A new technique for bypassing security scanners, known as “site hopping”, has recently seen increasing use. The technique is under constant development, which makes it more difficult, but not impossible, to detect.
There is a historical parallel in train hopping. People without a ticket took the opportunity to walk alongside moving trains and jump into the last carriage that suited their needs in order to travel. This practice constituted an abuse of a legitimate service for as long as it met their travel needs.
It is striking how parallels emerge between such historical phenomena and cyberattacks, in which legitimate web services are temporarily exploited for attacks. This has led to the introduction of a new term in cybersecurity, namely “site hopping”. This term describes situations in which attackers use the features of various websites to disguise their true intentions and redirect victims of phishing scams to other targets.
Examples of site hopping
Some examples of site hopping have already occurred, such as the abuse of the Salesforce website. The attackers apparently have two goals: exploiting the legitimacy of the affected website, or disrupting security systems in order to impair their functions. Another example, according to cybersecurity provider VadeSecure's Q3 2023 Phishing and Malware Report, involves the Baidu website and the security company Cloudflare. In this latest attack, the malicious link in the email first pointed to the Baidu website's redirect link, abusing Baidu's redirect function to feign legitimacy. This was followed by a jump to Cloudflare, where a fake Microsoft 365 login page was hosted. Cloudflare's antibot functionality was used to trick security scanners.
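A mail filter can spot the first hop of such a chain without fetching anything, by decoding the destination that a link to a trusted site carries in its query string. The following is an added example, not code from the report or from KnowBe4; the redirect parameter names, the two-label domain heuristic and all hostnames are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: parameter names often used by redirect endpoints (not from the report).
REDIRECT_PARAMS = {"url", "u", "target", "dest", "redirect", "next", "goto"}
MAX_HOPS = 5  # stop on deeply nested or self-referencing links

def site(host):
    """Approximate the registrable domain as the last two labels
    (assumption; a production filter would use the Public Suffix List)."""
    return ".".join(host.lower().split(".")[-2:])

def embedded_target(url):
    """Return the absolute URL carried in a redirect-style parameter, or None."""
    for key, value in parse_qsl(urlsplit(url).query):
        value = unquote(value)  # tolerate a second layer of percent-encoding
        if key.lower() in REDIRECT_PARAMS and urlsplit(value).scheme in ("http", "https"):
            return value
    return None

def hop_chain(url):
    """List the hosts a link passes through, resolved statically (no network)."""
    hosts = []
    while url and len(hosts) < MAX_HOPS:
        hosts.append(urlsplit(url).hostname or "")
        url = embedded_target(url)
    return hosts

def is_site_hop(url, trusted_sites):
    """True if the link starts on a trusted site but ends on a different one."""
    hosts = hop_chain(url)
    return (len(hosts) > 1
            and site(hosts[0]) in trusted_sites
            and site(hosts[-1]) != site(hosts[0]))

# Constructed sample data: placeholder hosts, not indicators from any real campaign.
TRUSTED = {"search-portal.example"}
SAMPLES = [
    "https://www.search-portal.example/link?url=https%3A%2F%2Flogin-check.hosting.example%2Fm365",
    "https://www.search-portal.example/link?url=https%3A%2F%2Fnews.search-portal.example%2F",
    "https://www.search-portal.example/about",
]

if __name__ == "__main__":
    for link in SAMPLES:
        verdict = "FLAG" if is_site_hop(link, TRUSTED) else "ok"
        print(verdict, " -> ".join(hop_chain(link)))
```

A flagged link is a candidate for closer inspection or rewriting, not proof of phishing, since legitimate services also redirect across sites.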
Because the method aims to bypass security solutions, internet users' attention and awareness are crucial to preventing attacks. Users must recognize fake websites, such as the fake login page mentioned, in order to prevent attacks such as site hopping. Continuous security awareness training with modern and varied content can help raise users' awareness of these risks.
More at KnowBe4.com
About KnowBe4
KnowBe4, provider of the world's largest platform for security awareness training and simulated phishing, is used by more than 60,000 companies around the world. Founded by IT and data security specialist Stu Sjouwerman, KnowBe4 helps organizations address the human element of security by raising awareness of ransomware, CEO fraud and other social engineering tactics through a new approach to security education. Kevin Mitnick, an internationally recognized cybersecurity specialist and KnowBe4's Chief Hacking Officer, helped develop the KnowBe4 training based on his well-documented social engineering tactics. Tens of thousands of organizations rely on KnowBe4 to mobilize their end users as the last line of defense.