In this post, Security Ledger contributor Or Katz of Akamai details how malicious actors abuse open redirect vulnerabilities in popular web sites to boost the search reputation of malicious sites they control. One recent campaign abused open redirects on some 4,000 vulnerable web applications to pump up the search engine ranking of more than 10,000 malicious web sites, Katz reveals.
Akamai’s globally distributed Intelligent Platform allows us to gather and analyze large volumes of data on Internet metrics and traffic patterns across leading web properties and digital media providers. That visibility lets us identify trends over time that are only visible at that scale. As a result, we have seen a significant and recurring web security problem: attacks that abuse open redirect vulnerabilities on websites with high search engine ranking.
The problem has continued for years, as is shown in an excerpt from a Google Webmaster Central blog post of five years ago:
“Webmasters face a number of situations where it’s helpful to redirect users to another page. Unfortunately, redirects left open to any arbitrary destination can be abused. This is a particularly onerous form of abuse because it takes advantage of your site’s functionality rather than exploiting a simple bug or security flaw. Spammers hope to use your domain as a temporary “landing page” to trick email users, searchers and search engines into following links which appear to be pointing to your site, but actually redirect to their spammy site.”
The continued use of open redirects in search engine optimization (SEO) attacks indicates that closing these vulnerabilities has not been a priority for site owners or the security community. The result is that malicious SEO campaigns continue to exploit open redirects on high-profile websites.
The Internet security community and network administrators have a real interest in eliminating these vulnerabilities and protecting users and site owners.
How SEO redirect attacks work
Search engine ranking algorithms apply multiple criteria in determining the rank of a web page. One criterion is the reputation of the sites that link or redirect to that page. A redirection from a site with a good reputation improves the reputation of any site it redirects to, including a malicious web site. In practice the attacker plants links to the trusted site’s redirect endpoint, with the redirect parameter pointing at the malicious site, so that a crawler following the link reaches the malicious site by way of the trusted domain. That is the key attraction of open redirect vulnerabilities to those operating SEO attack campaigns.
When attackers use open redirects for web page hijacking, they typically redirect the visitor to a different site that infects the user’s device (PC, smart phone, etc.) with malware. Open redirects are also used in phishing for user credentials, the first step in identity theft attacks. They can also be used as leverage to blackmail or extort the operators of the vulnerable website.
A Big Data analysis of an SEO attack
Akamai’s threat research team recently observed an orchestrated and distributed link-based SEO attack campaign that abused thousands of web applications through open redirect vulnerabilities. The attackers manipulated search engine page ranking in the same way discussed in the Google blog. Our research sheds light on the distribution and magnitude of these SEO attacks.
Methods: The attackers launched two different types of attacks that abuse open redirect vulnerabilities. The first type attempts to improve the reputation of a malicious site by taking advantage of a vulnerable web application’s positive reputation. In this attack, traffic is redirected by a high-ranking vulnerable web application to elevate the ranking of the malicious site. The second type tries to degrade the reputation of a vulnerable web application by creating links that redirect users and search engines to a site with a poor reputation. This technique is known as a link-based negative SEO attack. The motive for such an attack could come from a competitor who wants to degrade the ranking of the vulnerable site, causing it to be filtered out by search engines.
Sources: An analysis of the source IP addresses used by the attacker in this case study shows that the attacks came from all around the world and from various types of Internet sources, including anonymous proxies, open virtual private networks (VPNs) and cloud services infrastructures. A close analysis of HTTP header signatures, web clients and other evidence from Akamai’s big data platform indicates clearly that all source IP addresses were controlled by a single attacker or attacking organization. In other words, the attack was a distributed campaign that utilized a variety of Internet sources to make detection and mitigation more complex.
Fast facts: Here are some relevant statistics about the attack:
- More than 4,000 unique and vulnerable web applications were leveraged for the purpose of this SEO attack
- The attacker tried to manipulate the page ranking of more than 10,000 malicious sites
- More than 3,400 unique IP addresses were used as the source of this attack campaign
- The attack lasted at least 30 days
- Approximately 40 percent of attack sources were using HTTP proxies to mask their true identity
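The source analysis and campaign statistics above describe aggregate measurements over many requests. As an added example (not code or data from the original post or from Akamai), the following Python script shows how the same campaign-level facts can be derived from a site’s own access log: it picks out requests to a redirect endpoint whose parameter points off-site, then counts attempts, distinct source addresses, distinct destinations being boosted, the share of sources that arrived through a declared HTTP proxy, and the campaign’s duration. The `/redirect` endpoint, the `next` parameter, the log format (combined log with a trailing `Via` header field) and every log line are constructed for the demonstration.

```python
"""Spotting an open-redirect SEO campaign in access logs.

Added example, not code or data from the original post or from Akamai. The
/redirect endpoint, the `next` parameter, the log format (combined log plus a
trailing "%{Via}i" field) and all log lines below are constructed.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Optional
from urllib.parse import parse_qs, urlsplit

OUR_HOSTS = {"www.example.com"}  # assumed: destinations on these hosts are on-site

# Constructed sample log: combined log format with the Via header as a final quoted field.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jun/2014:10:00:01 +0000] "GET /redirect?next=https://evil-pharma.example.net/ HTTP/1.1" 302 0 "-" "Mozilla/5.0" "-"
203.0.113.10 - - [01/Jun/2014:10:00:02 +0000] "GET /redirect?next=https://evil-pharma.example.net/ HTTP/1.1" 302 0 "-" "Mozilla/5.0" "-"
198.51.100.7 - - [02/Jun/2014:11:12:00 +0000] "GET /redirect?next=https://cheap-loans.example.org/ HTTP/1.1" 302 0 "-" "Mozilla/5.0" "1.1 proxy.example.com"
198.51.100.8 - - [03/Jun/2014:09:00:00 +0000] "GET /redirect?next=//evil-pharma.example.net/ HTTP/1.1" 302 0 "-" "curl/7.35" "1.1 squid"
192.0.2.44 - - [05/Jun/2014:12:30:00 +0000] "GET /redirect?next=/account/home HTTP/1.1" 302 0 "-" "Mozilla/5.0" "-"
192.0.2.45 - - [15/Jun/2014:08:00:00 +0000] "GET /redirect?next=https://www.example.com/help HTTP/1.1" 302 0 "-" "Mozilla/5.0" "-"
192.0.2.46 - - [30/Jun/2014:23:59:59 +0000] "GET /redirect?next=https://evil-casino.example.net/ HTTP/1.1" 302 0 "-" "Mozilla/5.0" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<via>[^"]*)"$'
)


def external_destination(request_target: str) -> Optional[str]:
    """Return the off-site host named in ?next=, or None when the redirect stays on-site."""
    nxt = parse_qs(urlsplit(request_target).query).get("next", [""])[0]
    try:
        # "//evil" parses as a netloc, "/path" does not; backslashes are treated as slashes by browsers
        host = urlsplit(nxt.replace("\\", "/")).hostname
    except ValueError:
        return None  # malformed URL (e.g. bad IPv6 literal); not a usable redirect target
    return host if host and host not in OUR_HOSTS else None


def analyse(log_text: str) -> dict:
    """Aggregate campaign-level facts: attempts, distinct sources, distinct
    boosted destinations, proxy share among sources, and duration in days."""
    sources, targets, via_sources, stamps = set(), Counter(), set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["target"].startswith("/redirect?"):
            continue
        dest = external_destination(m["target"])
        if dest is None:
            continue  # legitimate on-site redirect, not part of the campaign
        sources.add(m["ip"])
        targets[dest] += 1
        if m["via"] != "-":
            via_sources.add(m["ip"])  # request passed through a declared HTTP proxy
        stamps.append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    return {
        "attempts": sum(targets.values()),
        "unique_sources": len(sources),
        "unique_targets": len(targets),
        "top_targets": targets.most_common(3),
        "proxy_share": len(via_sources) / len(sources) if sources else 0.0,
        "duration_days": (max(stamps) - min(stamps)).days if stamps else 0,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Only requests whose destination host is off-site are counted, so ordinary on-site redirects do not inflate the numbers; a real deployment would also correlate the `Referer` field, since the planted links arrive from the spam pages that carry them, and would not rely on the `Via` header alone to classify proxies.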
Security community action is needed
Open redirect abuse is a significant web security problem that is not getting the attention it deserves. Although it appears only as the last entry (A10, Unvalidated Redirects and Forwards) in the Open Web Application Security Project (OWASP) Top 10 2013 document, its potential impact and its use by malicious actors are underestimated.
Our research shows that open redirect vulnerabilities are frequently left unpatched on major sites across the Internet, and these vulnerabilities are being exploited extensively by malicious actors and organizations.
Furthermore, while web application firewalls (WAFs) may block open redirect attacks and provide local protection, they do not provide wide visibility and intelligence into the nature of these attacks and their magnitude.
In the absence of a concerted effort by the security community to understand these attacks, the following important questions are being left unanswered for each attack:
- Who is attacking? Is it a single person or a distributed organization?
- Is the attack aimed at a single victim, or is it an Internet-wide phenomenon?
- What is the attacker trying to achieve?
- How do we stop this attack if it morphs and changes sources and methods?
We recommend the following community actions be taken to address the problem of SEO attacks by open redirect vulnerabilities:
- Establish a benchmark to identify the current situation across the Internet and to measure the progress of clean-up efforts
- Institute local WAF rules and validate redirect targets against a list of authorized destinations (e.g., a database) before sending the HTTP 302 redirect
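The attack mechanism described under "How SEO redirect attacks work" and the validation recommended in the last item above come down to one request handler. As an added example (not code from the original post or from Akamai), the following Python shows the vulnerable redirector beside a hardened one that validates the target before the 302 is sent: same-site paths are anchored to the site’s own origin, only http(s) destinations on an allowlist of hosts pass, and everything else (off-site hosts, protocol-relative `//host` forms, backslash variants, `user@host` tricks, `javascript:` schemes) collapses to a safe default. The site origin, the allowlisted hosts, the `/redirect` path and the `next` parameter are assumptions made for the demonstration.

```python
"""Open redirect: the vulnerable handler beside an allowlist-validated one.

Added example, not code from the original post or from Akamai. SITE_ORIGIN,
ALLOWED_HOSTS, the /redirect path and the `next` parameter are assumptions.
"""
from typing import Callable
from urllib.parse import parse_qs, urljoin, urlsplit

SITE_ORIGIN = "https://www.example.com"                      # assumed: the high-reputation site
ALLOWED_HOSTS = {"www.example.com", "accounts.example.com"}  # assumed: the list of authorised destinations
DEFAULT_LOCATION = "/"


def vulnerable_redirect(next_url: str) -> str:
    """The bug: whatever the client put in ?next= is echoed into the Location header."""
    return next_url


def safe_redirect(next_url: str) -> str:
    """Hardened form: validate before sending the 302. Anything that is not a
    site-relative path or an http(s) URL on an allowlisted host collapses to
    DEFAULT_LOCATION instead of being echoed."""
    if not next_url:
        return DEFAULT_LOCATION
    candidate = next_url.replace("\\", "/")  # browsers treat "/\evil" like "//evil"
    if candidate.startswith("//"):
        return DEFAULT_LOCATION              # protocol-relative: host is attacker-chosen
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return DEFAULT_LOCATION              # malformed (e.g. bad IPv6 literal)
    if parts.scheme:
        if parts.scheme not in ("http", "https") or not parts.netloc:
            return DEFAULT_LOCATION          # javascript:, data:, or "https:evil" oddities
        host = parts.hostname                # .hostname drops userinfo ("site.com@evil") and lowercases
        if host is None or host not in ALLOWED_HOSTS:
            return DEFAULT_LOCATION
        return candidate
    # No scheme and no "//": a site-relative path. Anchor it to our own origin so it cannot escape.
    return urljoin(SITE_ORIGIN + "/", candidate)


def handle(request_url: str, handler: Callable[[str], str]) -> str:
    """Simulate the redirector receiving a planted link and producing the Location value."""
    nxt = parse_qs(urlsplit(request_url).query).get("next", [""])[0]
    return handler(nxt)


if __name__ == "__main__":
    # Constructed: the kind of link a campaign plants on spam pages, pointing at the trusted site.
    planted = SITE_ORIGIN + "/redirect?next=https://evil.example.net/pharmacy"
    print("vulnerable ->", handle(planted, vulnerable_redirect))
    print("hardened   ->", handle(planted, safe_redirect))
```

The allowlist check is deliberately on the parsed hostname rather than on a string prefix: a prefix test such as `startswith("https://www.example.com")` is satisfied by `https://www.example.com.evil.example.net/` and by `https://www.example.com@evil.example.net/`, both of which the hardened handler rejects.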
Stopping a single attack with a WAF is nice, but we want to win the cyber war against open redirect attacks. Engaging the security community in this issue is critical to winning the war.