Phishing operators took advantage of the issue to redirect victims to malicious websites.

4 Min Read
By Pakpoom Phummee via ShutterStock

Phishing attacks taking advantage of what are known as unvalidated redirects on Google Meet and Google DoubleClick platforms increased 85% between this year's first and second quarters, a new analysis of threat data shows.

Most of the attacks were primarily focused on luring users to sites for credential harvesting, payment fraud, and auto-downloads of malware, said security vendor GreatHorn in a report this week.

According to the Open Web Application Security Project (OWASP) an unvalidated — or open — redirect vulnerability exists when a Web application accepts untrusted input that could cause the Web application to redirect users to another URL. By modifying the URL for these sites — for instance, by adding a link to another destination to the end of the original URL — an attacker can easily redirect users to websites of their choice.

"By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials," OWASP notes. "Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance." 

GreatHorn says its threat intelligence team found attackers simply adding a "link redirect" instruction with a URL to a different destination to the end of Google's legitimate URL for Google Meet — for example:

They have included these redirect links in phishing emails, hoping recipients would be inclined to click on the URL because the server's name belongs to Google. Similarly, attackers have been adding an advertising URL to the end of the legitimate URL for Google's DoubleClick advertising platform to achieve the same result.

Because the Google platforms accept open redirects, they do not verify the target URL. So any user who clicked on the link thinking it was a Google domain would be redirected to the malicious one instead.

Websites that allow open redirects are trivial to leverage in phishing attacks, says Ray Wallace, co-founder and CTO of GreatHorn. 

"An attacker only needs to replace the target URL in a legitimate redirecting URL to their own attack site," he says. A couple of potential reasons why an organization might allow open redirects is for link-tracking purposes or because they want to make legitimate redirection services faster, he says.

GreatHorn says the issue with DoubleClick has existed at least since 2008, when Google acquired the advertising technology. Though previous malicious advertising campaigns have taken advantage of the open redirect on DoubleClick, the issue has not been addressed, according to the vendor.

Long-Known Issue
Google did not immediately respond to a request for comment on GreatHorn's report about attackers leveraging open redirects on its sites in phishing campaign. But as far back as 2009, the company in a blog post had described the issue as a problem for websites in general.

"Webmasters face a number of situations where it's helpful to redirect users to another page," Google said. But redirects that are left open to arbitrary destinations can be abused, the company warned. 

"This is a particularly onerous form of abuse because it takes advantage of your site's functionality rather than exploiting a simple bug or security flaw," Google said. Open redirects allow spammers to use a trusted organization's domain as a sort of temporary landing page to trick email users, Internet searchers, and search engines, it said.

The problem is exacerbated by the fact that most email security tools cannot detect such redirection in real time, GreatHorn said. Unless a specific full URL has already been identified and blacklisted, the links will pass through most email threat detection systems, the company said.

For email security tools to be effective, they need to be able to detect URLs embedded within another safe- looking URL and determine where those links ultimate lead, Wallace says. 

"Users can look really closely at the URL inside the URL, sort of like how they're used to doing a 'hover check' in their email, but uglier," he said.

Last October Acunetix provided a list of measures organizations can take to prevent open redirects. It's advice for developers included using a list of fixed destination pages for their sites, storing their URLs in a database table, and using identifiers rather than the URLs themselves as parameters. 

"For example, store in the database table with the identifier 42 and then use the following call to redirect to," the company said.

Organizations that cannot use a fixed list of pages should make sure to have control for filtering trusted input, the company noted.

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights