Multi-stage Phishing
by Jose Nazario

I got an interesting phish this morning for Amazon. What makes it interesting is that it uses not one but two different redirectors, one from Yahoo! and one from Google, and then what appears to be a bot in Chinese IP space before it finally lands on the phishing site. The URL in the mail and a simple representation are shown below.


People do this to avoid simple URL filters that don't look beyond the first host; such a filter sees only "rds.yahoo.com". Some of the smarter ones may notice that the Yahoo! site redirects to a Google site and still pass it: Yahoo! uses a lot of internal redirections for its web content via RSS, so it makes sense that some people have started checking where the Yahoo! redirect goes. In this case it goes somewhere benign at first, Google, so a simple checker would allow it. The third stage of the phish lands on a bot in China, which itself serves a simple meta refresh to the ultimate destination.
Not terribly scary, but it does mean that if you analyze URLs for a living, you really have to follow the whole path, honoring every kind of hop (HTTP redirects and meta refreshes alike) until you reach a page that goes nowhere else. Scammers and other folks are abusing these open redirectors to their benefit, and your tools need to adapt. More importantly, the people hosting open redirectors need to respond as well. Remember, we went through this sort of thing before: whitelists are preferred over blacklists, and all input should be checked for conformance to your standard. No sense being a party to a problem when you can do something about it.
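As an added example (not code from the original post), here is a small Python resolver that follows a redirect chain hop by hop, honoring both HTTP 3xx Location headers and HTML meta refresh, alongside the allowlist check an operator of a redirector endpoint would apply to its target parameter. The hostnames and paths in the constructed FAKE_WEB map are hypothetical stand-ins for the chain described above (Yahoo! redirector, Google redirector, meta-refresh host, landing page), not the URL from the mail; `fetch` is a pluggable function so the example runs offline.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _MetaRefresh(HTMLParser):
    """Pull the target out of the first <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.target = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta" or self.target is not None:
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        m = re.search(r'url\s*=\s*["\']?([^"\'\s;]+)', a.get("content", ""), re.I)
        if m:
            self.target = m.group(1)


def follow_chain(url, fetch, max_hops=10):
    """Return the list of URLs visited, starting at `url`, until a page neither
    redirects (3xx + Location) nor carries a meta refresh. Stops early on a
    redirect loop or after max_hops so a hostile chain cannot keep us busy."""
    hops = [url]
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        headers = {k.lower(): v for k, v in headers.items()}
        nxt = None
        if 300 <= status < 400 and "location" in headers:
            nxt = headers["location"]
        elif status == 200:
            p = _MetaRefresh()
            p.feed(body)
            nxt = p.target
        if nxt is None:
            return hops          # terminal page: the real landing site
        url = urljoin(url, nxt)  # resolve relative targets against the current hop
        hops.append(url)
        if hops.count(url) > 1:
            return hops          # redirect loop
    return hops


def hostnames(hops):
    """Hostname of every hop, i.e. what a filter that stops at hop 0 never sees."""
    return [(urlparse(u).hostname or "").lower() for u in hops]


def redirect_allowed(target, allowed_hosts, base_url):
    """Operator-side check for a redirector endpoint: resolve the target the way
    a browser would and allow it only if the scheme is http(s) and the host is on
    an explicit allowlist. This catches scheme-relative (//evil), userinfo
    (http://trusted@evil) and javascript: tricks that a string prefix check misses."""
    parsed = urlparse(urljoin(base_url, target))
    if parsed.scheme not in ("http", "https"):
        return False
    return (parsed.hostname or "").lower() in allowed_hosts


# Constructed offline stand-in for a chain like the one in the post. Hostnames,
# paths and the 198.51.100.7 / .example placeholders are hypothetical, not the
# URL from the mail. Values are (status, headers, body).
START = "http://rds.yahoo.com/redirect?u=http://www.google.com/url?q=http://198.51.100.7/amazon/"
FAKE_WEB = {
    START: (302, {"Location": "http://www.google.com/url?q=http://198.51.100.7/amazon/"}, ""),
    "http://www.google.com/url?q=http://198.51.100.7/amazon/":
        (302, {"Location": "http://198.51.100.7/amazon/"}, ""),
    "http://198.51.100.7/amazon/":
        (200, {"Content-Type": "text/html"},
         '<html><head><meta http-equiv="refresh" '
         'content="0;url=http://amazon-signin.example/login"></head></html>'),
    "http://amazon-signin.example/login":
        (200, {"Content-Type": "text/html"}, "<html><body><form>fake sign-in</form></body></html>"),
    # a two-node redirect loop, to exercise the loop guard
    "http://loop.example/a": (302, {"Location": "/b"}, ""),
    "http://loop.example/b": (302, {"Location": "/a"}, ""),
}


def fake_fetch(url):
    """Stand-in for an HTTP client (no network); unknown URLs return 404."""
    return FAKE_WEB.get(url, (404, {}, ""))


if __name__ == "__main__":
    for i, u in enumerate(follow_chain(START, fake_fetch)):
        print(f"hop {i}: {u}")
```

Against the constructed map the resolver reports four hops ending at the `.example` landing page, while a first-host-only filter would have stopped at `rds.yahoo.com`. The `redirect_allowed` check is the operator-side half of the argument: a redirector that only honors targets on an explicit allowlist cannot be used as the first stage of a chain like this.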
I have a whole host of phishing mails that showcase various techniques used by scammers in a Phishing Corpus set I maintain. You can study these for any good, upstanding purpose, such as writing a better phish detector.
Might want to check this resource if you haven’t yet.
http://www.antiphishing.org/phishing_archive/phishing_archive.html
September 19th, 2006 at 12:41 pm
Yeah, I've seen their archive before. Sadly, it's useless for people writing filters to detect these at the mailbox level. My phishing corpus is an mbox, and it's also got more attacks in it.
I built it after seeing the APWG's archive and recognizing that the world needed a real corpus in flat text format.