Study: Site Redirects Abundant, Aid Phishers
An examination of nearly 2.5 million Web pages at some of the Internet's most popular and trusted sites turned up at least 128,000 links that could be manipulated by fraudsters and virus writers to make online scams more believable, a study released this month found.
Scammers and phishers are taking advantage of coding commonly used in "redirects" to divert traffic from reputable Web sites to sites that could harbor malicious software or phishing schemes.
Redirects aren't all bad. In essence, they are Web links that are used to forward traffic from one site to another. They can be useful when Web site owners want to move content around and don't want old links leading to dead pages. Redirects can help selectively re-route traffic: For instance, www.example.com may want to forward any requests for a specific Web page to a third-party site. In addition, well-known companies use redirects to forward traffic from site names they own that include common misspellings of their brand name.
But redirects can be abused when Web sites that employ them leave them "open," or permit them to forward traffic to any site on the Internet. Phishers and virus writers constantly seek out these kinds of security vulnerabilities in trusted Web sites, because the bad guys know people are more likely to click on a link if they believe it will take them to a site they know and trust.
Understanding how redirects can be abused is often easier shown than explained. For example, I altered this link -- found at About.com and originally used to help site visitors locate content that had moved to another portion of About.com -- so that it instead brings you right back here to Security Fix. As does this redirect at Web ad giant ATDMT, this page at MacDailyNews, and this link from the National Sex Offender registry.
(By hovering over a link -- or by right-clicking on one of these links, selecting "Copy Shortcut," and pasting the URL into another Web browser -- you can see how it was formatted to take you from one Web site to where I wanted it to go.)
Researchers at Indiana University sought to find out just how many open redirects are now out there by building a computer program that crawled tens of thousands of the most-visited sites, using sophisticated formulas to automatically discover when sites were running open redirects.
Indiana Ph.D. student Craig Shue said he and his fellow researchers were surprised by the number of high-profile Web sites with open redirects, particularly since they are not difficult to identify or fix.
"When someone else can manipulate your redirect and craft a link however they want, that can really hurt your brand. If you're eBay and you have an open redirect in your site, that makes it really easy for a phisher to incorporate the actual eBay site," in a link that ultimately forwards people to a counterfeit eBay page, Shue said.
In fact, the screen shot to the right of a Phishtank.com writeup shows a portion of a link leading to a live eBay phishing site that uses an open redirect on the auction giant's site. Interestingly, this phishing site has been live nearly six weeks now: Note the Jun. 5th submission date (I took that screenshot of the phishing site last night). Another recent Phishtank submission shows an open redirect on AOL.com.
Redirects are nothing new. Indeed, some of the Internet's biggest Web sites -- particularly Google -- used to host large numbers of open redirects. But as the Indiana study shows, open redirects remain very easy to find and exploit.
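Shue's remark that open redirects are not difficult to fix can be made concrete. The following is an added example, not code from the Indiana study or from any site named here: a destination check a redirect handler could run so that it forwards only to local paths or to an allowlist of hosts. The function name, the allowlist and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed for illustration: the only outside hosts this site agrees to forward to.
ALLOWED_HOSTS = {"www.example.com", "partner.example.net"}
FALLBACK = "/"  # where to send the visitor when the destination is rejected


def safe_redirect_target(dest, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return dest if it is a local path or an allowlisted http(s) host, else fallback."""
    # Whitespace, control characters and backslashes are read differently by
    # browsers than by urlsplit, so reject them outright.
    if not dest or "\\" in dest or any(ord(c) < 0x21 for c in dest):
        return fallback
    try:
        parts = urlsplit(dest)
        # hostname drops userinfo and port, so "trusted@other" is judged by "other"
        host = (parts.hostname or "").lower()
    except ValueError:
        return fallback
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only a single-slash absolute path.
        ok = dest.startswith("/") and not dest.startswith("//")
        return dest if ok else fallback
    if parts.scheme not in ("http", "https"):
        return fallback
    # Exact match only: a substring or suffix test would pass look-alike hosts.
    return dest if host in allowed_hosts else fallback


if __name__ == "__main__":
    # Constructed sample destinations, as they might arrive in a ?url= parameter.
    samples = [
        "/news/moved.html",
        "https://www.example.com/page",
        "https://other.example.org/login",
        "//other.example.org/login",
        "https://www.example.com@other.example.org/",
        "https://www.example.com.other.example.org/",
    ]
    for s in samples:
        print(f"{s!r:50} -> {safe_redirect_target(s)!r}")
```

An "open" redirect is the same handler with this check missing, so that whatever arrives in the parameter is forwarded as is.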
July 16, 2008; 4:35 PM ET
Categories: Fraud, From the Bunker, Latest Warnings, Safety Tips