URL Redirection Attacks: What is it and how to stay protected?

• Attackers use social engineering techniques such as phishing emails to redirects victims from trusted domain to a malicious site, which is known as an URL redirection attack.
• Such techniques are a common practice and a widely used method for attackers to trick victims.

URL redirection attacks redirect victims from the current page to a new URL which is usually a phishing page that impersonates a legitimate site and steals credentials from the victims. Such techniques are a common practice and a widely used method for attackers to trick victims.

Attackers use social engineering techniques such as phishing emails to redirects victims from trusted domain to a malicious site, which is known as URL redirection attack.

How does this work?

• Attackers send phishing emails that include malicious links to targets.
• Upon clicking on the link, victims are redirected to a phishing site where users are prompted to enter their login credentials.
• Once users enter their credentials and log in, attackers take control of the user account and perform various nefarious activities.
• In some instances, the malicious links might redirect users to a malicious site which infects victims’ systems with malware.
• Users are either a victim of a data breach or a malware attack.

Examples of URL redirection

Example 1 - NoRelationship phishing attack

Researchers from Avanan detected a new phishing attack dubbed ‘NoRelationship’ that bypasses Microsoft’s Exchange Online Protection (EOP) URL filters which scans Microsoft Office documents such as Word (.docx), Excel (.xlsx), and PowerPoint (.pptx).

• The phishing emails included a .docx attachment containing a malicious link.
• Upon opening the malicious attachment, users will be redirected to a credential harvesting login page.
• The attackers behind the ‘NoRelationship’ phishing campaign deleted external links from a relationship (xml.rels) file which is a legitimate file that lists all links included in an attachment.
• Deleting external links lead to Microsoft’s Exchange Online Protection filters not detecting the malicious URL.

Link parsers do not scan the full document instead rely on a relationship (xml.rels) file. Since attackers removed the external links from the relationship (xml.rels), link parses which relies on relationship (xml.rels) file failed to detect the malicious URL.

Example 2 - ‘Beyond the Grave’ phishing campaign

A new phishing campaign dubbed ‘Beyond the Grave’ targeted hedge funds and financial institutions.

• The phishing emails purported to be from a financial research company named Aksia were sent to targeted financial companies.
• The email body contained research details related to ESMA suspending short-selling during Brexit and included a link to the research.
• Upon clicking the link, it opens a blank page.

However, the companies that have been infected by the ‘Beyond the Grave’ virus includes Elliot Advisors, Capital Fund Management, AQR, Citadel, Baupost Group, and Marshall Wace.

How to stay protected?

• Users must exercise caution while opening any email attachments that are from anonymous senders.
• It is recommended to always check the legitimacy of an URL before clicking it.
• Users can easily detect suspicious URLs by simply hovering the link.