Imagine receiving a promotional email from a business you trust, sending you a “one-time-only” offer for being a customer. Because the offer sounds too good to be true, you suspect something might be “phishy,” which is why you hover your cursor over the link to check its legitimacy. Everything looks okay, so you click on the link. But what if the link points to the trusted website and then redirects you to a malicious webpage or application controlled by scammers? That’s precisely what open redirect vulnerabilities can do.
How Do These Open Redirects Work?
Internet browsers, websites, and applications have in-built functionality that allows redirecting a user from one URL to another. This can be particularly helpful in several use cases. For example, redirects are used when a shopping cart checkout page redirects buyers to a third-party payment provider.
How Can Redirects Be Exploited?
Phishing is all about winning the trust of victims and making scams believable. URL redirection is an additional layer of sophistication that boosts the credibility of a fake website or login page. Suppose the sender’s email account is spoofed. In that case, even security-savvy users can be fooled into thinking they’re clicking on a legitimate email from a legitimate source—unless they scrutinize the URL.
Redirects can be hard to spot if the victim uses a mobile phone. This is because mobile devices will only show the domain of the visited site but not display other parameters, including redirections. In its simplest form, a malicious redirect will look something like this.
Per recent INKY research results, threat actors sent nearly 7,000 phishing emails that exploited open redirect vulnerabilities in American Express and Snapchat websites from May 2022 through July 2022. Open redirects can also be chained with OAuth flaws. OAuth is the popular, de facto standard for authentication when users want to log in or create a new account using their Facebook, Twitter, LinkedIn, Google, or GitHub account credentials. Researchers discovered that by modifying OAuth parameters in valid authorization flows, attackers could trigger a redirect of the victim to an attacker-supplied site or to the redirect URLs of a registered malicious OAuth app. In consent phishing attacks, open redirects can be exploited for account takeovers.
How Organizations Can Mitigate Risks Related To Open Redirects
Although there isn’t any foolproof mechanism to prevent open redirect attacks from happening, there are a few things organizations can do to reduce the probability of an attack.
- Teach users to recognize redirects. At its core, an open redirect is a phishing attack that leverages weaknesses in everyday behaviors (e.g., judgment errors, trust, biases, and carelessness). Organizations must therefore conduct security awareness training and real-world simulation exercises regularly to teach employees to recognize social engineering red flags. For example, train users to examine URLs in detail before they click on emails or enter their credentials. According to INKY’s vice president of security strategy, Roger Kay, they should watch for strings such as url=, redirect=, external-link, and proxy, as well as check to see if there are multiple instances of “HTTP” in the URL. All these may be associated with a redirect. If the browser or the webpage notifies the user that the URL redirects them, they should take caution before proceeding to the site.
- Implement robust security controls. Sophisticated and targeted attacks might evade the most sophisticated security controls. That said, some AI email security tools can probably recognize sophisticated phishing emails and filter them out. Remember to patch your software regularly to prevent hackers from exploiting legacy vulnerabilities. Deploy phishing-resistant multifactor authentication, which can act as a secondary layer of defense in case credentials are stolen. Use a web application firewall to act as the first line of defense against open redirect attacks.
- Avoid implementing redirects in your architecture. If you own a website, Kay suggests that you disallow URL redirects. Refrain from allowing URLs as an input value in your website. Use third-party experts to test your web application code and API to find any open redirect vulnerabilities. Present users with an external redirection notification that requires them to click before redirecting them to external sites. Although redirects may not directly result in a cyberattack against your organization, they can certainly cause a loss in customer trust and the business’s reputation.
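As an added illustration that is not part of the Forbes article, the following Python shows the difference the last two points describe: a handler that blindly honours a `url=` parameter (the open redirect) next to a hardened check that only accepts same-site targets. The host name `shop.example` and the `/account` fallback are constructed placeholders.

```python
# Added example (not from the article): an open redirect beside a hardened
# redirect-target check. Host names below are constructed placeholders.
from urllib.parse import urlsplit

TRUSTED_HOST = "shop.example"   # placeholder for "your own site"
DEFAULT_TARGET = "/account"     # safe landing page used when input is rejected


def open_redirect_target(url_param: str) -> str:
    """Vulnerable: whatever the sender puts in ?url= becomes the Location header."""
    return url_param


def safe_redirect_target(url_param: str, allowed_host: str = TRUSTED_HOST) -> str:
    """Hardened: return url_param only if it stays on allowed_host, else DEFAULT_TARGET.

    Rejects absolute URLs to other hosts, protocol-relative '//host' forms,
    backslash and tab/newline variants browsers normalise, and non-http(s) schemes.
    """
    if not url_param:
        return DEFAULT_TARGET
    # Browsers drop tabs/newlines inside a URL and treat '\' like '/'; do the same
    # before parsing so the check sees what the browser will see.
    candidate = "".join(ch for ch in url_param if ch not in "\t\r\n")
    candidate = candidate.strip().replace("\\", "/")
    parsed = urlsplit(candidate)
    if parsed.scheme:
        # Absolute URL: allow only http(s) to our own host. .hostname strips the
        # userinfo and port, so 'https://shop.example@evil.example/' is rejected.
        if parsed.scheme.lower() in ("http", "https") and parsed.hostname == allowed_host:
            return candidate
        return DEFAULT_TARGET
    # No scheme: accept only a site-relative path. '//host' and '///host' are
    # protocol-relative in browsers, so require exactly one leading slash.
    if candidate.startswith("/") and not candidate.startswith("//"):
        return candidate
    return DEFAULT_TARGET


if __name__ == "__main__":
    # Constructed sample of the "simplest form" of a malicious redirect link.
    param = "https://evil.example/login"
    print("open  :", open_redirect_target(param))   # leaves the trusted site
    print("safe  :", safe_redirect_target(param))   # falls back to /account
```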
Studies show that users rather than technology pose the most significant cybersecurity risk. Cybercriminals exploit human behavior to bypass these controls no matter how mature security technology becomes. Therefore, organizations must emphasize security awareness and promote secure behavior and culture. If employees take cybersecurity seriously, it will go a long way toward making the organization resilient to all kinds of social engineering scams.
Source: www.forbes.com