Just wanted to forward an example of an interesting URL obfuscation
tactic observed yesterday.
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&url=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g
Google then spits back a response with the redirect target in both
JavaScript and non-JavaScript forms (meta refresh tag):
https://www.google.com/url?q=https%3A%2F%2Fwww.tehminadurranifoundation.org%2F1%2F1%2Findex.php&sa=D&sntz=1&usg=AFQjCNEa27A724-wMQik8STZvuisHK2G4g
Slightly different response behavior this time, but ultimately
redirects the victim to the malicious destination. The effective
destination in this case has been taken down, but I'll avoid putting
the full link.
Unfortunately, there didn't seem to be any rules that would help catch
this. I have a couple of thoughts on some that I would need to test, but
wanted to share with the community.
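One way to triage links like the one above is to unwrap the google.com/url redirect layer by layer and count how many hops sit between the outer link and the effective destination; a chain of two or more redirector hops is exactly the nesting the post describes. The following is an added example written for this thread, not code from the original post or from any rule set. It assumes that only the `url` and `q` parameters carry the target (both appear in the URLs quoted above) and that `www.google.com` is the only redirector host of interest; the sample URL is the one from the post.

```python
from urllib.parse import urlparse, parse_qs

# Sample input: the doubly wrapped redirect link quoted in the post above.
SAMPLE_URL = (
    "https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&url="
    "https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252F"
    "www.tehminadurranifoundation.org%252F1%252F1%252Findex.php"
    "%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g"
)

# Assumptions: the redirector host(s) to unwrap and the query parameters
# that carry the target. Both are taken from the URLs in the post.
REDIRECT_HOSTS = {"www.google.com", "google.com"}
REDIRECT_PARAMS = ("url", "q")


def next_hop(url):
    """Return the target carried by a google.com/url link, or None if the
    URL is not a redirector link. parse_qs percent-decodes the value once,
    which is exactly one layer of the nesting."""
    parsed = urlparse(url)
    if parsed.netloc.lower() not in REDIRECT_HOSTS or parsed.path != "/url":
        return None
    qs = parse_qs(parsed.query, keep_blank_values=True)
    for name in REDIRECT_PARAMS:
        values = qs.get(name)
        if values and values[0]:          # skip the empty q= on the outer link
            return values[0]
    return None


def unwrap(url, max_depth=10):
    """Follow redirector parameters until a non-redirector URL is reached.
    Returns the full chain, outermost link first. max_depth bounds the loop
    so a self-referencing link cannot spin forever."""
    chain = [url]
    while len(chain) <= max_depth:
        target = next_hop(chain[-1])
        if target is None:
            break
        chain.append(target)
    return chain


def redirect_depth(url):
    """Number of redirector hops in front of the effective destination."""
    return len(unwrap(url)) - 1


def final_destination(url):
    """The URL the victim actually lands on after all hops are unwrapped."""
    return unwrap(url)[-1]


def is_nested_redirect(url):
    """Flag links that pass through the redirector more than once; a single
    hop is normal search-result traffic, two or more is the tactic above."""
    return redirect_depth(url) >= 2


if __name__ == "__main__":
    for i, hop in enumerate(unwrap(SAMPLE_URL)):
        print(f"hop {i}: {hop}")
    print("nested redirect:", is_nested_redirect(SAMPLE_URL))
```

The first hop the script recovers is the inner google.com/url link quoted in the post, and the second is the final site; the inner link alone scores one hop and would not be flagged, which is the distinction a rule based on this logic needs to make so that ordinary search-result links are not matched.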