Hashemian Blog

Huh? What?

Sunday, May 13, 2007

Redirect Hacks and Phishing 

A few days ago in a blog entry I touched upon how search engine gamers had been able to use trusted domains and the 302 redirect trick to fool search engines into giving them higher rankings. That window of opportunity is all but closed now, but scammers still use the redirect hack to aid them in their phishing expeditions. They are able to foist their tricks on their unsuspecting victims using two main avenues consisting of spam emails and spam posts.

Suppose you receive an email with the following embedded URL:

  • http://www.ygdte682hdfajh1a.com/offer.htm?url=http://example.com

Would you click on this link? Most likely not, and nor would many others. You just can't tell who that weird URL belongs to, so you would skip over it. Now consider the following URLs:

  • http://froogle.google.com/%66%72%6F%6F%67%6C%65%5F%75%72%6C?%71=%68%74%74%70%3A%2F%2F%31%39%32%2E%30%2E%33%34%2E%31%36%36
  • http://www.aol.com/%72%65%64%69%72%2E%61%64%70?%5F%75%72%6C=%68%74%74%70%3A%2F%2F%31%39%32%2E%30%2E%33%34%2E%31%36%36
  • http://cgi1.ebay.com/aw-cgi/ebayISAPI.dll?RedirectEnter&loc=http://us.ebayobjects.com/2c;47586106;12593038;l?%68%74%74%70%3A%2F%2F%31%39%32%2E%30%2E%33%34%2E%31%36%36

Notice how the URLs indicate domains from Google, AOL, and eBay. Some people may still be skeptical about clicking, but others may not be so paranoid. After all, those domains come from highly trusted sources. The URLs carry some encoded data that looks like encryption, but we are all accustomed to seeing long URLs on various sites and might attribute that to strong security.

This is no trick. Those pages are indeed legitimate pages from well-known sites, but they are specially crafted pages that redirect users to other destinations. They were most likely designed to be used by their respective sites themselves and for other legitimate uses from the outside. In this case, though, they were hijacked to gain users' confidence, prompting them to dutifully click on them. For these samples, users are safely redirected to example.com, but they could have been redirected to a wicked phishing site instead.

Phishers also post the same types of links on various online boards, article sites, or other user submission areas, and they gain users' trust just the same. Why aren't these links automatically filtered by email servers or web sites? For the same reason average users see no threat in them. Filters might block or distort links they do not recognize, but many give these links a free pass, convinced that they are from highly trusted sites and are therefore innocuous.

Some well-known sites have started to take defensive measures to foil these types of redirect tricks, but abuse-ready redirect pages still abound. So the next time you come across these types of links in a spam email or on a site, think twice before clicking on them. They may just be the bait-and-switch kind.
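As an added illustration (not code from the original post), here is a small Python link scanner that percent-decodes query values and flags any that carry an absolute URL to a host other than the link's own, run over two of the redirect links above, followed by the kind of check a redirect endpoint can apply so that it only forwards to its own site. The host names in the usage and the `safe_redirect_target` helper are assumptions made for this example.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed samples: the first two are the Google and AOL links from the post
# (both decode to http://192.0.34.166); the third is an ordinary search link.
SAMPLES = [
    "http://froogle.google.com/%66%72%6F%6F%67%6C%65%5F%75%72%6C?%71=%68%74%74%70%3A%2F%2F%31%39%32%2E%30%2E%33%34%2E%31%36%36",
    "http://www.aol.com/%72%65%64%69%72%2E%61%64%70?%5F%75%72%6C=%68%74%74%70%3A%2F%2F%31%39%32%2E%30%2E%33%34%2E%31%36%36",
    "http://www.example.org/search?q=shoes",
]


def external_redirect_targets(link):
    """Return (parameter, destination_host) pairs for every query value that,
    once percent-decoded, is an absolute http(s) URL pointing off the link's
    own host. Decoding is repeated so multiply-encoded values are caught too."""
    parts = urlsplit(link)
    findings = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = value                      # parse_qsl already decoded one layer
        for _ in range(3):                   # unwind up to three more layers
            nxt = unquote(decoded)
            if nxt == decoded:
                break
            decoded = nxt
        dest = urlsplit(decoded)
        if dest.scheme in ("http", "https") and dest.hostname \
                and dest.hostname != parts.hostname:
            findings.append((key, dest.hostname))
    return findings


def safe_redirect_target(requested, own_host, default="/"):
    """Server-side guard for a redirect endpoint (assumed helper): accept only a
    site-relative path or an absolute URL whose host is exactly own_host;
    anything else (other hosts, scheme-relative //host, backslash tricks)
    falls back to the default landing page."""
    decoded = unquote(requested)
    if "\\" in decoded:                      # browsers treat \ like / in paths
        return default
    dest = urlsplit(decoded)
    if not dest.scheme and not dest.netloc and decoded.startswith("/") \
            and not decoded.startswith("//"):
        return decoded
    if dest.scheme in ("http", "https") and dest.hostname == own_host:
        return decoded
    return default


if __name__ == "__main__":
    for link in SAMPLES:
        print(link[:40], "->", external_redirect_targets(link) or "no external redirect")
```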


1 Comments:

By Gianni Amato, at 19/6/07 6:03 AM

Cross-Site Request Forgery example for Yahoo! ads:
From Yahoo to Google

© 2001-2010 Robert Vahid Hashemian