Dangerous Redirects - Kraken Phishing Analysis
Published: August 19, 2016 2:35 pm
I originally published this in 2016 on a different website under a pseudonym. Apart from some spelling corrections, this has been republished verbatim.
The Bitcoin exchange, Kraken, issued a warning on its blog[1], regarding various phishing attacks that have caused some accounts to lose their Bitcoin.
I decided to do some research into how this could have happened, as my previous knowledge of advert networks says that this isn’t possible; otherwise it would be much more commonplace.
Display vs Destination URLs
The advert display networks allow you to customize[2] the ‘Display URL’ vs the ‘Destination URL’.
The Display URL is what the user will see and the Destination URL is where the advert will take the user when clicked.
This is allowed because some websites have user-unfriendly URLs. There are limitations: the Display URL root domain must match the Destination URL root domain. For example:
Approved URL Customisations

| Display URL | Destination URL |
|---|---|
| Paulhempshall.com | https://www.paulhempshall.com/signup?adref=gadws_campaign1 |
| SignUp.Paulhempshall.com | https://www.paulhempshall.com/signup?adref=gadws_campaign2 |
| Paulhempshall.com/Signup | https://signup.paulhempshall.com |

Unapproved URL Customisations

| Display URL | Destination URL |
|---|---|
| Paulhempshall.com | https://paulhempshall.uk/join |
| SignUp.Paulhempshall.com | https://paulhempshall.co.uk/signup/ |
| Paulhempshall.com/Signup | https://signup.paulhempshall.co.uk |
The Attack
This is a very interesting and more sophisticated phishing attack, in that the attackers seem to have utilized a possible open redirect flaw[3] in the Kraken website to bypass the anti-phishing mechanisms of the Google, Bing and Yahoo advert display networks.
Kraken has yet to confirm whether this is the case or how it happened, but testing the redirect feature (https://www.kraken.com/redirect?url=INSERT_URL_HERE) after the event seems to throw a few errors, ranging from generic 403 Forbidden messages to generic CloudFlare ‘You have been blocked’ messages. This leads me to believe this is a temporary “duct tape” solution to mitigate the issue.
Why do I believe it is a temporary “duct tape” solution? Because of the generic standard errors that it produces. If the attack vector was considered at the beginning then usually a more user-friendly approach is taken; such as a custom error message with company branding. This is only an assumption on my part but is assumed because of other user-friendly error messages that the site is using.
However, the phishing site has an interesting string in the URL (highlighted in green in the screenshot). This correlates to the same redirect feature on the official website, and previous knowledge of other websites that have these vulnerabilities has shown me that the query string or other data from the original request tends to be passed to the destination, such as a source parameter along with other necessary parameters.
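To make the two checks in this post concrete, here is an added example (my own illustration, not Kraken's code nor the ad networks' actual validation logic) in Python. The first function models the ad network's rule that the Display URL and Destination URL must share a root domain, and is tested against the table rows above; the second is the hardened form of a `/redirect?url=` endpoint that only follows targets on an allow-listed host, which is the standard mitigation for an open redirect. The `SECOND_LEVEL_SUFFIXES` table and the `ALLOWED_REDIRECT_HOSTS` set are assumptions made for the example (a real deployment would use the Public Suffix List and its own host list). The point it shows is that a Destination URL pointing at the site's own redirect endpoint passes the root-domain check, so only the redirect validator stands between the advert click and the phishing site.

```python
from typing import Optional
from urllib.parse import urlsplit, urljoin, parse_qs

# Assumption for the example: a tiny stand-in for the Public Suffix List so
# that "paulhempshall.co.uk" is treated as a root domain rather than "co.uk".
SECOND_LEVEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au"}

# Assumption for the example: hosts the site is willing to redirect to.
ALLOWED_REDIRECT_HOSTS = {"www.kraken.com", "kraken.com"}


def root_domain(host: str) -> str:
    """Registrable (root) domain of a hostname, e.g. www.x.co.uk -> x.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def host_of(url: str) -> str:
    """Hostname of a URL; accepts a bare Display URL such as 'Example.com/Signup'."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def display_matches_destination(display_url: str, destination_url: str) -> bool:
    """The ad network rule: Display and Destination root domains must match."""
    return root_domain(host_of(display_url)) == root_domain(host_of(destination_url))


def safe_redirect_target(url_param: str,
                         base: str = "https://www.kraken.com/") -> Optional[str]:
    """Hardened replacement for an endpoint that redirected to ?url= unchanged.

    Returns an absolute https URL on an allow-listed host, or None when the
    requested target must be refused (the caller then falls back to a safe
    default page instead of following the parameter).
    """
    # Control characters, whitespace and backslashes are rejected outright:
    # browsers normalise "/\\evil.example" to "//evil.example", which urlsplit
    # would otherwise treat as a harmless relative path.
    if not url_param or "\\" in url_param or any(ord(c) < 0x21 for c in url_param):
        return None
    resolved = urljoin(base, url_param)  # resolves relative paths like "/account"
    parts = urlsplit(resolved)
    # Compare the whole netloc so "www.kraken.com@evil.example" and
    # "www.kraken.com.evil.example" both fail, and insist on https.
    if parts.scheme != "https" or parts.netloc.lower() not in ALLOWED_REDIRECT_HOSTS:
        return None
    return resolved


def simulate_click(destination_url: str) -> Optional[str]:
    """Where an advert click finally lands once the hardened redirect is applied.

    None means the redirect endpoint refused the supplied target.
    """
    parts = urlsplit(destination_url)
    if parts.path == "/redirect":
        target = parse_qs(parts.query).get("url", [""])[0]
        return safe_redirect_target(target)
    return destination_url


if __name__ == "__main__":
    # Constructed phishing-style advert: the Display URL passes the root-domain
    # check because the Destination really is on kraken.com.
    ad = "https://www.kraken.com/redirect?url=https://phish.example/login"
    print(display_matches_destination("Kraken.com", ad))  # True: ad network approves
    print(simulate_click(ad))                            # None: hardened redirect refuses
```

Run as a script it prints `True` followed by `None`: the advert itself is accepted by the root-domain rule, and only the redirect validator stops the click from reaching the external host. Adding a `url` parameter to the allow-list check rather than stripping the feature keeps the endpoint working for the site's own paths such as `/account`.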
No evidence of Kraken itself being hacked.
Unless the attacker found a flaw in Google, Yahoo and Bing, the only thing that would allow Display URLs with the Kraken domain would be a redirect exploit on one of the kraken.com domain names.
One thing to be aware of now is to not trust advert links, skip the adverts in search engines, and only use known links to websites.