Almost since the beginning of phishing, attackers have created simple webpages that redirect users to another URL that contains the actual phishing form. They do this for several reasons. If their phishing site is shut down, they can simply change the destination of the redirect to point to another phishing site. This means that everyone who receives an email with the redirector link and clicks on it will still end up at a phishing site. URL blocking software may only be blocking URLs that contain a visible phishing page. Depending on the software used and how it collects its phishing data, it may be that only visible phishing URLs are blacklisted, allowing the redirecting URLs to slip through. When the visible phishing page is eventually blocked by web browser phishing filters, the attackers can change the redirect again and continue their scam.
PhishLabs has recently seen some advancements in how redirectors are being used in phishing. But first, let's look at how these redirectors are typically used. There are several ways that they can be implemented:
The PHP header() function will send the browser an arbitrary HTTP header response. The attackers use the Location: header to redirect users to the phishing site:
<?php header('Location: http://hacked.com/phish/page.html'); ?>
In addition to location.replace(), other functions and properties include window.location.replace(), window.location.href, document.location, document.location.replace(), and I'm sure there are other possibilities.
The deprecated but still widely supported <meta> tag with the http-equiv="refresh" parameter still works and is often used as well.
<meta http-equiv="refresh" content="0;url=http://phishsite.com/" />
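Because blocklists that record only the visible phishing page let the redirector slip through, a collector should record both ends of the hop. The following Python sketch is an added example, not code from PhishLabs or from the recovered samples. It inspects one fetched HTTP response for the three mechanisms described above (Location header, meta refresh, JavaScript location changes) and returns the redirector URL together with its destination. The function names and the sample hostnames are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# JavaScript forms from the article: location.replace("..."), location.href = "..."
JS_REDIRECT = re.compile(
    r"""(?:window\.|document\.)?location(?:\.href)?\s*
        (?:=|\.(?:replace|assign)\s*\()\s*["']([^"']+)["']""",
    re.IGNORECASE | re.VERBOSE)

class MetaRefresh(HTMLParser):
    """Records the url= target of the first <meta http-equiv="refresh">."""
    target = None
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", a.get("content", ""), re.I)
            if m and self.target is None:
                self.target = m.group(1).strip()

def find_redirect(url, status, headers, body):
    """Return (mechanism, destination) if the response redirects, else None."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and "location" in hdrs:  # what PHP header('Location:') emits
        return ("http-location", urljoin(url, hdrs["location"]))
    parser = MetaRefresh()
    parser.feed(body)
    if parser.target:
        return ("meta-refresh", urljoin(url, parser.target))
    m = JS_REDIRECT.search(body)
    if m:
        return ("javascript", urljoin(url, m.group(1)))
    return None

def blocklist_entries(url, status, headers, body):
    """List the redirector URL together with its destination, not only the latter."""
    hit = find_redirect(url, status, headers, body)
    return [url, hit[1]] if hit else []

# Constructed sample responses (hostnames are placeholders, not real indicators).
SAMPLES = [
    ("http://redir.example/a.php", 302, {"Location": "http://phish.example/page.html"}, ""),
    ("http://redir.example/b.html", 200, {},
     '<meta http-equiv="refresh" content="0;url=http://phish.example/" />'),
    ("http://redir.example/c.html", 200, {},
     '<script>window.location.replace("http://phish.example/login");</script>'),
    ("http://site.example/ok.html", 200, {}, "<p>nothing here</p>"),
]
```

The JavaScript check is a static pattern match, so obfuscated or dynamically built destinations need a rendering sandbox instead.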
Adobe Flash can also be used to redirect users to another URL. We have seen a few cases of this used with phishing attacks. It’s likely used less often because it requires a bit more work on the part of the attacker (but not much). Example Flash ActionScript:
Recently, PhishLabs has detected some advanced forms of using redirect functions via PHP programs. In sample programs we have recovered, attackers have expanded functionality to redirect users to one of several phishing sites and to check if those phishing sites are still available first. The following are relevant pieces of the code used:
First they set up an array of sites. In the examples discovered they also included the legitimate bank web site as a redirect destination of last resort:
$a = array(
    'http://hackedsite1.com/dir/bankname/index.php',
    'http://anotherhackedsite.com/dir/bankname/ssl.php',
    'http://www.bank.com/',
    'http://www.bank.com/'
);
Next the attackers use some code to test each of the URLs in order to find out if it is working by checking for a 2xx HTTP response code:
$g = 'HEAD '.
    (isset($p['path']) ? $p['path'] : '/').
    (isset($p['query']) ? '?'.$p['query'] : '').
    ' HTTP /1.0'."\r\n".
    'Host: '.$p['host']."\r\n".
    'Connection: Close'."\r\n\r\n";
fwrite($f, $g);
while (!feof($f)) $d .= @fgets($f, 1024);
fclose($f);
return (trim($d) == '' || count(explode('HTTP 1.1 4', $d, 2)) == 2 ... )
And finally they use the old PHP header() function to send an HTTP Location: header and redirect the user's browser:
header('Location: '.($r ? $l : $r));
Attackers continue to evolve their tactics and so too must we continue to evolve our defenses and countermeasures.