Redirecting users from trusted domains to a malicious site, which is known as a URL redirection attack, has become a potential attack vector in the past months. Amidst the ongoing pandemic, malicious actors are piggybacking on legitimate domains to lure online users and push malicious intents.
In some cases, many website owners don’t know their websites are infected with malicious redirects until they start getting calls from wary customers.
A recap of recent attacks
- In a large malvertising campaign dubbed ‘malsmoke’ tracked throughout 2020, adversaries tricked adult website visitors to malicious websites that served Zloader banking malware.
- During October, researchers from Sucuri Labs uncovered variations of Mauthtoken malware on various compromised sites. The distinguished part of the malware was the _mauthtoken cookie that prevented redirected mobile users from returning back.
- The attack technique was, moreover, a part of an Emotet campaign observed in late October. For this, malicious redirection websites used typosquatting and impersonation to send visitors to unwanted landing pages associated with brand names such as Comcast and McAfee.
- An elaborate set of malicious URLs was used in a massive tech-support scam that ultimately redirected victims to a browser lock page. The links were propagated via Facebook in the form of a shortened URL.
The larger picture
- Cybercriminals use URL redirection attacks to take advantage of users’ trust. They do this by redirecting traffic to a malicious page using URLs embedded in website code, a .htaccess file, or a phishing email.
- Even worse, similar to any hack, malicious redirects can have their effect on search engines. Any infected site visible on search results will eventually get backlisted, bringing both damage to reputation and cutting off nearly all its traffic from organic searches.
The bottom line
Given the potential consequences of malicious redirects, it is crucial to carefully evaluate third-party components before installing them and implementing necessary measures. These include using a web application firewall, deploying an automated website scanner, and keeping software up-to-date.