Why do compromised web sites often take you through multiple URL redirections?

There are actually two cases here:

A site which is serving malicious ads (Malvertising)

In this case the attacker does not compromise the site itself but is misusing targeted ads to select the victim based on its specific capabilities (browser, OS, geolocation, ...) and attack it. Due to the way targeted ad delivery works, it uses a lot of redirects between various sites, i.e. the majority of redirects are not for malware delivery but part of the usual ad delivery process. See for example How real time ad serving works for more information. There might be some malware-specific redirects at the last stages for the same reasons as described for the second case below.

A site which has been compromised by an attacker

In this case the visited site is compromised by an attacker. The attacker will usually only put some minimal redirect onto the compromised site for the following reasons:

  • Harder to detect
    If only some redirect code is installed and not the malicious payload, the chance is higher that the compromise will stay undetected by the owner for longer.
  • Protect the malware from researchers
    The malware is precious for the attacker. If some security company got hold of all the malicious code when cleaning the compromised site, it could analyze it and add protections for its customers, suddenly making the malware less valuable.
  • Increased flexibility in updating malware
    If the malware gets detected by security systems, the attacker needs to install the next version. Also, the malware might not be owned by the attacker itself; one attacker might just redirect the victim to another attacker who develops and hosts the (always up-to-date) malware. Both attackers then share the profit (i.e. a kind of franchising).
  • Protection against takedowns
    By using redirects the attacker can build a more flexible infrastructure which is more robust against takedowns or blacklisting.

A common technique that is used by attackers to avoid detection is to obfuscate the source from where the malware was downloaded by using a series of web redirections. Attackers can use the legitimate "302 Found" response to create a series of web redirections before the victim's browser is finally redirected to the page that delivers the exploit to the victim's machine. These intermediate web sites are also known as gates. The URL of these gates changes frequently, like every half-hour or so, to deprive security researchers of the time to gather enough information to come up with a meaningful attack analysis. The use of the gates also adds extra layers which make it harder to determine the source of the malware. Using HTTP 302 redirections also eliminates the need for iFrames or external scripts, because HTTP 302 redirections are less likely to raise suspicion compared to hidden iFrames or external scripts.

Whether using an iFrame or HTTP 302 cushioning, the main goal of the attacker is to ensure the victim’s web browser ends up on the attacker's web page which serves out the malicious exploit to the victim.
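The answers above describe a chain of 302 "gates" whose hostnames rotate faster than a researcher can analyze them. The usual defensive counter is to record every hop of the chain at the moment it is observed, rather than only the final landing page. The script below is an added example, not code from any of the answers: it follows a redirect chain hop by hop using only status codes and Location headers (no page content is fetched or executed), resolves relative Location values the way a browser would, stops on loops or an excessive number of hops, and summarizes the distinct hosts involved. The domains and responses are constructed sample data standing in for a real HTTP client.

```python
"""Record an HTTP redirect chain hop by hop for later analysis.

Added example: the fetch layer is simulated so the script runs offline.
In a real sandbox or proxy, `fetch` would issue the request and return
(status_code, Location header) without rendering the response body.
"""
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed sample: a compromised site 302-redirects through two
# short-lived "gates" before the final landing page. All URLs are made up.
SAMPLE_RESPONSES = {
    "http://compromised.example/index.html": (302, "http://gate-a.example/go?id=1"),
    "http://gate-a.example/go?id=1": (302, "/hop2"),  # relative Location header
    "http://gate-a.example/hop2": (302, "https://gate-b.example/landing"),
    "https://gate-b.example/landing": (200, None),
}

# Constructed sample of a misconfigured or deliberately looping chain.
LOOP_RESPONSES = {
    "http://loop-a.example/": (302, "http://loop-b.example/"),
    "http://loop-b.example/": (302, "http://loop-a.example/"),
}


def make_fetch(responses):
    """Build a stand-in fetcher that returns (status, location) for known URLs."""
    def fetch(url):
        return responses.get(url, (404, None))
    return fetch


def follow_chain(start_url, fetch, max_hops=10):
    """Follow redirects from start_url without executing any content.

    Returns (hops, outcome) where hops is a list of (url, status, location)
    tuples in the order visited, and outcome is one of
    'landed', 'error', 'loop' or 'max_hops'.
    """
    hops = []
    seen = set()
    url = start_url
    while len(hops) < max_hops:
        if url in seen:
            return hops, "loop"  # revisiting a URL means the chain cycles
        seen.add(url)
        status, location = fetch(url)
        hops.append((url, status, location))
        if status in REDIRECT_STATUSES and location:
            # Resolve relative Location values against the current URL,
            # exactly as a browser does before following the redirect.
            url = urljoin(url, location)
            continue
        return hops, ("landed" if status == 200 else "error")
    return hops, "max_hops"


def chain_summary(start_url, fetch, max_hops=10):
    """Summarize a chain: outcome, hop count, ordered distinct hosts, final URL."""
    hops, outcome = follow_chain(start_url, fetch, max_hops)
    hosts = []
    for url, _, _ in hops:
        host = urlsplit(url).netloc
        if host not in hosts:
            hosts.append(host)  # keep first-seen order for the analyst's log
    return {
        "outcome": outcome,
        "hops": len(hops),
        "hosts": hosts,
        "final_url": hops[-1][0] if hops else None,
    }


if __name__ == "__main__":
    for url, responses in (
        ("http://compromised.example/index.html", SAMPLE_RESPONSES),
        ("http://loop-a.example/", LOOP_RESPONSES),
    ):
        hops, outcome = follow_chain(url, make_fetch(responses))
        for step, (u, status, loc) in enumerate(hops, 1):
            print(f"hop {step}: {status} {u} -> {loc}")
        print("outcome:", outcome, "|", chain_summary(url, make_fetch(responses)))
```

Logging every intermediate host at observation time is what preserves the gate URLs that otherwise vanish within the half-hour the answer mentions; the loop and hop-count limits keep the crawler from being stalled by a chain designed to never terminate.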


I suspect it's so that you can't use the back button - clicking back will take you back one site, which will immediately redirect you forwards.