Cybercriminals use reverse tunneling and URL shorteners to launch ‘virtually undetectable’ phishing campaigns
A new hacking technique allows threat actors to evade some of the most effective phishing countermeasures
A new way of conducting phishing attacks is being embraced by criminal groups – and it could make threat actors virtually undetectable, security researchers warn.
The technique involves using “reverse tunneling” services and URL shorteners to launch large-scale phishing attacks. Moreover, the groups using these techniques leave no trace.
Instead, hackers can use their local machines to host phishing pages on random URLs. These can help evade detection by URL analysis services. Groups can then hide their identity further using URL shortening services.
At the bottom of the hole
Attackers are not exploiting a vulnerability in the technical sense. Instead, they abuse legitimate out-of-the-box services to circumvent anti-phishing measures. Services associated with the technique include bit.ly, Ngrok, and Cloudflare’s Argo Tunnel.
The attack was detected by security researchers from CloudSEK, who discovered that the method was used to target customers of Indian banks.
Here, phishing attacks attempted to trick customers into handing over their bank details, Aadhaar (Indian national identity) number and other sensitive information.
CATCH UP Apple showcases next-gen security technology at WWDC 2022
“We discovered this when we were monitoring the internet for assets, impersonations and data related to our customers,” said Darshit Ashara, principal threat researcher at CloudSEK. The daily sip.
“During our regular research, we began noticing patterns of abuse of several reverse tunneling services.”
Although CloudSEK has detected phishing attempts against Indian bank customers, the technique has also been used in the US, UK and Europe.
“Reverse tunnel attacks have become quite common these days,” Ashara added. “The modus operandi of threat actors using reverse tunneling includes sending SMS spam with shortened phishing URLs using popular URL shortening services.
“We have observed this technique being used to target most major brands and organizations.”
The reverse tunneling and URL shortening attack in action (Image: CloudSEK)
Hiding in the shadows
Reverse tunnels allow criminal groups to evade some of the most effective countermeasures.
One of the ways phishing groups are caught is their reliance on hosting providers and their use of domains that CloudSEK says “impersonate targeted businesses or keywords.”
Even when there isn’t enough evidence for law enforcement to go after phishing groups, hosts will remove spoofed domains.
Learn about the latest infosec research from around the world
Using domains with “random or generic” keywords offers some protection to attackers, as they cannot be flagged for trademark infringement. But cybercriminals can use reverse tunnels to completely bypass hosting by storing phishing binaries on nothing more than a local PC.
Adding a URL shortener at the top makes it even harder to trace the attack and can make victims more likely to fall for scams. Add to that the fact that most reverse tunnel URLs are temporary – typically only running for 24 hours – and attribution and prosecution become even more difficult.
CloudSEK calls for better monitoring of reverse tunnel services. Ngrok, for example, now requires its users to disclose their IP addresses and register before hosting HTML content, while Cloudflare requires users to create an account.
URL shorteners are more difficult to monitor because there is no actual malicious activity: they simply redirect users to a website. CloudSEK admits, however, that attack discovery depends on third-party monitoring.
Targeted companies may then have to rely on user education to combat this attack vector.
“In fact, this is another channel for phishing attacks – the main difference is attribution,” said Chris Preece, head of cyber operations at digital risk management consultancy Protection. International Group.
“If a domain is registered with a host, they can respond to complaints and take down a website, but with reverse tunnels, the reverse tunnel provider has no responsibility for that, which means they are potentially harder to remove. Combine this with a URL shortener, it can be very effective.
“This is going to sound cliché, but the advice we have is to double down on phishing awareness to reduce the likelihood of someone clicking on a malicious link.”
YOU MIGHT ALSO LIKE Chinese cybercriminals widely exploit well-known attacks to infiltrate networks