Evasive phishing mixes reverse tunnels and URL shortening services

Security researchers are seeing an increase in the use of reverse tunnel services as well as URL shorteners for large-scale phishing campaigns, making malicious activity harder to stop.

This practice is a departure from the more common method of registering domains with hosting providers, who are likely to respond to complaints and take down phishing sites.

With reverse tunnels, hackers can host phishing pages locally on their own computers and route connections through the external service. By using a URL shortening service, they can generate new links as often as they want to bypass detection.

Many phishing links refresh in less than 24 hours, which makes tracking and removing domains more difficult.

Abuse of service

Digital risk protection firm CloudSEK has seen an increase in the number of phishing campaigns that combine reverse tunneling and URL shortening services.

In a report shared by the company with BleepingComputer, researchers claim to have found more than 500 sites hosted and distributed in this way.

The reverse tunnel services that CloudSEK found to be most widely abused in their research are Ngrok, LocalhostRun, and Cloudflare’s Argo. Among URL shortening services, they found Bit.ly, is.gd and cutt.ly to be more prevalent.

Reverse tunnel services shield the phishing site by handling all connections to the local server it is hosted on. This way, any incoming connection is resolved by the tunnel service and forwarded to the local machine.

The modus operandi of phishing actors (CloudSEK)

Victims who interact with these phishing sites end up having their sensitive data stored directly on the attacker’s computer.

By using URL shorteners, the threat actor hides the URL name, which is usually a string of random characters, CloudSEK explains. Thus, a domain name that would arouse suspicion is hidden in a short URL.

According to CloudSEK, adversaries distribute these links via popular communication channels such as WhatsApp, Telegram, emails, text messages or fake social media pages.

It should be noted that the misuse of these services is not new. For example, Cyble presented Ngrok abuse evidence in February 2021. However, according to CloudSEK’s findings, the problem is getting worse.

Cases detected

An example of a phishing campaign abusing these services that CloudSEK detected was the impersonation of YONO, a digital banking platform offered by the State Bank of India.

Locally hosted YONO phishing site (CloudSEK)

The URL set by the attacker was hidden behind “cutt[.]ly/UdbpGhs” and led to the domain “ultimate-boy-bacterial-generates[.]trycloudflare[.]com/sbi” which used Cloudflare’s Argo tunneling service.

This phishing page asked for bank account credentials, PAN card numbers, Aadhaar unique ID numbers and mobile phone numbers.

CloudSEK did not share how effective this campaign was, but points out that threat actors rarely use the same domain name for more than 24 hours, despite recycling phishing page templates.

“Even if a URL is flagged or blocked, hackers can easily host another page, using the same pattern” – CloudSEK

Sensitive information collected this way can be sold on the dark web or used by attackers to drain bank accounts. If the data comes from a company, the threat actor could use it to launch ransomware attacks or Business Email Compromise (BEC) fraud.

To protect against this type of threat, users must avoid clicking on links from unknown or suspicious sources. Manually typing a bank’s domain name into the browser is a good method to avoid being exposed to a fake website.
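Because individual links rotate within a day, defenders get more mileage from matching the chain shape (a shortener that redirects to a reverse tunnel host) than from blocking single URLs. The following is an added example, not code from CloudSEK or the article: it classifies redirect chains as a proxy or sandbox would log them. The shortener list and `trycloudflare.com` come from the article; the ngrok and localhost.run suffixes, the function names and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# URL shorteners named in the article.
SHORTENERS = {"bit.ly", "is.gd", "cutt.ly"}

# Reverse tunnel suffixes. trycloudflare.com appears in the article; the
# others are assumed here for Ngrok and LocalhostRun, so verify them
# against your own telemetry before relying on them.
TUNNEL_SUFFIXES = ("trycloudflare.com", "ngrok.io", "ngrok-free.app",
                   "lhr.life", "localhost.run")


def host_of(url):
    """Return the lowercase hostname of a URL, tolerating a missing scheme."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def is_shortener(host):
    return host in SHORTENERS


def is_tunnel(host):
    # Match the suffix on a label boundary so that lookalikes such as
    # "trycloudflare.com.example.net" or "nottrycloudflare.com" do not match.
    return any(host == s or host.endswith("." + s) for s in TUNNEL_SUFFIXES)


def classify_chain(hops):
    """Classify one redirect chain given as an ordered list of URLs."""
    hosts = [host_of(h) for h in hops]
    first_short = next((i for i, h in enumerate(hosts) if is_shortener(h)), None)
    first_tunnel = next((i for i, h in enumerate(hosts) if is_tunnel(h)), None)
    if first_short is not None and first_tunnel is not None \
            and first_short < first_tunnel:
        return "shortener->tunnel"   # the pattern described in the article
    if first_tunnel is not None:
        return "tunnel"
    if first_short is not None:
        return "shortener"
    return "none"


# Constructed sample chain; these are not indicators from the report.
SAMPLE = ["https://cutt.ly/AbCdEf1",
          "https://four-constructed-sample-words.trycloudflare.com/login"]
```

A `shortener->tunnel` verdict is a triage signal rather than proof of phishing, since developers use the same services legitimately.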
