This week I noticed a report on how malware could be downloaded and installed using an Open Redirect from Cisco.
Lets first define what an Open Redirect is.
An open redirect is when a legitimate site allows unauthorized users to create URLs on that site to redirect visitors to other sites. For example, Google has an open redirect at the URL
This can be used by anyone, including attackers, to redirect a visitor through Google’s site to another site.
I tested this with the following URL’s, which worked:
This hack that came to light when joining a Cisco WebEx meeting via an emailed invite. This seems to require a specifically crafted URL to work. However, when joining a WebEx session, it is not unusual to be asked to run a temporary application in order to participate in the shared content. This is the same for a lot of the other video conferencing services since you need to connect to the service offered by the conferencing site, which is always customised to their branding. The hacked Cisco redirect in question asked you to install an app ‘webex.exe’, which is not the default viewer for WebEx. However, as a casual user, how are you going to know this?
The hack using Cisco’s service downloaded a malware installer and it is not inconceivable that cyber criminals could use the Google service above (or any other similar service) to perform the same task. While I have not tested this, I would hope that Google are scanning the redirected URL for malware before executing it.
My usual advice when receiving unsolicited emails is not to click on any links in the email unless you fully trust them. If I saw the Cisco link, I would probably trust it since I use WebEx to join public sessions all the time.
However, now my advice changes to inspecting any redirects that exist in the URL before you click on a link, even from a trusted supplier.
This is a tactic that could be used by attackers using Social Engineering techniques to trick you into clicking on a malicious link.
How do I defend against this?
TIP 1: I suggest you read through my blog on defending against social engineering attacks as well as the Link Tracking blog since this is another trick that can be employed to direct you to a malicious website.
TIP 2: The standing advice still stands regarding inspecting the link in emails before you click. If you are on a:
- desktop PC, hover your mouse over the link and view the link in the status bar (you may need to enable the status bar in the settings for the browser)
- mobile device, long pressing the link should bring up a dialog showing the full URL (certainly the case for Android 9, may work for IoS).
TIP 3: When you receive an unsolicited email/IM check the source. Often there is a means to expand the header in an email to see the full source email address. If it is unknown to you, or looks like a spoofed email address, then delete the message. A spoofed email address could look like the following:
If you try the link above, it wont exist – I can pretty much guarantee I won’t be using this type of redirect on my domain names since they are immediately suspicious. However, a lot of companies do, so be aware. Also, look at my blog on Domain Typo Squatting for additional info on how you can be tricked into believing a domain name is legitimate.
TIP 4: A very useful service called Virus Total can inspect any URL you give it against a large number of Anti-Virus solutions (e.g. Kaspersky, BitDefender).
Copy the URL out of the message and paste it into this website to see what comes back. If any results come back with a result other than ‘Clean’, then you know something is very wrong with the URL. However, I have seen false positives with this service as they are only as good as the underlying AV engines. Virus Total can also scan files.
TIP 5: Enable your Anti-Virus to scan any URL’s you visit via your web browser. This is often enabled by default, but in some cases you need to buy an additional component, pay for the full commercial version of the software or install a browser addon. Free versions of AV solutions will only provide basic protection. However, if you are on Windows, the default Windows Security service will enable ‘Windows Defender Smart Screen’ by default which scans URL’s using the Edge browser as well as downloaded files.
TIP 6: Shortened URL’s are the bain of the web. For example:
The above link goes to this websites home page, but just looking at it you can’t tell this. If this is also in a redirect, you have no chance of detecting whether or not it is malicious. However, Virus Total will help you out here. You can also paste the shortened link into service that expands it to the full URL, however the one I would recommend seems to have gone offline – I will look into providing another service and update as soon as I can.
URL shortening is widely used, especially on Twitter, so be aware of this when you see them. In Twitter you don’t have much choice since this is also a way for the service to gather analytics which the poster cannot turn off.
TIP 7: Relying on AV software to catch everything is not recommended, and should be considered a last resort. Better to engage brain before you click on that link.
TIP 8: Perform regular Anti-Virus scans using the service you have installed on your device. These can often be automated to occur every day, or every week, at a time when you are not likely to use the device.
I hope this has raised awareness of another trick hackers can use to trick you into installing malware, or executing another form of social engineering attack. I hope Cisco review their open redirect service and restrict it in some way. I also hope other providers of similar services also do the same.
In all cases it is best to engage brain before you click on any link received via a messaging service (email, IM, etc.).
If you are interested in the specifics about the Cisco based hack, take a look at this Bleeping Computer article.
If you have been tricked into installing the webex.exe download, then you are advised to Scan your device using your AV software on the highest/most sensitive setting. Also, you should suspect that any logins/passwords stored by your browser (specifically Chrome and FireFox) are compromised and reset all the passwords immediately.