Phish Uses Redirects on Legitimate Web Sites

Here are two examples from the same phishing campaign. One links to the legitimate Booking.com web site and one links to the legitimate JudicialWatch.org web site. I believe these subdomains normally contain some sort of user profiles, which means the hacker would create or gain control of existing user profiles on these web sites, create the redirector, making them public, then creating the phishing emails linking to them. I could be wrong on how this is done but this is what I believe.

Booking.com hosted phish redirect. Note the domain [in brackets] the email security
system adds to the rewritten link showing where it actually leads to.
Judicialwatch.org hosted redirect phish. Note the domain shown [in brackets] the email security
system adds showing where the link leads to. Note the subdomain of myjw.pr.judicialwatch.org.
I would think “myjw” stands for “My JudicialWatch”.

I have informed Judicial Watch of this phishing redirect on their web site. I do not see an option at Booking.com to contact them.

–Matt

Leave a Reply

Your email address will not be published. Required fields are marked *