The following article has been posted on the LinkedIn page of our new takedown service, CyberATS. We recommend following CyberATS’s and IntelFinder’s LinkedIn pages to get notified when new articles are posted.
A bit over a month ago, on September 11th, Palo Alto Networks’ Unit 42 reported on a new development in the Phishing space: the team started observing attacks that used a “Refresh” header in the HTTP response (https://unit42.paloaltonetworks.com/rare-phishing-page-delivery-header-refresh/) to redirect users from one URL to another. While any new development is noteworthy, Phishing redirections have existed almost as long as Phishing attacks have, so this raises the question: what is new here, and what is its significance?
Quick Introduction to Redirections
When browsing the web, users can be redirected from one page to another in several ways.
Meta Tag
A common way to perform a redirect is to include a <meta> HTML tag within the HTML content of the page, which looks something like this:
<meta http-equiv="refresh" content="0; url=https://cyber-ats.com" />
Once the browser has loaded the HTML, it redirects the user to the URL specified in the “content” attribute. The “content” value also begins with a number that determines how many seconds should pass before the browser executes the redirection. For an immediate redirection, which is the usual case, a value of zero is supplied.
JavaScript
Another popular method of redirection is JavaScript, which the browser executes. The language has several ways to redirect the user, including “window.location.href”, “window.location.assign”, “window.location.replace”, “document.location” and more. JavaScript redirections have the major advantage of being able to form part of a larger, more complex piece of logic; for example, the redirection destination can be chosen based on certain criteria. Like the rest of the language, JavaScript redirections can either be embedded in the HTML page or loaded from a standalone JavaScript file. An embedded script would look something like this:
<script>window.location.href = "https://cyber-ats.com";</script>
HTTP Redirects
When a user wants to load a webpage, the communication is done using the HTTP protocol. According to the protocol, the client sends an “HTTP Request” and the server responds with an “HTTP Response”. Each request and response includes two main components: the “headers” and the “body”. The headers are a list of label-value pairs that the server and browser process to determine their behavior. In an HTTP Request, the headers may include the cookies in use, or the User-Agent (a string that identifies the client’s browser and its version, so the server can return the relevant version of the page). The body of a request carries any submitted fields, such as a username and password sent to the server for authentication (which should be sent over HTTPS rather than plain HTTP for security).
In an HTTP Response, the headers can include label-value pairs that tell the browser to redirect the user to a different page. Furthermore, every HTTP Response begins with a status line telling the browser whether the request was successful. A 200 status means the request was received and answered successfully. A 500 status means there was an internal server error (usually caused by bugs in the code generating the webpage on the server). Perhaps the best-known status is 404, indicating that the page was not found on the server. A status beginning with 3 indicates that further action is needed by the client to fulfill the request, which often means a redirection to another page. Such redirections are known as “HTTP Redirects”. Along with a 3xx status, the server supplies a header called “Location” that defines the URL to which the user should be sent. An example of a Location header is:
Location: https://cyber-ats.com/
The new finding by Palo Alto Networks focuses on a different, less-used HTTP redirect. Instead of a “Location” header, a “Refresh” header is served, which behaves like the “Refresh” meta tag, including the ability to delay the redirection by a defined number of seconds. Unlike “Location”, the “Refresh” header is not standard and is not part of the official HTTP/1.1 protocol specification. And unlike the “Location” header, which accompanies a 3xx status code, “Refresh” is served with a “200 OK” status code:
Refresh: 0; url=https://cyber-ats.com/
Redirections in Phishing
To understand the significance of using the “Refresh” header rather than the standard “Location” header for Phishing redirection, we must first understand what redirections in Phishing are used for, and more specifically what they are not used for. Redirections in Phishing are not used to obfuscate the attack’s URL so that the victim believes they are viewing the legitimate website; other techniques achieve that effect (link obfuscation, registration of similar domains, etc.).
What redirections are usually used for in Phishing is added resilience. When a redirection is part of an attack, the link in the Phishing email first sends the user who clicked on it to the redirection URL, and from there they are redirected to the actual Phishing page.
If the Phishing page is taken down but the redirection webpage is still online, the link in the Phishing email still works. All the fraudster has to do is point the redirection at a new instance of the Phishing page instead of the now-offline URL, and every Phishing email that has already been sent keeps working.
So What Does the New Redirection Method Mean?
In terms of user experience, all redirections are pretty much the same. Although with the meta tag and JavaScript the redirection only happens after the browser has finished loading the page content, a page that serves purely as a redirection usually contains nothing beyond the redirection instruction, so there is no noticeable difference.
What makes the “Refresh” header different is small, but can be crucial. Fraudsters know that anti-Phishing vendors use automated analysis tools to detect and alert on new Phishing attacks. One of the main ways for automated tools to communicate with external websites is a library and command-line tool called curl. When instructed to follow redirects, curl follows a 3xx status that comes with a “Location” header. However, when a “Refresh” header comes with a 200 OK status code, curl does not follow the redirection, even when redirect-following is enabled. This innovation does not pose a new threat to potential victims of Phishing, who will never notice the difference; rather, it is a method of avoiding detection of Phishing sites. Companies that monitor Phishing attacks need to ensure that their systems support the “Refresh” redirection.
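The check that an analysis pipeline needs at this point is to treat all three redirect forms (3xx plus Location, the non-standard Refresh header on a 200, and a meta refresh tag in the HTML) as redirections. Below is an added example of that check; it is not code from the article or from Unit 42, and the example.invalid URLs and the sample response are constructed for illustration.

```python
import re
from typing import Dict, Optional, Tuple

# Value grammar shared by the Refresh header and the meta tag:
#   "0; url=https://x", "3;URL='https://x'", "0 https://x" (browsers tolerate all).
_REFRESH_VALUE_RE = re.compile(
    r"^\s*(\d+)\s*[;,]?\s*(?:url\s*=\s*)?['\"]?([^'\"\s]+)['\"]?\s*$", re.IGNORECASE)
_META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
_ATTR_RE = re.compile(r"([\w-]+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))")


def parse_refresh_value(value: str) -> Optional[Tuple[int, str]]:
    """Return (delay_seconds, url) from a Refresh-style value, or None if malformed."""
    m = _REFRESH_VALUE_RE.match(value)
    return (int(m.group(1)), m.group(2)) if m else None


def _meta_refresh(body: str) -> Optional[Tuple[int, str]]:
    """Find <meta http-equiv="refresh" content="..."> regardless of attribute order."""
    for tag in _META_TAG_RE.findall(body):
        attrs = {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
                 for m in _ATTR_RE.finditer(tag)}
        if attrs.get("http-equiv", "").lower() == "refresh" and "content" in attrs:
            return parse_refresh_value(attrs["content"])
    return None


def find_redirect(status: int, headers: Dict[str, str], body: str) -> Optional[Tuple[str, int, str]]:
    """Return (mechanism, delay_seconds, url) for any redirect the response carries.

    Checks, in order: 3xx + Location (what curl follows with -L), the non-standard
    Refresh header on a 200 (what curl ignores), and a meta refresh tag in the HTML.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if 300 <= status < 400 and "location" in h:
        return ("location", 0, h["location"])
    if "refresh" in h:
        parsed = parse_refresh_value(h["refresh"])
        if parsed:
            return ("refresh-header", parsed[0], parsed[1])
    parsed = _meta_refresh(body)
    if parsed:
        return ("meta-refresh", parsed[0], parsed[1])
    return None


# Constructed samples: a 200 OK whose only redirect signal is the Refresh header,
# and an HTML body with a meta refresh whose attributes are in reverse order.
SAMPLE_HEADERS = {"Content-Type": "text/html", "Refresh": "0; url=https://example.invalid/next"}
SAMPLE_META_BODY = ('<html><head><meta content="3;URL=\'https://example.invalid/landing\'" '
                    'http-equiv="refresh"></head></html>')

if __name__ == "__main__":
    print(find_redirect(200, SAMPLE_HEADERS, ""))    # ('refresh-header', 0, 'https://example.invalid/next')
    print(find_redirect(200, {}, SAMPLE_META_BODY))  # ('meta-refresh', 3, 'https://example.invalid/landing')
```

A crawler that only honours Location on 3xx would stop at the first hop of the constructed sample; feeding its responses through find_redirect and re-fetching the returned URL closes that gap.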