Updated: An open redirect on a UK council-backed property website allowed low-level miscreants to evade filters.
The website operated by tech services biz Civica had an open redirect being actively abused by spammers, piggybacking off the website's domain authority so their messages weren't flagged up by scanning tools.
Fortuitously, one of the spam emails that bounced through the Homes4Wiltshire website ended up in the mailbox of ethical hacker Scott Helme, who was intrigued enough to track down how it had got through his defences.
The message itself was a Royal Mail-themed spam campaign urging Helme to pay for a delivery – a very familiar scam from the past couple of years. On clicking the "proceed now" button in the email, he saw it linked to Homes4Wiltshire's website – and traced the full number of hops back to a domain called package-royamail[.]co[.]uk. (Did you spot the missing L? Plenty wouldn't have.)
Helme blogged about his detective work tracking down the root cause of the redirect, which he attributed to a configuration problem in a web app deployed by Civica to its customers' websites. Some brief Google-enabled sleuthing helped him find other domains using the same unique
Open redirects exist when parameters passed in an HTTP GET request redirect the user to another URL without validating the target address. Trustwave has a blog post with more detail about the flaw, noting it tends to get little attention these days as it doesn't expose user data or pose an immediate threat to the website operator.
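The pattern in plainer terms, as an added illustration that is not code from the article, from Civica or from the affected site: a redirect handler that echoes the GET parameter straight into the Location header, beside one that resolves the parameter against the site's own origin and only follows it when the resulting host is on an allowlist. The origin and hostnames are constructed for the example.

```python
from urllib.parse import urljoin, urlparse

# Constructed values for this example, not the real site's configuration.
SITE_ORIGIN = "https://www.example-council-homes.test"
ALLOWED_HOSTS = {"www.example-council-homes.test",
                 "login.example-council-homes.test"}
FALLBACK = SITE_ORIGIN + "/"


def vulnerable_redirect(target: str) -> str:
    """The open-redirect pattern: whatever arrived in the query string is
    returned as the Location, so any absolute URL is accepted."""
    return target


def safe_redirect(target: str) -> str:
    """Return `target` only if it lands on one of our own hosts; otherwise
    send the user to the homepage instead of an attacker-chosen site."""
    if not target:
        return FALLBACK
    # Browsers normalise backslashes to slashes, so "/\evil.test" becomes
    # "//evil.test"; header-injection characters are rejected for the same
    # reason (they would never be a legitimate path on this site).
    if any(c in target for c in "\\\r\n\x00"):
        return FALLBACK
    # Relative paths resolve against our origin; absolute URLs and
    # scheme-relative "//host" forms keep their own host, which is the
    # case the allowlist check below has to catch.
    resolved = urljoin(FALLBACK, target)
    parsed = urlparse(resolved)
    if parsed.scheme not in ("http", "https"):
        return FALLBACK
    # .hostname strips userinfo and port, so "https://ours@evil.test"
    # yields "evil.test" and is rejected rather than matched on the prefix.
    if parsed.hostname not in ALLOWED_HOSTS:
        return FALLBACK
    return resolved
```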
"The reason these open redirects are useful is that they add legitimacy to the URL in the email itself which helps it to bypass spam filters," noted Helme.
Spam emails sent with links to recently spun-up domains are likely to be caught by spam filters, whereas using open redirects on well-established sites for bouncing users through a few sites until they end up on a phishing page means the odds of the message being filtered out are much lower.
Open redirects can also damage a domain name's reputation, potentially to the point where legitimate emails sent by its legitimate users start being filtered too. Many redirects, however, are legitimate: anyone who has ever clicked a link in a genuine marketing email and seen their browser rapidly flick through different domains before landing on the promised one will have seen the click-tracking technique at work.
We have contacted Civica, operator of the Homes4Wiltshire website, and will update this article if we hear back. We understand that the open redirect has been closed off.
Microsoft has previously warned of credential-phishing campaigns abusing open redirect vulnerabilities to get through spam filters. ®
Updated to add at 08:43 UTC on 14 September 2021:
A Civica spokesperson said: "We recently became aware of an issue relating to the website of one of our customers. We investigated and took immediate steps to rectify the matter, working closely with the customer.
"As a company, we have a strong track record in delivering robust security for all our customers, which is something we always take seriously."