Phishing attacks taking advantage of what are known as unvalidated redirects on Google Meet and Google DoubleClick platforms increased 85% between this year's first and second quarters, a new analysis of threat data shows.

Most of the attacks were primarily focused on luring users to sites for credential harvesting, payment fraud, and auto-downloads of malware, said security vendor GreatHorn in a report this week.

According to the Open Web Application Security Project (OWASP) an unvalidated — or open — redirect vulnerability exists when a Web application accepts untrusted input that could cause the Web application to redirect users to another URL. By modifying the URL for these sites — for instance, by adding a link to another destination to the end of the original URL — an attacker can easily redirect users to websites of their choice.

"By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials," OWASP notes. "Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance." 

GreatHorn says its threat intelligence team found attackers simply adding a "link redirect" instruction with a URL to a different destination to the end of Google's legitimate URL for Google Meet — for example:
meet.google.com/linkredirect?authuser=0&dest=some-malicious-site.com.

They have included these redirect links in phishing emails, hoping recipients would be inclined to click on the URL because the server's name belongs to Google. Similarly, attackers have been adding an advertising URL to the end of the legitimate URL for Google's DoubleClick advertising platform to achieve the same result.

Because the Google platforms accept open redirects, they do not verify the target URL. So any user who clicked on the link thinking it was a Google domain would be redirected to the malicious one instead.

Websites that allow open redirects are trivial to leverage in phishing attacks, says Ray Wallace, co-founder and CTO of GreatHorn. 

"An attacker only needs to replace the target URL in a legitimate redirecting URL to their own attack site," he says. A couple of potential reasons why an organization might allow open redirects is for link-tracking purposes or because they want to make legitimate redirection services faster, he says.

GreatHorn says the issue with DoubleClick has existed at least since 2008, when Google acquired the advertising technology. Though previous malicious advertising campaigns have taken advantage of the open redirect on DoubleClick, the issue has not been addressed, according to the vendor.

Long-Known Issue
Google did not immediately respond to a request for comment on GreatHorn's report about attackers leveraging open redirects on its sites in phishing campaign. But as far back as 2009, the company in a blog post had described the issue as a problem for websites in general.

"Webmasters face a number of situations where it's helpful to redirect users to another page," Google said. But redirects that are left open to arbitrary destinations can be abused, the company warned. 

"This is a particularly onerous form of abuse because it takes advantage of your site's functionality rather than exploiting a simple bug or security flaw," Google said. Open redirects allow spammers to use a trusted organization's domain as a sort of temporary landing page to trick email users, Internet searchers, and search engines, it said.

The problem is exacerbated by the fact that most email security tools cannot detect such redirection in real time, GreatHorn said. Unless a specific full URL has already been identified and blacklisted, the links will pass through most email threat detection systems, the company said.

For email security tools to be effective, they need to be able to detect URLs embedded within another safe- looking URL and determine where those links ultimate lead, Wallace says. 

"Users can look really closely at the URL inside the URL, sort of like how they're used to doing a 'hover check' in their email, but uglier," he said.

Last October Acunetix provided a list of measures organizations can take to prevent open redirects. It's advice for developers included using a list of fixed destination pages for their sites, storing their URLs in a database table, and using identifiers rather than the URLs themselves as parameters. 

"For example, store http://example2.com in the database table with the identifier 42 and then use the following call to redirect to example2.com: https://example.com/redirect.php?redir_id=42," the company said.

Organizations that cannot use a fixed list of pages should make sure to have control for filtering trusted input, the company noted.