back to article Cybercrooks lurk in shadows of big-name websites

A small team of security researchers has documented how many high-profile websites are unwittingly helping phishing fraudsters. Phishing scams often use "open redirector" exploits on major sites to make their attack URL look more legitimate. The trick also makes it more likely that fraudulent emails that form the basis of …

COMMENTS

This topic is closed for new posts.
  1. Colin Millar

    Why do browsers still allow redirect?

    Given that there is absulutely no legitimate need for redirect. Support for redirect should be withdrawn (or at least turned off by default).

  2. Anonymous Coward
    Anonymous Coward

    Removing redirects eh ???

    Its not the browser doing the redirect its backend sites which are given capabilities to redirect such as example given with googlemaps...

    Besides stopping redirects would do nothing really to stop the evil they would simply find other means e.g. DNS poisoning

    Redirects are also done from all other levels from webserver config doing redirects on a given url to CNAME's applied in DNS hostnames...

    If redirects was to stop your ebay would break and would not redirect to paypal thus you would never complete the transaction easily.

  3. Stu
    Dead Vulture

    @Colin

    SIDE POINT - What is it with all the scaremongering today, this is kind of like the IT equivalent of the increased negative news reporting done on TV during christmas-time?!

    Eg - Family of four house burned down, all xmas pressies lost, little timmy in critical condition in hospital.

    Thanks El-Reg, we know we're going to die soon from Bio-terrorism, Meteors, Global Warming, Disease, nuclear attack, universe destruction (thanks CERN for the LHC), supermassive invisible black-holes, etc etc etc etcetcetc!

    Give it a rest ffs.

    @Colin

    Of course there are legitimate uses for (auto)redirects - pretty much the www relies on it! Otherwise web sites simply wouldn't be able to do all sorts of extremely useful things - all web shops require redirects to allow you to add items to your basket, checkout, pay for your goods etc.

    You can't even suggest that perhaps only off-site redirects are restricted, because a lot of places require e-commerce handling to be done somewhere else, eg WorldPay.

    In the Web 2.0 world though its possible that AJAX would allow you to do everything whilst remaining on site, indeed on one page, but it would still need to push and pull data from a remote location in ALL legitimate uses.

    AJAX in fact, if anything, would grant the phishers a more transparent and hidden way of pulling customer data.

    Point to note - If you go down the increased feature + usability + friendliness route, you always pay for it with increased risks of subversion.

  4. M. Burns Silver badge
    IT Angle

    Using Google Maps to redirect to Yahoo Maps

    Why this type of security flaw is allowed to function is beyond me...

    http://maps.google.com/local_url?q=http://maps.yahoo.com

  5. Colin Millar
    Boffin

    redirects

    Agree with the scaremongering comment - the web isn't as frightening as a lot of people like to make out.

    On-site redirects are not needed by shopping sites - relative path executes and transfers have been available for some time now - redirect within a site is simply lazy.

    And as for paying on a third party site - how about user click to go there? There's enough stages in these transactions that one more click at the pay now stage isn't going to be greatly noticeable.

    I know the browser doesn't do the redirect but it does know the difference between request and response.

  6. Kevin McMurtrie Silver badge
    Paris Hilton

    Silly

    Unless you're Paris, calling something like "http://maps.google.com/local_url?q=evilhostname" a major security hole is silly. Don't you look at the URL before typing in your username and password? Redirects hide nothing and they don't evade normal security measures.

    If you want to talk about Google helping criminals, head over to Usenet. Many once-popular discussion groups like rec.photo.digital have been crushed by non-stop spam flooding from Google Groups. It gets better. The spam often points to advertisements hosted on Google's own blogspot.com. Google gives anonymous Usenet access and hosting services to criminal networks that the rest of the world has firewalled. Got an abuse complaint for Google? They don't accept it. Complain about GMail spam and you get an automated response saying that GMail can't spam!

    This is called "bullet proof hosting" and it causes most networks to be disconnected.

  7. Tony cox

    Fraud!

    The number of attempts to steal money and identities from innocent people, is at an all time high. I am amazed at the lengths these criminals will go to try to rip you off! But, to these low-lying groups of cybercrooks, sometimes the rewards are worth the effort, and often, with little chance of getting caught.

    We have started posting the latest online frauds on Arrested.Com (non-commercial site). If you have something to contribute, or if you would like to view the most recent fraud postings, visit: http://www.arrested.com/1563688.html.

  8. Phil Endecott

    Gmail spam

    Kevin wrote:

    > Complain about GMail spam and you get an automated response

    > saying that GMail can't spam!

    I'm glad I'm not the only one to have noticed this. On their "support" site they tell you to look at the message-id and that unless it matches some pattern then the message hasn't come from their server. Unfortunately, the pattern is wrong, but attempts to tell them this just reach the same bot that replies "this is forged and not from us". Not good.

  9. John Bayly
    Pirate

    @Kevin McMurtrie

    Yes, http://maps.google.com/local_url?q=evilhostname is pretty obvious, but all that has to be done is to encode the querystring. For example, guess where this takes you: http://maps.google.com/local_url?q=%68%74%74%70%3A%2F%2F%77%77%77%2E%74%68%65%72%65%67%69%73%74%65%72%2E%63%6F%2E%75%6B

    To you and I this looks suspicious, but to the user who aimlessly clicks on links it wouldn't raise an eyebrow.

    Embarrassingly enough, this article has made me think about the website I've been working on, and I realise I've left an susceptible redirect.

  10. Franklin
    Dead Vulture

    Pfft. That ain't nothin'

    The latest trick is hacking Web sites, stuffing them with pages containing popular keywords, then redirecting to virus-infected servers...but only if the referring domain is "google.com". Anything else, and the hacked page redirects to a 404 error.

    Ran into this particular trick myself recently, as documented (with technical info) at

    http://tacit.livejournal.com/226180.html

This topic is closed for new posts.