Outbreak Name: Open URL Redirect

Outbreak Date: 03-07-2008

URL Redirection Used to Conduct Spam Attacks

Outbreak Description

IronPort has identified (and continues to block and monitor) spam that uses legitimate URLs to direct viewers to spam sites. The most recent attacks use functions on Google, Yahoo! and AOL to send spam with a single URL in the body of the message. This specially crafted URL both appears to be, and links to, a legitimate website. However, that website automatically forwards the viewer to the spammed site through a technique called an "Open Redirect" or an "Unprotected Forwarder."

Spammers are also using the Google "I'm Feeling Lucky" function to redirect viewers to a spammed site. By crafting the URL contained in the message to include the "I'm Feeling Lucky" feature on Google's search engine, the viewer is automatically redirected to the spam target site.

This technique has also been used with Yahoo! and AOL open redirects and has been growing steadily in frequency over the past two months:

  • ~1% of all spam contains this type of attack
  • This attack technique is rising steadily
  • An attacker could use this technique to direct the end-user to a malware-laden site

Both the IronPort email security appliance and Web security appliance block these risks and protect our customers from these types of social engineering attacks.

Outbreak Example

An email will arrive that contains a legitimate looking URL. This URL will contain special parameters that allow the viewer to be automatically redirected to a third-party site when the URL is clicked.

Open URL Redirect Example
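As an added illustration of the pattern described above (not IronPort's detection logic and not part of the original report), the following sketch scans a message body for URLs whose query parameters forward to a different site, including percent-encoded and scheme-relative targets. The sample hosts, the function names and the two-label same-site rule are assumptions made for this example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
MAX_DECODE_ROUNDS = 3  # redirect targets may be percent-encoded more than once
# Constructed sample message body; every host is on a reserved test domain.
SAMPLE = (
    "Deals: http://www.portal.example/r?url=http%3A%2F%2Fpills.test%2Fbuy\n"
    "Twice: http://mail.portal.example/go?u=http%253A%252F%252Fpills.test\n"
    "Login: http://www.portal.example/in?next=http://accounts.portal.example/\n"
    "Plain: http://news.example/story?id=42\n"
)

def _split(url):
    """Parse `url`; return None when it is malformed or has no host."""
    try:
        parts = urlsplit(url)
        return parts if parts.hostname else None
    except ValueError:
        return None

def site(host):
    """Crude same-site key: last two DNS labels (assumption, not a PSL lookup)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def embedded_target(value):
    """Return the host a parameter value points at, or None if it is not a URL."""
    for _ in range(MAX_DECODE_ROUNDS):
        v = value.strip()
        parts = _split("http:" + v if v.startswith("//") else v)
        if parts and parts.scheme in ("http", "https"):
            return parts.hostname
        value = unquote(value)  # peel one more layer of percent-encoding
    return None

def find_redirects(body):
    """List (carrier_host, parameter, target_host) for each URL in `body`
    whose query string forwards the viewer to a different site."""
    hits = []
    for url in URL_RE.findall(body):
        parts = _split(url.rstrip(".,)"))  # drop trailing sentence punctuation
        if parts is None:
            continue
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            target = embedded_target(value)
            if target and site(target) != site(parts.hostname):
                hits.append((parts.hostname, name, target))
    return hits
```

A hit means only that the link carries a cross-site forwarding parameter; whether the carrier site actually follows it, and the reputation of the target, still have to be checked separately.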

Outbreak Protection

Email that is managed by IronPort and end-users protected by IronPort Web security appliances will not be impacted by these attacks. IronPort appliances are automatically updated to prevent both spam email and hostile Web URLs from being passed to the end-user.

It is possible spammers will move from using these techniques to drive traffic to spam sites to using the same methods to deliver malware to end-users.

IronPort will continue to monitor these techniques, automatically adapt our systems to protect our customers and update this report if there are significant changes or if the risk to end-users increases.

IronPort's anti-spam solutions protect customers from spam more accurately and quickly than any other anti-spam offering. IronPort Reputation Filters are combined with content-level analysis and IronPort Anti-Spam™ to protect customers from an industry-best 98% of spam with near-zero false positives.

To stop outbreaks in near real time, IronPort uses a unique combination of automated machine-generated rules and human oversight with its 24x7 Threat Operations Center. IronPort achieves world-class accuracy by analyzing messages on over 200 different parameters, including structure, content, sender reputation, URL reputation and patent-pending Multidimensional Pattern Recognition image analysis technology.