New Malformed URL Phishing Technique May Make Attacks More Difficult to Spot

Hackers now send messages that hide bogus links in the HTTP prefix, bypassing mail filters, says security firm GreatHorn.


Email security company GreatHorn warns of a new form of phishing attack that makes malicious messages more likely to pass through filters and harder for the average person to spot on sight. By hiding the phishing destination in the URL prefix, attackers can send what looks like a link to a legitimate website, with no spelling mistakes to give it away, while the malicious address sits in the link prefix.

Email scanning programs, GreatHorn said in a blog post, are not configured to detect these attacks because the links do not match known-bad criteria. GreatHorn first detected the attacks in October 2020, and they quickly became a serious threat: between the first week of January 2021 and early February 2021, the volume of attacks using malformed URL prefixes increased by 5,933%.

Prefixes are a fundamental part of URLs and identify the protocol the link will use to connect, such as HTTP, HTTPS, FTP, and others. Typically, a prefix ends with a colon and two forward slashes (for example, http://). In this new trick, attackers replace the second forward slash with a backslash (for example, http:/\), then insert a malicious URL into the prefix ahead of the legitimate domain name, which is then treated as additional subdirectories of the malicious page, perfect for creating a phishing website.


“Browsers are forgiving and assume you want to do ‘//’ when you accidentally type ‘/\’, so they ‘fix’ it for you and automatically convert it to http:// which takes you to the destination,” said GreatHorn CEO Kevin O’Brien.

“Cybercriminals can send malicious links in emails to an inbox, and when someone clicks or pastes it, even if it is malformed to specification, the browser will take you there right away,” O’Brien said.

GreatHorn said it has detected these types of malformed URL attacks in all kinds of organizations, but pharmaceuticals, loans, contract and construction management and telecommunications have been hit the hardest. Additionally, organizations running Office 365 were targeted more frequently.

The attack began in October with phishing attempts mimicking voicemail messages delivered by email, a common and effective tactic for several years. Since then, GreatHorn said, the malformed URL prefix attack has started using new tactics, such as:

  • Spoofing display names to trick users into believing the email is internal,
  • Using unknown domains and senders to trick filters that search for known actors,
  • Payloads containing links using open redirect domains,
  • Urgent messages intended to trick users into making a mistake.

An example of a phishing email link included in the blog post shows how a fake voicemail email tricks users into handing over their Microsoft account credentials, with fake reCAPTCHA tests and auto-populated email addresses to give the site more credibility.


Although this new attack is tricky and difficult for users to detect, GreatHorn said there is a relatively simple solution: set email filtering to search for “http:/\” and remove all matches. While this can lead to false positives if someone makes a typo, an occasional message sent back by mistake is a worthwhile price when individual and organizational safety is at stake.
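
One way to implement the filter check described above, as an added example (not code from GreatHorn or from this article): it goes beyond the single “http:/\” string and flags any http, https or ftp prefix whose two separator characters include a backslash, then reports the host a browser would actually reach. The function name and the sample domains are constructed for illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Scheme + colon + two slash-like characters that are NOT the normal "//",
# i.e. at least one is a backslash: http:/\  http:\/  http:\\
MALFORMED_PREFIX = re.compile(
    r"\b(https?|ftp):(?!//)[/\\]{2}([^\s\"'<>]+)", re.IGNORECASE
)

def find_malformed_prefix_urls(message_body):
    """Return a finding for every malformed-prefix link in an email body."""
    # HTML mail can carry the backslash as an entity (&#92;), which the
    # client decodes before the link is followed, so decode before matching.
    text = html.unescape(message_body)
    findings = []
    for match in MALFORMED_PREFIX.finditer(text):
        scheme, rest = match.groups()
        # Repair the link the way a forgiving browser does (backslash ->
        # forward slash) to expose the host the click really goes to.
        path = rest.lstrip("/\\").replace("\\", "/")
        repaired = f"{scheme.lower()}://{path}"
        findings.append({
            "raw": match.group(0),
            "repaired": repaired,
            "host": urlsplit(repaired).hostname,
        })
    return findings

# Constructed sample message; all domains are placeholders.
SAMPLE = (
    'New voicemail: <a href="http:/&#92;files.phish.example/'
    'portal.legit.example/voicemail">Play</a>\n'
    "Help: https://support.legit.example/faq\n"
    r"Mirror: HTTPS:\/cdn.phish.example/login"
)

if __name__ == "__main__":
    for hit in find_malformed_prefix_urls(SAMPLE):
        print(f"{hit['raw']!r} -> real host: {hit['host']}")
```

In the first sample link the legitimate-looking domain ends up in the path, so the reported host is the only part that decides where the click lands.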
