
    Functionality Misuse from Multiple Legitimate Company Websites is the Latest Example of ‘Site Hopping’

    A new technique is becoming increasingly common as a way to bypass security scanners. The challenge is that the specific execution is constantly evolving, which makes it difficult, though not impossible, to detect.

    In an earlier time, when trains served as the primary mode of long-distance transportation, individuals without tickets would often run alongside moving trains and hop onto the last car to hitch a ride for as long as it suited them. They would then transition to the next train and repeat the process until they reached their desired destination. This practice – called “train hopping” – constituted the misuse of a legitimate service, serving the interests of the ‘traveler’ as long as it met their needs.

    I’ve noticed a similarity concerning cyber attacks, where legitimate web services are momentarily misused within a cyber attack. As a result, I’ve decided to introduce my very first cybersecurity term – ‘site hopping.’ This term describes when an attacker exploits a website’s legitimate functions to obscure the final web destination to which victims of a phishing scam are directed.

    We’ve recently observed several examples of this, including the misuse of the Salesforce website. The objectives of site hopping seem to be twofold: either to take advantage of the ‘hopped’ site’s legitimacy or to exploit the site’s technology in a way that hinders security solutions from effectively performing their tasks.

    While I don’t know if it will take off beyond this blog, you heard it here first!

    While writing an article about the recent increases in phishing attacks based on cybersecurity vendor VadeSecure’s Q3 2023 Phishing and Malware Report, I came across yet another example of site hopping involving both the website of Chinese internet technology company Baidu and the website security company Cloudflare.

    According to the report, the site hopping is super simple, but effective. The attack first misuses a redirect function built into the Baidu website. Phishing scammers point the malicious link in an email at the Baidu redirect (to establish legitimacy with scanners), which then site-hops to Cloudflare, where an impersonated Microsoft 365 login page is hosted. Cloudflare’s anti-bot functionality is taken advantage of to keep out security scanning solutions.
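    The chain described above leaves a trace a defender can look for: the first link in the email points at a trusted host, but its query string carries the real destination on a different host. The following is an added example (not code from the blog or from the report it cites) that pulls links out of an email body and flags any whose redirect parameter hands off to another host; the hosts and the email text are constructed placeholders.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample: a phishing email whose only link is a redirect on a
# trusted-looking host that forwards to a look-alike login page elsewhere.
SAMPLE_EMAIL = """Your mailbox is almost full. Review your storage settings:
https://redirector.trusted-example.test/link?url=https%3A%2F%2Flogin-m365.hosted-example.test%2Fsignin
Thanks, IT"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def embedded_targets(url: str) -> list[str]:
    """Return any absolute URLs carried inside the query string of `url`.
    Handles plain, percent-encoded and doubly percent-encoded values."""
    found = []
    for values in parse_qs(urlparse(url).query, keep_blank_values=True).values():
        for value in values:
            decoded = value
            for _ in range(3):  # unwind nested percent-encoding, if any
                step = unquote(decoded)
                if step == decoded:
                    break
                decoded = step
            if re.match(r"https?://", decoded, re.I):
                found.append(decoded)
    return found


def site_hops(url: str) -> list[tuple[str, str]]:
    """(redirect_host, final_host) pairs where the link hands off to another host."""
    first = urlparse(url).hostname or ""
    hops = []
    for target in embedded_targets(url):
        dest = urlparse(target).hostname or ""
        if dest and dest != first:
            hops.append((first, dest))
    return hops


def scan_email(body: str) -> list[dict]:
    """Flag every link in `body` whose redirect parameter points at a different host."""
    findings = []
    for url in URL_RE.findall(body):
        for first, dest in site_hops(url):
            findings.append({"link": url, "redirect_host": first, "final_host": dest})
    return findings


if __name__ == "__main__":
    for hit in scan_email(SAMPLE_EMAIL):
        print(f"{hit['redirect_host']} -> {hit['final_host']}  ({hit['link']})")
```

    This only catches redirects whose destination is visible in the link itself; a short link or server-side redirect still has to be resolved by following it.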

    This use of site hopping is designed to render security solutions somewhat useless, leaving your users to be the final layer of security. But those users will only help to stop attacks if they remain vigilant when interacting with email and the web – something taught through continual security awareness training.

    KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
    Free Phishing Security Test

    Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

    Here’s how it works:

    • Immediately start your test for up to 100 users (no need to talk to anyone)
    • Select from 20+ languages and customize the phishing test template based on your environment
    • Choose the landing page your users see after they click
    • Show users which red flags they missed, or a 404 page
    • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
    • See how your organization compares to others in your industry

    PS: Don’t like to click on redirected buttons? Cut & Paste this link in your browser: https://info.knowbe4.com/phishing-security-test-partner?partnerid=001a000001lWEoJAAW
