Domain rotation, redirection, and load balancing
Summary
To maximise the lifespan of a malicious domain, attackers use domain rotation, redirection, and load balancing so that a single URL sent to recipients can deliver them to any of several different domains. This is achieved by:
- Redirecting through trusted sites or sites that are typically excluded from URL blocklists or scanning tools
- Using several redirections before serving the malicious page, which breaks the referrer-based checks common in proxy solutions and prevents the initially seeded URLs from being discovered
- Using load balancing to serve different phishing domains to victims, continually refreshing the pool of phishing URLs
By obfuscating the initial URL delivered to victims, and both masking and rotating the phishing URLs, it is much harder for organizations to blocklist known-bad sites effectively.
Examples
- Example 1: NakedPages load balancing — The NakedPages AitM kit retrieves a new URL along with a suitable JWT authentication parameter. Automating the request brought back around 20 different primary domains used for the final phishing attack. These domains are rotated over time as some are blocked and new ones are created.
- Example 2: Using server-side redirects — Researchers observed large-scale phishing campaigns using a refresh entry in the HTTP response header, which directs the browser to automatically refresh or reload a page without requiring user interaction, loading one of several randomized phishing domains.
- Example 3: AitM phishing infrastructure using several redirects — Researchers identified phishing infrastructure using several rounds of redirects through legitimate domains (including security providers) and various Azure FD hosted domains before serving the malicious page.
- Example 4: Using screening “gate” pages before serving malicious pages — Using a separate page with [conditional loading] checks before serving the malicious page.
- Example 5: Using ADFS to redirect Microsoft links to a phishing URL — This attack combines malvertising with Microsoft-hosted phishing links via ADFS, where Microsoft effectively performs an open redirect to the phishing page from a legitimate office.outlook.com link.
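The chains described above (a trusted first hop, a server-side Refresh header, a gate page, then one of several rotating final domains) are exactly what URL-triage tooling should record hop by hop rather than looking only at the landing page. The following is an added example for defenders, not code from the original page or from any of the kits it describes: a small redirect-chain resolver that follows 3xx Location headers, HTTP Refresh headers and HTML meta refresh, then flags long chains, refresh-based redirects and domain changes. All URLs, domains and HTTP responses below are constructed sample data, and the `fetch` callable is injected so the same logic can be wired to a real HTTP client in a sandbox.

```python
"""Redirect-chain resolver for URL triage (added example; all data constructed)."""
import re
from urllib.parse import urljoin, urlparse

# Constructed sample responses keyed by URL: (status, headers, body).
# The chain mimics the page's description: trusted hop -> Refresh header ->
# gate page with meta refresh -> final rotating domain.
SAMPLE_RESPONSES = {
    "https://trusted-cdn.example.net/r?id=1":
        (302, {"Location": "https://redirector.example.org/go"}, ""),
    "https://redirector.example.org/go":
        (200, {"Refresh": "0; url=https://gate.example.com/check"}, ""),
    "https://gate.example.com/check":
        (200, {}, '<meta http-equiv="refresh" content="0;URL=https://login-verify.example.biz/">'),
    "https://login-verify.example.biz/":
        (200, {}, "<html>final page</html>"),
}

META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']?\s*\d+\s*;\s*url=([^"\'>]+)',
    re.I,
)


def sample_fetch(url):
    """Stand-in for an HTTP client: returns the constructed response for a URL."""
    return SAMPLE_RESPONSES.get(url, (404, {}, ""))


def next_hop(url, status, headers, body):
    """Return (mechanism, next_url) if the response redirects, else None."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and "location" in hdrs:
        return "location", urljoin(url, hdrs["location"])
    if "refresh" in hdrs:
        m = re.match(r"\s*\d+\s*;\s*url=(.+)", hdrs["refresh"], re.I)
        if m:
            return "refresh-header", urljoin(url, m.group(1).strip())
    m = META_REFRESH.search(body)
    if m:
        return "meta-refresh", urljoin(url, m.group(1).strip())
    return None


def resolve_chain(start_url, fetch=sample_fetch, max_hops=10):
    """Follow redirects from start_url, recording every hop and its mechanism."""
    chain = [{"url": start_url, "mechanism": "start"}]
    seen = {start_url}
    url = start_url
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        hop = next_hop(url, status, headers, body)
        if hop is None:
            break
        mechanism, url = hop
        if url in seen:  # redirect loop: record it and stop
            chain.append({"url": url, "mechanism": "loop"})
            break
        seen.add(url)
        chain.append({"url": url, "mechanism": mechanism})
    return chain


def assess_chain(chain, hop_threshold=2):
    """Summarise a resolved chain and raise findings worth an analyst's attention."""
    domains = [urlparse(h["url"]).hostname for h in chain]
    mechanisms = {h["mechanism"] for h in chain[1:]}
    findings = []
    if len(chain) - 1 > hop_threshold:
        findings.append("long-chain")
    if mechanisms & {"refresh-header", "meta-refresh"}:
        findings.append("refresh-redirect")
    if len(set(domains)) > 2:
        findings.append("multi-domain")
    if domains[0] != domains[-1]:
        findings.append("final-domain-differs")
    return {
        "start": chain[0]["url"],
        "final": chain[-1]["url"],
        "hops": len(chain) - 1,
        "domains": domains,
        "findings": findings,
    }


if __name__ == "__main__":
    result = assess_chain(resolve_chain("https://trusted-cdn.example.net/r?id=1"))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Because the resolver keeps the whole chain, a blocklist or detection rule can be keyed on every intermediate domain (including the seeded first hop and the gate page), not just the final phishing domain that the attacker will rotate away from anyway. Re-resolving the same start URL periodically and diffing the final domain over time is a cheap way to spot the load-balancing behaviour from Example 1.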