to mimic legitimate services by using colors and logos associated with a particular brand.
  2. Sender impersonation by mimicking and spoofing: The sender field is an important part of a well-crafted phishing campaign. There are many tricks to be employed here. Perhaps the most common and least technical trick is adding an extra email address to the name of the sender, in an attempt to hide the real address used. A more technical approach is spoofing the domain to match the recipients’. And some more advanced and more targeted campaigns use so-called “flash attacks” where malicious actors buy a domain very reminiscent of the company domain they are targeting, and use the domain to send out the emails, and sometimes even to host the malicious content the recipients are directed to.
  3. Using legitimate links in addition to the malicious one to raise trustworthiness.
  4. Using faked or legitimate signatures used by the company impersonated.
  5. Masking links to show the domain of a trusted company while having the URL lead to somewhere else. Flash attacks can also be used here to increase the likelihood that the link is clicked, since even hovering on the link will show a domain closely reminiscent of the one used by the legitimate service.

Buying domains closely reminiscent of legitimate services has its downside though, as they often are quickly spotted and taken down. Buying domains is also something many malicious actors stay away from due to the costs and work involved; they’d rather stick to compromised sites or free hosting services.  

Why open redirects are a popular attack tactic

Open redirects offer a no-cost, low technical requirements solution. Open redirects have been used for a long time, but as has been recently widely reported in the news, they have also risen in popularity with threat actors. An open redirect is simply a functionality some sites employ to allow redirection to other domains. An open redirect might for example look like the following: “https://hoxhunt.com/eg?url=https://hoaxhunt.com”, if this was an open redirect the user would see the legitimate Hoxhunt domain, but when clicked they would be redirected to Hoaxhunt.com.

Spotting these might be tricky for the common user, whose first step in determining whether a link is safe or not is to hover over a link and analyze the URL. But the URL might be very long, and attackers engineer theirs to be filled with confusing symbols to mask a malicious site hiding in the end. Carefully analyzing the whole URL with an understanding of what a redirect looks like might, however, save one from a great deal of trouble.

Some keywords to look out for, in addition to an out of place domain in the end of the URL are:

One should make a habit of checking the URL field of the browser when arriving to a site via a link.

Hoxhunt response

Our Threat Analysis Team examines tens of thousands of reported phishing emails, including ones like these, a week–and have captured tens of millions of threats to date. Working together with our powerful machine learning model, they cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly-evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Read more to learn how to equip your employees with the awareness training that will protect your company from phishing scams.

Subscribe to our newsletter