
Open Redirect for Phishing

How attackers leverage open redirects on legitimate websites to bypass phishing defenses - and why domain reputation alone is not enough.

Setting the stage

Phishing, long neglected, is now front of mind for everyone. It has reinvented itself in recent years on both the attacker and the defender side.

Methods are evolving rapidly, as are defensive tools. In recent years, we have seen solutions move from classic Bayesian filters to so-called artificial intelligence solutions, without massive changes in terms of detection. Meanwhile, the cost of phishing has exploded year after year.

I will present here a little-known but simple and particularly effective method against security systems that rely on the “quality” of a domain and on known-threat lists from open databases. Quality is typically measured by computing domain age, domain authority and similar metrics.

What is an Open Redirect?

We often encounter Open Redirects when we talk about web exploitation, during an audit or a pentest. Very often, it is caused by a lack of input sanitization - so it often happens that the same parameter is also vulnerable to XSS, or even SSRF.

Although it is often considered a minor issue in terms of pure security, the last few years have shown that it can be a major problem for phishing and SEO poisoning.

Here is a simple definition:

An Open Redirect is an unwanted redirection, without user interaction, from site A to site B.

And because nothing beats an example, here is an OR that I found at the time:

https://www.notamweb.aviation-civile.gouv.fr/Script/IHM/Com_Chargement.php?URL=https://google.fr/humans.txt

Thanks to the Direction Générale de l’Aviation Civile for the involuntary collaboration with this article. Well done for having patched it quickly.

If you take this link and click on it, you get redirected to the Google site without your consent, when you were supposed to click on a civil aviation link. That is an OR.

Open Redirect and Phishing

You should see where this is going. With an OR on site A - a respectable, credible site with real activity - and site B being a malicious, recent phishing website, we can bypass defensive services.

If, for example, you were thinking of implementing a domain-age system to combat spam and phishing, know that you should also check the redirect chain. If you extract the domain in the usual way, then in an OR case the extracted domain will be domain A and not the malicious domain B.

Let’s take a concrete example with a real phishing page from an ongoing campaign (at the time of writing):

Phishing page impersonating Amazon

This is clearly a phishing page, styled to look like Amazon because I selected Amazon via the logo GET parameter. This campaign did not only target Amazon but also French companies.

For reference, the malicious URL is:

https://busysong.com/sf/tpl9/0?click_id=&item=J9N&logo=amazon&pub_id=&session_id=

I tested it on urlscan.io:

Urlscan.io result confirming phishing

And on isitphishing.ai from Vade:

Vade isitphishing.ai check

At the time, this was not yet detected by this solution - but the overall idea is clear. We have an obvious phishing page with a bad domain.

The bypass in action

Now let’s take an OR used by an ongoing phishing campaign, combined with the phishing URL above:

http://social.bigpress.net/api/emailtrack/click?goto=https://busysong.com/sf/tpl9/0?click_id=&item=J9N&logo=amazon&pub_id=&session_id=

Both links point to the same phishing page. But in the second case, the OR causes standard URL parsing to consider the domain as bigpress.net and not the actual destination busysong.com.

Here is a quick experiment using Python’s urllib library to extract the domain value:

urllib showing that the open redirect domain is parsed instead of the destination

The parsing returns bigpress.net - a legitimate domain - while the user actually ends up on the phishing page.
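The check the experiment above calls for, as an added example that is not part of the original post: instead of trusting the outer hostname, unwrap any URL embedded in the query string and score the innermost destination. The two URLs are the ones quoted in the article; the percent-encoded variant is constructed for this example, and the function names are mine.

```python
from urllib.parse import urlparse, parse_qs, unquote

# URLs quoted in the article (unchanged).
DIRECT_URL = "https://busysong.com/sf/tpl9/0?click_id=&item=J9N&logo=amazon&pub_id=&session_id="
OR_URL = ("http://social.bigpress.net/api/emailtrack/click"
          "?goto=https://busysong.com/sf/tpl9/0?click_id=&item=J9N&logo=amazon&pub_id=&session_id=")
# Constructed variant of OR_URL with a percent-encoded goto value.
ENCODED_OR_URL = ("http://social.bigpress.net/api/emailtrack/click"
                  "?goto=https%3A%2F%2Fbusysong.com%2Fsf%2Ftpl9%2F0%3Fclick_id%3D%26item%3DJ9N")


def embedded_hosts(url, depth=0, max_depth=3):
    """Return hostnames found by unwrapping URLs embedded in query
    parameters, outermost first. max_depth bounds nested wrapping."""
    parsed = urlparse(url)
    hosts = [parsed.hostname] if parsed.hostname else []
    if depth >= max_depth:
        return hosts
    # parse_qs decodes once; unquote again to catch double-encoded values.
    for values in parse_qs(parsed.query, keep_blank_values=True).values():
        for value in values:
            candidate = unquote(value)
            inner = urlparse(candidate)
            # Accept http(s) and scheme-relative (//host/...) URLs only;
            # bare "host/path" values without a scheme are not detected here.
            if inner.hostname and inner.scheme in ("http", "https", ""):
                hosts.extend(embedded_hosts(candidate, depth + 1, max_depth))
    return hosts


def effective_domain(url):
    """Domain a reputation check should score: the innermost embedded host."""
    hosts = embedded_hosts(url)
    return hosts[-1] if hosts else None


def looks_like_open_redirect(url):
    """True when the outer host differs from the innermost embedded host."""
    hosts = embedded_hosts(url)
    return len(hosts) > 1 and hosts[-1] != hosts[0]


if __name__ == "__main__":
    for u in (DIRECT_URL, OR_URL, ENCODED_OR_URL):
        print(urlparse(u).hostname, "->", effective_domain(u),
              "(wrapped)" if looks_like_open_redirect(u) else "")
```

This only catches destinations visible in the query string; a wrapper that looks up an opaque token server-side still needs the HTTP 3xx chain followed in a sandbox before the final domain is scored.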

Takeaways

  • Domain reputation alone is not a reliable defense against phishing
  • Open Redirects on legitimate websites give attackers a free pass through domain-based filters
  • Any URL parsing that does not follow redirect chains can be fooled
  • This method can be combined with other techniques (HTML link disguise, URL shorteners) for even better evasion

The fix is straightforward: sanitize redirect parameters, validate destination URLs against a whitelist, and make sure your phishing defenses inspect the full redirect chain - not just the first domain.

Oletros

Copyright 2026 Oletros. All Rights Reserved