How to Spot a Redirect
One of the best ways that scammers avoid being exposed by online safety tools, such as the Zulu URL Risk Analyzer, is to create a link that looks like it is sending you to a harmless website but, in fact, redirects you to a different website that is malicious. More often than not the redirect is inserted into code on a web page found on the harmless website. The scammers do this after hacking into a website or by taking advantage of some unpatched security flaw on the web server, or on the website itself. (This is one reason why it is SO IMPORTANT for webmasters to keep their website software up-to-date!)
Tools like the Zulu URL Risk Analyzer can expose any redirections on a webpage, but they may not always follow them to determine whether any of those redirections are malicious. Here’s an example in an email about tax preparation:
A mouse-over reveals that the link points to a long set of characters at the strange domain “swayrouted.com.” When we copy and paste the entire link into the Zulu URL Risk Analyzer, we are told that this website is harmless:
However, notice that the webpage contains three redirects. The first one is to a website at the domain “portfolio411.net.” Look what Zulu has to say about this webpage:
In fact, if we look further at the details of the Zulu score, we learn that the site delivers malware and has been blacklisted by services that monitor malicious content on the Internet:
Zulu has also informed us that this domain is registered in the United States. If we try a WHOIS lookup to find the owner of this domain, we find that the owner has purchased it through a proxy service and remains hidden from view. Only a court order will reveal that information:
Even though the Zulu URL Risk Analyzer told us the initial link was safe, it was not. That’s why it is so important to look carefully for redirects that may be hidden in the code of a webpage if you use Zulu or other safety tools.
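The redirect chain described above can be walked programmatically. The following Python script is an added example, not code from this article or from the Zulu URL Risk Analyzer. It assumes a `fetch(url)` function that returns a status code, headers and body, and it runs against a constructed offline “web” in which a page on swayrouted.com forwards through a meta refresh to portfolio411.net, which then bounces once more via a 302 Location header. The paths and the redirect mechanism are invented for illustration; the article does not say how the real redirect was coded. The walker records every hop, reports whether the visitor ends up on a different host than the one shown in the email, and stops on a loop or after a fixed number of hops, which is the “too many redirections” condition a scanner can report.

```python
import re
from urllib.parse import urljoin, urlsplit

# A scanner must cap the chain: a link can bounce through more hops than it is
# willing to follow ("too many redirections").
MAX_HOPS = 10

# Two common ways a redirect is hidden in the code of an otherwise harmless page.
# These patterns are a simplification for illustration; real pages are messier.
META_REFRESH_RE = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE,
)
JS_LOCATION_RE = re.compile(
    r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE,
)


def find_page_redirect(html, base_url):
    """Return the first redirect target written into the page code, or None."""
    for pattern in (META_REFRESH_RE, JS_LOCATION_RE):
        match = pattern.search(html)
        if match:
            # Relative targets are resolved against the page that contained them.
            return urljoin(base_url, match.group(1))
    return None


def follow_chain(start_url, fetch, max_hops=MAX_HOPS):
    """Walk HTTP 3xx Location headers and in-page redirects from start_url.

    fetch(url) must return (status_code, headers_dict, body_text).
    Returns (chain_of_urls, reason) where reason is 'landed', 'loop' or
    'too many redirections'.
    """
    chain = [start_url]
    seen = {start_url}
    url = start_url
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        headers = {k.lower(): v for k, v in headers.items()}
        if 300 <= status < 400 and "location" in headers:
            nxt = urljoin(url, headers["location"])
        else:
            nxt = find_page_redirect(body, url)
        if nxt is None:
            return chain, "landed"
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
        url = nxt
    return chain, "too many redirections"


def hop_hosts(chain):
    """Host of every hop, and whether the visitor ends up on a different host."""
    hosts = [(urlsplit(u).hostname or "").lower() for u in chain]
    return hosts, hosts[0] != hosts[-1]


# Constructed offline "web" standing in for live fetches. The swayrouted.com page
# carries a meta refresh to portfolio411.net, which then bounces once more via a
# 302. Paths and mechanism are invented for this example.
FAKE_WEB = {
    "http://swayrouted.com/CONSTRUCTED-PATH": (
        200, {"Content-Type": "text/html"},
        '<html><head><meta http-equiv="refresh" '
        'content="0; url=http://portfolio411.net/land"></head></html>',
    ),
    "http://portfolio411.net/land": (302, {"Location": "/final"}, ""),
    "http://portfolio411.net/final": (200, {}, "<html>landing page</html>"),
}


def fake_fetch(url):
    return FAKE_WEB.get(url, (404, {}, ""))


def analyze(start_url, fetch=fake_fetch, max_hops=MAX_HOPS):
    """Report every hop, why the walk stopped, and whether the host changed."""
    chain, reason = follow_chain(start_url, fetch, max_hops)
    hosts, changed = hop_hosts(chain)
    return {"chain": chain, "hosts": hosts, "reason": reason, "host_changed": changed}


if __name__ == "__main__":
    report = analyze("http://swayrouted.com/CONSTRUCTED-PATH")
    for host, hop in zip(report["hosts"], report["chain"]):
        print(f"{host:20} {hop}")
    print("stopped:", report["reason"], "| host changed:", report["host_changed"])
```

The point of recording the whole chain rather than only the final page is that each hop is a separate thing to check: a scanner that scores only the first URL, as in the example above, reports the harmless-looking front door and never sees the site the visitor actually lands on.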
Another type of redirect to spot may be in the link itself! Take a look at this email:
Mousing over “Hit this link (just do it!)” reveals a link to a domain named “sendfree.com” followed by a long, odd set of characters. The Zulu URL Risk Analyzer says the link is “benign” or harmless. Yet notice that it says there are too many redirections to follow.
Now look closely toward the end of the string of characters in the email’s link and you will see http://misp.co/l13v7.
“http” is short for HyperText Transfer Protocol, and “http://” is the prefix that tells a web browser where a web address begins; a second “http://” buried inside a link is a sign that the link carries another address within it. Even a savvy email recipient might mouse over this email link and think that it points to SendFree.com, an email marketing firm. However, this SendFree link actually contains what is known as an “open redirect” within it. This open redirect sends the visitor on to a website in Russia. Though “.co” is the 2-letter country code for Colombia, a WHOIS lookup of “misp.co” shows that it is registered in Moscow, Russia.
Here is another example of a link that contains an open redirect. Look closely at the link at the bottom of the email, revealed by mousing over it. The link appears to point to “us.ard.yahoo.com.” But look closely at all the characters in the link. Can you spot the redirect “http” code? This link redirects to a domain named “ptr.ch,” which is registered and located in Switzerland.
The Zulu URL Risk Analyzer scores the link in the email as completely harmless:
Yet if we enter the redirected link for “ptr.ch”, we get a completely different response from Zulu:
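The check the two examples above ask the reader to do by eye, looking for a second web address hidden inside the link, can also be done in code. The Python script below is an added example, not code from this article or from any of the services it names. The sample links are constructed in the shape of the two examples: only the domains (sendfree.com, misp.co, us.ard.yahoo.com, ptr.ch) come from the article, while the paths, identifiers and parameter names are made up. It goes a little beyond the text by also decoding percent-encoded and double-encoded targets, and by treating a redirect that stays within the same site (for instance a login page sending you to a sister subdomain) as unremarkable.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Anything that looks like a second web address inside the link.
NESTED_URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def fully_unquote(text):
    """Percent-decode until the text stops changing, so http%253A%252F%252F is found too."""
    while "%" in text:
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def site_of(host):
    """Collapse a host to its last two labels (www.sendfree.com -> sendfree.com).

    Simplification: wrong for suffixes such as co.uk; a public-suffix list is the
    proper tool. Enough to tell sendfree.com from misp.co.
    """
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def embedded_urls(link):
    """Find every web address nested in the link's query, path or fragment."""
    parts = urlsplit(link)
    candidates = []
    # The query string is the usual hiding place, e.g. ?url=http://...
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        candidates.append(("query parameter %r" % key, value))
    # Some redirectors put the target in the path (e.g. /*http://...) or fragment.
    candidates.append(("path", parts.path))
    candidates.append(("fragment", parts.fragment))
    found = []
    for where, text in candidates:
        for match in NESTED_URL_RE.finditer(fully_unquote(text)):
            target = match.group(0)
            target_host = (urlsplit(target).hostname or "").lower()
            found.append({"where": where, "target": target, "target_host": target_host})
    return found


def assess(link):
    """Report the link's visible site, every nested address, and whether any
    nested address leads off that site."""
    outer_host = (urlsplit(link).hostname or "").lower()
    outer_site = site_of(outer_host)
    redirects = embedded_urls(link)
    off_site = any(r["target_host"] and site_of(r["target_host"]) != outer_site
                   for r in redirects)
    return {"outer_host": outer_host, "outer_site": outer_site,
            "redirects": redirects, "off_site": off_site}


# Constructed links in the shape of the two examples above; the identifiers,
# paths and parameter names are made up, only the domains come from the article.
SAMPLES = [
    "http://www.sendfree.com/track?id=CONSTRUCTED-ID&redirect=http://misp.co/l13v7",
    "http://us.ard.yahoo.com/CONSTRUCTED/*http%3A%2F%2Fptr.ch%2Fpage",
    "http://www.sendfree.com/go?u=http%253A%252F%252Fmisp.co%252Fl13v7",  # double-encoded
    "https://www.example.com/login?next=https://account.example.com/home",  # same site
]

if __name__ == "__main__":
    for link in SAMPLES:
        report = assess(link)
        verdict = "OFF-SITE REDIRECT" if report["off_site"] else "stays on site"
        print(f"{verdict:18} {link}")
        for r in report["redirects"]:
            print(f"    {r['where']} -> {r['target']} ({r['target_host']})")
```

The decoding loop matters because a mouse-over shows the link exactly as written, and a target spelled `http%3A%2F%2F` does not visibly contain a second “http://” even though the redirector will decode it. The same-site rule is what keeps the check from crying wolf on legitimate login and tracking links; the two-label heuristic it uses is a known simplification, as the comment says.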
Yahoo.com is particularly vulnerable to redirects, and this problem has been discussed on ZDNet.com in this article titled “Yahoo helps scammers phish by ignoring open redirect vulnerability” by Michael Lee.
In the Fall of 2013, TheHackerNews.com reported on a serious redirect vulnerability in Facebook that was discovered by security researcher Dan Melamed.
It is exactly these types of vulnerabilities that scammers use to trick folks into thinking they are clicking a link to one location when, in fact, it is a link to another location.
So, do you think you can spot an open redirect when you mouse-over a link? Test yourself by looking at this scam:
Related Resources:
1. URL Redirection (Wikipedia)