Most of the time two types of redirectors are used. iframe redirects and open redirectors.
iframe redirectorsiframe redirectors have been used a great deal over the past few years. Malicious groups will compromise a site and place an iframe html tag onto the page with a source attribute of a malicious Web site. Doing this automatically redirects the user to a location of the malicious attacker's choice.
Figure 1: iframe redirector example
Even more popular is the use of open redirectors. Open redirectors are generally used for legitimate purposes by ad companies or large corporations to proxy URLs so that they can track where their users are coming from and where they are going. Unfortunately malicious groups can use these open redirectors and place any Web site they choose for the redirection to occur. From the user's standpoint, they might just be looking at the domain name, and not noticing variables in the query string that indicate that this is a redirection script.
Figure 2: open redirector example
Figure 3: Example spam using a link to a malicious SWF Flash file
This past week we published a blog on Malicious Viral Facebook spam. That same malicious group was also posting links to Flash files on Facebook walls.
Figure 4: Facebook wall spammed with link to malicious SWF flash file
Analysis of this SWF file with SWFDump indicates that some simple action script was used to basically redirect the user to a Web site that tried to gather personal information.
Figure 5: swfdump tool in action
Figure 6: swfdump tool run against malicious SWF Flash file
Writing action script to accomplish this is quite simple. The function navigateToURL is used to automatically redirect the user without any warning whatsoever.
Figure 7: Example ActionScript code of Flash redirector that redirects to websense.com domain
In this particular instance the Flash file led to a series of 302 redirects, ending on a fake love compatibility Web site that collected personal information.
Figure 8: Resulting Phishing page that users are automatically redirected to upon clicing on malicious Flash redirector
Security Researcher: Stephan Chenette