Stealthy techniques in driving malicious activities
![](https://static.wixstatic.com/media/126c99a90f3545b789ae5634a96a5647.png/v1/fill/w_980,h_653,al_c,q_90,usm_0.66_1.00_0.01,enc_auto/126c99a90f3545b789ae5634a96a5647.png)
Meta refresh is an HTML tag that allows a developer to automatically redirect a web page to a different URL after a specified time delay. It is often used to redirect users to a new page or website after a certain period of time, or to implement page reload functionality, such as refreshing a page every few seconds. The basic syntax for the meta refresh tag is:
```html
<meta http-equiv="refresh" content="[delay];url=[new_url]">
```
[delay] is the number of seconds to wait before redirecting the page.
[new_url] is the URL that the page will be redirected to.
However, it can also be abused to carry out cyber attacks.
Phishing
Attackers can inject a meta refresh tag into a legitimate website (if it's vulnerable) or send a phishing email with a malicious link. The tag redirects the user to a fake website designed to steal credentials or deliver malware.
A real-life attack chain is illustrated below:
![](https://static.wixstatic.com/media/0fbdd0_dc5ba1b6d53642b88edb4e6f9d1989e9~mv2.png/v1/fill/w_980,h_546,al_c,q_90,usm_0.66_1.00_0.01,enc_auto/0fbdd0_dc5ba1b6d53642b88edb4e6f9d1989e9~mv2.png)
Watering Hole Attacks
A meta refresh tag could redirect users from a compromised, trusted website to a malicious one hosting exploit kits or malware.
Bypassing security mechanisms
Content Injection: Attackers might use meta refresh to inject malicious content after a short delay. This can bypass security filters that only scan the initial page load.
Clickjacking Redirects: Combined with other techniques, meta refresh can be used to redirect users to unintended destinations after a seemingly harmless action, like clicking a button.
Denial of Service (DoS)
Rapid Refresh Loops: Setting an extremely short refresh interval (e.g., 0 seconds) can force continuous page reloads, consuming server resources and potentially making the website unavailable to legitimate users.
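To check a page for the patterns described above (off-site redirects, delayed redirects, and rapid reload loops), a scanner can parse every meta refresh tag and resolve its target against the page's own URL. The following is an added example, not code from the original article; the flag names, the `RAPID_DELAY` threshold, and the sample page and URLs are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# content="[delay];url=[new_url]"; browsers also accept "," as the separator,
# optional whitespace, and optional quotes around the URL.
CONTENT_RE = re.compile(
    r"""^\s*(\d+)(?:\.\d*)?\s*(?:[;,]\s*(?:url\s*=\s*)?['"]?([^'"]*?)['"]?\s*)?$""",
    re.IGNORECASE)
RAPID_DELAY = 1  # assumed threshold (seconds) for treating a reload as a loop

class MetaRefreshFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = {name: (value or "") for name, value in attrs}
        if tag != "meta" or attr.get("http-equiv", "").strip().lower() != "refresh":
            return
        match = CONTENT_RE.match(attr.get("content", ""))
        if not match:
            return  # no leading delay: not treated as a refresh here
        delay = int(match.group(1))
        target = urljoin(self.page_url, match.group(2)) if match.group(2) else None
        flags = []
        if target is None or target == self.page_url:
            if delay <= RAPID_DELAY:
                flags.append("rapid-reload")   # DoS-style refresh loop
        else:
            if urlsplit(target).netloc.lower() != urlsplit(self.page_url).netloc.lower():
                flags.append("off-site")       # phishing / watering-hole redirect
            if delay > 0:
                flags.append("delayed")        # fires after the initial page load
        self.findings.append({"delay": delay, "target": target, "flags": flags})

def find_meta_refresh(html, page_url):
    """Return one finding per meta refresh tag in html, resolved against page_url."""
    finder = MetaRefreshFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page and URL (not from the original article).
SAMPLE = ('<meta http-equiv="refresh" content="0;url=https://login.example.test/signin">'
          '<META HTTP-EQUIV="Refresh" CONTENT="5; URL=\'/welcome\'">'
          '<meta http-equiv="refresh" content="0">')
SAMPLE_URL = "https://www.example.com/news/index.html"
```

Calling `find_meta_refresh(SAMPLE, SAMPLE_URL)` returns three findings: an immediate off-site redirect, a delayed same-site redirect, and a zero-second reload loop. It only sees tags present in the static HTML, so tags written into the page by script after load need a rendered-DOM check instead.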