
Quoted from my course instructor's lecture:

The following are the stages of a typical web attack: The victim visits a legitimate web site that has been compromised. The compromised web site redirects the victim to another site that is running malicious code that is controlled by the attacker. The redirection may go through various intermediary servers first.

I also faced the same issue. If I visit torrent sites and mistakenly or intentionally click on some links, it takes me to another site through various intermediary sites. Why does it go through many sites within a few seconds instead of only going to the last one directly? What is the benefit for the attacker?

again

4 Answers


There are actually two cases here:

A site which is serving malicious ads (Malvertising)

In this case the attacker does not compromise the site itself but is misusing targeted ads to select the victim based on its specific capabilities (browser, OS, geolocation, ...) and attack it. Due to the way targeted ad delivery works it uses a lot of redirects between various sites, i.e. the majority of redirects are not for malware delivery but part of the usual ad delivery process. See for example How real time ad serving works for more information. There might be some malware-specific redirects at the last stages for the same reasons as described for the second case below.

A site which has been compromised by an attacker

In this case the visited site is compromised by an attacker. The attacker will usually only put some minimal redirect onto the compromised site for the following reasons:

  • Harder to detect
    If only some redirect code is installed and not the malicious payload the chance is higher that the compromise will stay longer undetected by the owner.
  • Protect the malware from researchers
    The malware is precious for the attacker. If some security company got hold of all the malicious code when cleaning the compromised site, it could analyze it and add protections for its customers, suddenly making the malware less valuable.
  • Increased flexibility in updating malware
    If the malware gets detected by security systems the attacker needs to install the next version. Also, the malware might not be owned by the attacker itself: one attacker might just redirect the victim to another attacker which develops and hosts the (always up-to-date) malware. Both attackers then share the profit (i.e. a kind of franchising).
  • Protection against takedowns
    By using redirects the attacker can build a more flexible infrastructure which is more robust against takedowns or blacklisting.
Steffen Ullrich

A common technique that is used by the attackers to avoid detection is to obfuscate the source from where the malware was downloaded by using a series of web redirections. Attackers can use the legitimate "302 Found" response to create a series of web redirections before the victim's browser is finally redirected to the page that delivers the exploit to the victim's machine. These intermediate web sites are also known as gates. The URL of these gates changes frequently, like every half-hour or so, to deprive security researchers of the time to gather enough information to come up with a meaningful attack analysis. The use of the gates also adds extra layers, which makes it harder to determine the source of the malware. Using HTTP 302 redirections also eliminates the need for iFrames or external scripts, because HTTP 302 redirections are less likely to raise suspicions as compared to hidden iFrames or external scripts.

Whether using an iFrame or HTTP 302 cushioning, the main goal of the attacker is to ensure the victim’s web browser ends up on the attacker's web page which serves out the malicious exploit to the victim.

Alex Probert

I suspect it's so that you can't use the back button - clicking back will take you back one site, which will immediately redirect you forwards.

Douglas Leeder
  • This is incorrect. The back button will bring you back to the last page that didn't give you a redirect. Just because you redirect several times does not mean your browser is treating it as you visiting multiple sites. After all, links in Google bring you through a redirect, but if you click back after you reach the destination, you're back at regular old Google. – forest Feb 09 '18 at 13:54
  • Surely it depends how the redirects are done? I doubt most attackers care too much about using the correct HTTP status codes, and multiple 200 redirects will break the back button for the average user. – JMK Feb 09 '18 at 13:59
  • @JMK: I don't think there is such a thing as a "200 redirect". Sending a Location header with HTTP status code 200 will not result in the browser getting redirected. I've just tried this with Chrome and Firefox (beware when trying it yourself: servers like nginx might change the HTTP status code you are trying to explicitly set). But you might use other things like JavaScript-based redirects, Refresh headers etc. to fiddle with the history. – Steffen Ullrich Feb 09 '18 at 16:31
  • @forest have you really never been on a website where a redirect prevented you from navigating backwards with a single back button? I have seen this many times, even on legitimate websites. The best way I've found to navigate back is to hold down the back button and select the page I actually want to go to. – BlackThorn Feb 09 '18 at 17:10
  • @BlackThorn then they are using javascript `window.location.href` – cowbert Feb 09 '18 at 17:55
  • @SteffenUllrich Yeah you're right, I was more getting at the fact that there are lots of ways to redirect a user that the browser will view as a legitimate *page change.* It makes sense for an attacker to want to render the browser's *Back* functionality useless. – JMK Feb 09 '18 at 22:12
  • @JMK But the types of redirects OP is talking about are not these JavaScript-based redirects, but proper HTTP status codes. They are far more common, so saying that you "suspect" the reason is to prevent you from using the back button is at best misleading. – forest Feb 10 '18 at 09:38
  • @BlackThorn Those are things like meta refreshes, not redirects. – forest Feb 10 '18 at 09:38
  • @forest: The OP does not specify how the site redirects to another site at all. While you might personally consider an HTTP-level redirection as the only true redirection, I don't think that this interpretation is shared universally. Many (including myself) would probably consider any form of directing to another page (i.e. HTTP redirect, script based, Refresh header, meta refresh...) when talking about "redirect" unless it is explicitly called "HTTP redirect". – Steffen Ullrich Feb 10 '18 at 09:47
  • @SteffenUllrich Sure, but he asks why compromised sites so often use redirects. In my experience, the compromised sites I've seen which are involved in malvertising just use a bunch of HTTP redirects. Every once in a while I'll see JavaScript used, but those tend to be rare. As this answer is making the assumption that the redirect being talked about is not an HTTP redirect (without elaborating on that assumption), it's far closer to incorrect than to correct. It's a single sentence that makes an (incorrect) assumption regarding how common this type of redirect is, prefixed with "I suspect". – forest Feb 10 '18 at 09:51
  • @forest: what I see is both: HTTP redirects and also JavaScript redirects. The latter often combined with some code which detects what kind of client this is and then puts this information into the new URL so that the server can serve the client-specific payload. – Steffen Ullrich Feb 10 '18 at 10:49
  • @SteffenUllrich I'd think the server would detect the type of client based on the client HTTP headers, and change the HTTP redirect accordingly (since it doesn't need to actually load a page to tell what client is being used). I suppose this might be necessary for more sophisticated client fingerprinting, but I haven't seen it all that often. – forest Feb 10 '18 at 10:51
  • @forest: a client-side script might do more. It could check for client-side traces of a typical environment vs. a researcher environment (like timing access to typically cached resources) or look for anomalies in the script interpretation which are typical for anti-malware sandboxes. Also, detecting the redirect path if non-HTTP redirects are used is harder for anti-malware research and thus helps in hiding the attack. – Steffen Ullrich Feb 10 '18 at 10:56
  • @SteffenUllrich That's true. It's just not something I've seen very often. But then again I've seen far more unsophisticated malware than I have seen sophisticated malware (the type that actually does cache timing attacks to detect virtualization, etc). – forest Feb 10 '18 at 11:00
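Added example (not code from the thread or from any of its participants): a small Python tracer for the chain described in Alex Probert's answer (302 "gates") and argued about in the comments above, which records the mechanism behind every hop, including the non-HTTP ones (Refresh header, meta refresh, JavaScript) that Steffen Ullrich notes are harder for a researcher to reconstruct. The capture dict is a constructed stand-in for a recorded session; the hostnames are invented, and the Refresh/meta/JavaScript regexes are deliberately narrow and hypothetical.

```python
import re
from urllib.parse import urljoin

# Constructed capture (status, headers, body) per URL, standing in for a
# recorded session; it mixes the mechanisms the thread argues about: HTTP 302
# Location, Refresh header, meta refresh and a JavaScript location assignment.
# Every hostname here is invented.
CAPTURE = {
    "http://compromised.example/": (200, {}, '<script>window.location.href="http://gate1.example/in";</script>'),
    "http://gate1.example/in": (302, {"Location": "http://gate2.example/x"}, ""),
    "http://gate2.example/x": (200, {"Refresh": "0; url=/landing"}, ""),
    "http://gate2.example/landing": (200, {}, '<meta http-equiv="refresh" content="0;url=http://final.example/payload">'),
    "http://final.example/payload": (200, {}, "<html>final page</html>"),
}

META_RE = re.compile(r'<meta[^>]*http-equiv=["\']?refresh["\']?[^>]*content=["\']?\d+\s*;\s*url=([^"\'>\s]+)', re.I)
JS_RE = re.compile(r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']'
                   r'|location\.replace\(\s*["\']([^"\']+)["\']\s*\)', re.I)

def next_hop(url, status, headers, body):
    """Return (mechanism, absolute target) or None when the page is terminal."""
    if 300 <= status < 400 and "Location" in headers:      # true HTTP redirect
        return ("http-%d" % status, urljoin(url, headers["Location"]))
    if "Refresh" in headers:                                # Refresh header
        m = re.match(r'\s*\d+\s*;\s*url=(\S+)', headers["Refresh"], re.I)
        if m:
            return ("refresh-header", urljoin(url, m.group(1)))
    m = META_RE.search(body)                                # <meta refresh>
    if m:
        return ("meta-refresh", urljoin(url, m.group(1)))
    m = JS_RE.search(body)                                  # script-driven hop
    if m:
        return ("javascript", urljoin(url, m.group(1) or m.group(2)))
    return None

def trace(start, capture, max_hops=10):
    """Follow the chain until a terminal page, unknown URL, loop or hop cap; returns (hops, last_url)."""
    hops, url, seen = [], start, set()
    while url in capture and url not in seen and len(hops) < max_hops:
        seen.add(url)
        hop = next_hop(url, *capture[url])
        if hop is None:
            break
        hops.append((url, hop[0], hop[1]))   # (from_url, mechanism, to_url)
        url = hop[1]
    return hops, url

if __name__ == "__main__":
    for src, mech, dst in trace("http://compromised.example/", CAPTURE)[0]:
        print(f"{src} --[{mech}]--> {dst}")
```

Only the "http-302" hops would show up in a plain HTTP log; the other three are the hops an analyst has to recover from page bodies, which is why recording the mechanism per hop matters.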

A compromised website will NOT redirect you. What you are referring to is simply a 302 forward, which means when you call my website.com I am telling the browser: oh, we have moved to website2.com. That is the nature of HTTP and it's necessary to be that way.

The spam / ad gen websites that 302 you are doing it for a different purpose. First, they do it for ad views: wait 5 seconds before I redirect you and watch this. Or they also do it very quickly, so you have been redirected within 10 websites in a few seconds before you land nowhere... that's usually done to generate traffic on websites, increase ranking, improve SEO... etc.

A compromised web site is a goldmine. Just like we recently heard that Adobe was compromised for certain people due to DNS manipulation and the hackers were serving infected Flash installers etc. So if a website is compromised then the objective is to use its authority and the trust people have to get you to run an exe. But if I have compromised Adobe or x website, why would I redirect you somewhere else? To lose your trust? Ofc it's always subjective on the motives, but to have compromised a website and to simply use it to 302 is the stupidest thing I have ever heard.

JsEveryDay
  • It's the stupidest thing you have ever heard?! Why do people do it then? – wizzwizz4 Feb 10 '18 at 14:47
  • This is absolute nonsense. There are plenty of reasons to redirect. The most obvious one is to simply sell the redirect as if it was a banner click. Redirect to the advertiser's website, collect money. Very simple win. – Darren H Feb 10 '18 at 16:00