HUMAN BLOG

How Threat Actors Abuse Open Redirectors to Hide in Plain Sight

Read time: 6 minutes

Inna Vasilyeva, Manuel Caballero, Nico Agnese

April 21, 2025

Ad Tech, Cyberthreats, Research & Detection, Scripts


If you’ve ever added a link to a tweet, you’ve used an open web redirector. An open web redirector is a URL hosted by the big platforms of the internet that redirects a user’s browser to a destination URL. They can be used to shorten links (for example, when a tweet has a maximum character count, or when the product link is too long to include in a text message).

These redirectors are called “open” because they don’t validate the request: they redirect any requesting user to any provided URL.

Why Might Threat Actors Use Open Redirectors?

Threat actors use open web redirectors to hide the true source of a request. Ad fraud is all about arbitrage: getting cheap traffic and rendering expensive ads on it.

Using open web redirectors, bad actors can buy low-quality traffic from brand-unsafe publishers (piracy, adult content, unwanted ads and others) and “launder” it.

A user will navigate from:

bad-pub.com -> open web redirector -> cash-out-pub.com

Since the redirector replaces the referrer with the name of the platform providing the open redirector and removes any indication of a step before the redirector, ads rendered on cash-out-pub.com will be reported as running on organic traffic coming from the open redirector’s platform (generally search engines and social media platforms).

Let’s go over some real life examples of this abuse.

Google Open Redirector Abuse

A user visiting a low-quality website triggers a popunder, which we define as an unwanted new tab or window opened in the background when the user clicks some content on the website.

The new window in the background loads the following URL:
https://whatyoucanread.com/Loading/?ho=zeusMain&visit-type=popads

This URL returns no content but does two things. First, it sets a user_mode=auto cookie:

HTTP/1.1 307 Temporary Redirect
Date: Wed, 03 Feb 2024 19:53:35 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
set-cookie: user_mode=auto; expires=Thu, 03-Feb-2025 19:53:35 GMT; Max-Age=31536000; path=/
set-cookie: PHPSESSID=hforjl0bj79qp1d9hs58tsnnqo; path=/
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
location: https://www.google.com/url?sa=t&source=web&rct=j&url=https://whatyoucanread.com/&ved=2ahUKEwjDxNLhiffzAhVPzDgGHYcEBKIQFnoECAMQAQ&usg=AOvVaw1iCn3n6vlpdFDQFHPKl0-A
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AfhuvKSGyV7DzGU2MlrLGUWz%2FWgeQRpGZoYiS%2B95FzdWiibWshfayzWjTuyqUlbNp8y3j%2BRueiSH2O4CoMyI7hpc%2B3pEwmnoB1UEJ0zndfP3uWR1PKY6Or61Y%2FYg6EMGqE%2Fj%2BTk%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 86eb9b0c0a2409aa-MIA
alt-svc: h3=":443"; ma=86400
Content-Length: 0

Second, it immediately redirects with a “307 Temporary Redirect” response to a Google-based open redirector URL.

Notice the url=https://whatyoucanread.com/ parameter: it tells the open redirector where to take the browser next.

The open redirector returns HTML content as shown below (beautified for easier reading). It does not use an HTTP header redirection; the redirect is performed by the returned HTML.

<html lang="es-419">
  <head>
    <meta content="origin" name="referrer">
    <script nonce="IgIGyIOoYdei_jMUs_giPg">
      window.google = {};
      (function(){
        var c=this||self;
        var e=function(b){this.g=b};
        e.prototype.toString=function(){
          return this.g.toString()
        };
        // Accept only URLs that are not javascript: and have either an explicit scheme or no scheme at all
        var f = /^\s*(?!javascript:)(?:[a-z0-9+.-]+:|[^:\/?#]*(?:[\/?#]|$))/i;
        c.google.navigateTo=function(b,d,a){
          !/\/.*?[&?]gsc=1/.test(d.location.href) && b!==d &&
          b.google?b.google.r && (b.google.r=0, b=b.location, 
          a instanceof e ? a=a instanceof e && a.constructor===e ? a.g :
          "type_error:SafeUrl" : a=f.test(a) ? a : void 0,
          void 0!==a&&(b.href=a), 
          d.location.replace("about:blank")) : d.location.replace(a)
        };
      }).call(this);
      (function(){
        var redirectUrl='https://whatyoucanread.com/';
        google.navigateTo(parent,window,redirectUrl);
      })();
    </script> 
    <noscript> 
      <meta content="0;url=https://whatyoucanread.com/" http-equiv="refresh"> 
    </noscript> 
  </head>  
</html>

The key here is the use of location.replace(), a JavaScript function that replaces the browser history entry of the redirector itself with the provided URL, issuing a new request to that URL and loading that page.

After the above HTML is rendered in the background window of our imaginary user, the window will be navigated to whatyoucanread.com, and more importantly, the browser will send the request including a header:

referrer: https://www.google.com/

This indicates that the previous content loaded in the browser was Google.

When the browser renders the HTML page returned by whatyoucanread.com, it exposes the Google referrer through the DOM (Document Object Model) and the JS engine. JavaScript and assets loaded with that page will read a referrer stating that Google was the previous content loaded.

This is the key: that referrer will be read by the multiple parties loaded with the content, such as SSP JavaScript, verification companies’ assets, content providers and advertising assets. Any of them reading the referrer properties will report the page impression as having been preceded by Google content.

The page impression will be reported as “organic search” traffic when it was not: it was loaded in a popunder window triggered from a low-quality publisher.

X (formerly Twitter) Open Redirector Abuse

This example was also triggered by popunders. Once the user triggers the popunder, it automatically starts cycling through a number of cash-out sites. On each redirection from one cash-out domain to the next, the traffic bounces through X’s redirector, which seeds x.com as the referrer.

The popunder window is navigated through X’s open redirector:

https://t.co/SO537jsh9W

Which responds with content (again beautified for readability):

HTTP/1.1 200 OK
date: Wed, 27 Sep 2023 19:11:39 GMT
perf: 7626143928
vary: Origin
server: tsa_d
expires: Wed, 27 Sep 2023 19:16:39 GMT
set-cookie: muc=15a6895f-1e5a-47a8-b0dc-00e69001c423; Max-Age=63072000; Expires=Fri, 26 Sep 2025 19:11:39 GMT; Domain=t.co; Secure; SameSite=None
set-cookie: muc_ads=15a6895f-1e5a-47a8-b0dc-00e69001c423; Max-Age=63072000; Expires=Fri, 26 Sep 2025 19:11:39 GMT; Path=/; Domain=t.co; Secure; SameSite=None
content-type: text/html; charset=utf-8
cache-control: private,max-age=300
content-length: 441
x-transaction-id: 50f91cc21f0327b7
x-xss-protection: 0
strict-transport-security: max-age=0
x-response-time: 128
x-connection-hash: ae24738668dc349199dab4533c50c17e02dd2cf72f6bc855dda2dceba5e23666
<head>
  <noscript>
    <META http-equiv="refresh" content="0;URL=https://themindfulwellbeing.com/relaxation-techniques-for-busy-individuals-quick-stress-relief/">
  </noscript>
  <title>https://themindfulwellbeing.com/relaxation-techniques-for-busy-individuals-quick-stress-relief/</title>
</head>
<script>
window.opener = null; 
location.replace("https:\/\/themindfulwellbeing.com\/relaxation-techniques-for-busy-individuals-quick-stress-relief\/")
</script>

As in the Google case, location.replace is used to replace the redirector URL in the browser history with the destination URL, effectively navigating the user to the destination.

One difference from Google’s redirector is the use of:

window.opener=null

This JS line clears window.opener, the reference a window keeps to the window that opened it, which would otherwise reveal that the current window was spawned by another one. That is convenient and helpful for popup and popunder operators.

In this case the destination URL is NOT provided to the redirector via a parameter, but that does not make it harder to abuse.

The bad actor simply needs to post a tweet, send a DM or add the destination URL to an X account bio, and X will happily run it through its URL shortener and expose a redirector URL for it.

The destination URL in this case is again a cash-out site that runs in the background window for some time and then starts a redirection cycle, which once more sends the traffic to another X redirector URL, which in turn sends the browser window to another cash-out site.

This cycle will continue until the user closes the background browser window.

VKontakte Redirector Abuse

VKontakte—also known as VK—is a social media site based in Russia and catering largely to Russian-speaking users. Below is an example of an operation hiding the traffic source using an open redirector while directing end users from a brand-unsafe domain (piracy) to a cash-out domain rendering ads. This is a key component in the Scallywag operation, though the example below is not part of that operation.

The user’s path from the piracy catalog site to the cash-out site includes a URL created through VK’s open redirector, which replaces the referrer header with its own, hiding the relationship between the piracy catalog site and the cash-out domain.

The abused URL is:

https://away.vk.com/away.php?rh=95d75923-9091-4b06-85fd-7e7c7d1e5285

Which responds with this content (again beautified for readability):

HTTP/1.1 200 OK
Server: kittenx
Date: Fri, 07 Jun 2024 15:32:07 GMT
Content-Type: text/html; charset=windows-1251
Content-Length: 645
Connection: keep-alive
X-Powered-By: KPHP/7.4.117050
Set-Cookie: remixir=DELETED; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; domain=.vk.com; secure; HttpOnly; SameSite=None
Set-Cookie: remixsec_redir=DELETED; expires=Thu, 01 Jan 1970 00:00:01 GMT; domain=.vk.com
Set-Cookie: remixsec_redir=DELETED; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; domain=away.vk.com
Set-Cookie: remixsec_redir=DELETED; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/
Cache-control: no-store
X-Frame-Options: DENY
X-Frontend: front656100
Access-Control-Expose-Headers: X-Frontend
X-Trace-Id: hgOOF86p_4jFSpxXemP-I8uPAUWp1A
<meta name="referrer" content="origin" id="meta_referrer" />
<input id="redir" type="hidden" value="https://cyclingte.com/news/f62ffc79780320be36969f57177684b0/cascade" />
<script src="https://ad.mail.ru/static/sync-loader.js" nonce="" crossorigin="anonymous"></script>
<script>window.opener=null;window.location.replace(document.getElementById('redir').value);</script>
<noscript>
    <META http-equiv="refresh" content="0;URL='https://cyclingte.com/news/f62ffc79780320be36969f57177684b0/cascade'">
    <form action="https://cyclingte.com/news/f62ffc79780320be36969f57177684b0/cascade" method="POST">
        <input type="submit" value="Continue" />
    </form>
</noscript>

As with the X redirector, the redirection is done through the window.location.replace() JavaScript function and the window.opener object is nullified.

When the redirection to the destination domain cyclingte.com (the cash-out domain) completes, the request will carry a referrer value of vk.com.
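To reconstruct what such a chain really did, here is an added example (not code from the article or from HUMAN) that resolves a captured redirect chain using the redirection techniques shown in the three examples above: the 307 Location header, the location.replace() call in the X and Google responses, VK's hidden redir input and the meta refresh fallback, and then compares the true origin with the referrer the cash-out page would observe. The hosts cashout-a.example and cashout-b.example and the path t.co/EXAMPLE are constructed placeholders, and the redirector host list is limited to the platforms named in the article.

```python
import re
from html import unescape
from urllib.parse import urlparse

OPEN_REDIRECTOR_HOSTS = {"www.google.com", "t.co", "away.vk.com"}  # platforms seen in the article

# The three in-body redirect techniques the article shows, tried in this order.
BODY_PATTERNS = [
    re.compile(r'id=["\']redir["\'][^>]*value=["\']([^"\']+)["\']', re.I),   # VK hidden <input>
    re.compile(r'location\.replace\(\s*["\']([^"\']+)["\']'),                 # X / Google JS
    re.compile(r'content=["\']\d+\s*;\s*url=\'?([^"\'>]+?)\'?["\']', re.I),   # <meta refresh> fallback
]

def next_hop(status, headers, body):
    """URL the browser loads next (Location header or in-body redirect), or None if terminal."""
    location = {k.lower(): v for k, v in headers.items()}.get("location")
    if 300 <= status < 400 and location:
        return location
    for pat in BODY_PATTERNS:
        for m in pat.finditer(body):
            url = unescape(m.group(1)).replace("\\/", "/")  # undo the JS "\/" escaping
            if not url.startswith("about:"):                # skip replace("about:blank")
                return url
    return None

def resolve_chain(start_url, responses, max_hops=10):
    """Follow captured responses keyed by URL and return every URL the window visits."""
    chain = [start_url]
    while chain[-1] in responses and len(chain) <= max_hops:
        url = next_hop(*responses[chain[-1]])
        if url is None:
            break
        chain.append(url)
    return chain

def laundering_report(chain):
    """True origin vs. the referrer the final page observes: with meta name="referrer"
    content="origin" on the redirector, only scheme://host/ of the last redirector hop is sent."""
    hops = [urlparse(u) for u in chain]
    redirectors = [p for p in hops[:-1] if p.hostname in OPEN_REDIRECTOR_HOSTS]
    observed = f"{redirectors[-1].scheme}://{redirectors[-1].hostname}/" if redirectors else None
    return {"true_origin": hops[0].hostname, "observed_referrer": observed, "laundered": bool(redirectors)}

# Constructed captures (status, headers, body) modelled on the article's X example.
SAMPLE = {
    "https://cashout-a.example/": (200, {}, '<script>location.replace("https:\\/\\/t.co\\/EXAMPLE")</script>'),
    "https://t.co/EXAMPLE": (200, {"content-type": "text/html"},
        '<script>window.opener = null; location.replace("https:\\/\\/cashout-b.example\\/post")</script>'),
}
```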

Threat Models Abusing Redirectors

The above examples use pop ads and brand-unsafe websites as the initial vector.

But any threat model which arbitrages traffic from brand-unsafe sources could use open redirector abuse to mask the real source of the traffic driven to cash out sites.

Conclusions

If you are a campaign manager, don’t trust the referrer reporting of your campaigns: it can easily be manipulated to indicate traffic sourced from search engines and social media platforms when the real sources are nefarious.

HUMAN customers can be protected from these threats through our advanced co-visitation techniques, which reveal the real sources of traffic and indirect relationships between domains even when direct evidence is unavailable or tampered with.
