Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
10/5/2017
09:00 AM
Raymond Pompon
Raymond Pompon
Partner Perspectives
Connect Directly
Twitter
RSS
50%
50%

URL Obfuscation: Still a Phisher's Phriend

There are three primary techniques to trick users into thinking a website link is real: URL shorteners, URL doppelgangers, and URL redirects.

I was at a client's office the other day and the security team was discussing their latest round of spearphishing attacks: a PDF delivered in email with an embedded bit.ly link that appeared authentic but took users to a phony site. Luckily, the team was alerted and quickly got the word out to employees. But, as for blocking URL shortened links via email? Good luck! They’re quite useful and therefore still commonly used. Unfortunately, since URL-shortening services were put in place, scammers and crooks have been using them to conceal counterfeit websites. All technology is a two-edged sword, useful for both good and evil.

There are three primary techniques used to trick users into thinking a website link is real:

Trick #1: URL Shorteners

There are many URL shortening services like bit.ly, x.co, goo.gl, tiny.cc. These shortening web apps take a long complex URL line, such as https://f5.com/labs/articles/threat-intelligence/cyber-security/russian-hackers-face-to-face, and shrink it down to something more convenient and easily sharable, such as http://bit.ly/2wbw48P.

Shortened URLs are especially handy when using Twitter, which limits tweets to 140 characters, because some URLs would consume the entire message. They’re perfect for including in emails that solicit the user to click on a link that leads them to a malicious site (drive-by download, phishing site, scam). The text of the email message is often designed to fool the user into thinking the link is trustworthy since they see so many links come in this way. A common trick is to imitate an email from the IT department to get users to click on a link to change their password, which leads to a site that steals their password.

Some URL shortening services do basic testing and blocking of known malicious sites but, in general, they’re found to be far from perfect. URL shortening is still a very popular technique, used by both script kiddies as well as advanced persistant threats (APTs). A recent report on the Russian hacking and disinformation campaigns notes the use of the tiny.cc URL shortening service. If it works, why change tactics?

Trick #2 URL Doppelgangers

If you remember the Russian Hacker case I wrote about in June 2017, one of the techniques they used was an email ploy that looked like exactly like this:

Subject: PayPaI Cash Give-Away
From: Friend <CashGiveAway at PaypaI dot com>
Reply-To: cheapercommunications at yahoo dot com PayPaI
Congradulations You were chosen from over 30,000 contestants for our
$500.00 cash give-away from PayPaI. If you are already a member simply click
the link below to Accept the Cash Give-Away. Even if you are not a PayPaI member
you can sign-up for Free, and still accept the $500.00 Cash Give-Away today!
Amount: $500.00
Note: Enter Your Info Below To Accept.
To Process: Click link below or copy and paste into browser window.
https://www.paypaI.com/prq/id=H1aDsq-6vwg7w1YaVZjb.hGJmz0uOz6pb.omew

Notice how, in the email font shown, "paypal" appears to end with a lowercase "l", but it’s actually an uppercase "I".

This difference is obvious when we look at that last line in a different font:

That’s a trick for creating deceptive URLs that goes back decades. In this case, the site "Paypai.com" was being hosted by a server in Moscow and was collecting PayPal logins to be used in credit card laundering.

Another way to create a misleading URL is to use homographs, which leverage Punycode2 encoding to falsify the name. F5 Labs recently featured a detailed story on homograph attacks and how they’re pulled off.

Trick #3: URL Redirects

The last common URL obfuscation technique involves bouncing off a web application vulnerability in a legitimate site. Many sites provide the capability to do URL redirects or forwards. For example, perhaps you’re on an investment site and at some point, your session gets automatically transferred to a bank site. The investment website itself is using web application tools to perform the redirect, which often can look like:

http://investingsite.com/redirect.php?url=http://nicebanksite.com

A phisher could then hijack this mechanism to redirect users to a fake site. However, an untrained user might only notice the start of the URL, which shows the real site (which is redirecting). Furthermore, the phisher could combine techniques, adding URL shortening to further mask the final destination, like so:

http://investingsite.com/redirect.php?url= http://bitly.com/98K8eH

Make sure your organization’s websites aren’t susceptible to these kinds of external URL redirects. You don’t want to be a hacker’s tool that is unwittingly participating in someone else’s scheme. Worse, you don’t want your own customers and users to be lured away from your site to booby-trapped imitation sites.

This particular problem used to part of the OWASP Top 10 web vulnerabilities called Unvalidated Redirects and Forwards and is often tested for as part of a web application vulnerability test. This vulnerability can also be a lot more subtle, buried in app functions that aren’t apparent in a normal web session, but still found and exploited.

As always, making your users aware of these attack methods can go a long way towards helping them spot phishes and scams. Having a quick and easy way for users to report these kinds of attacks, coupled with a rapid response gives you the ability to block and warn everyone else on specific attacks. It’s also a good idea to look at a multi-layered defense, including several layers of web and mail filtering, as well as strong authentication since login credentials are often what are stolen in these attacks. Lastly, make sure you’re not part of the problem by testing your own websites for unvalidated URL redirection vulnerabilities.

Get the latest application threat intelligence from F5 Labs.

 

Raymond Pompon is a Principal Threat Researcher Evangelist with F5 labs. With over 20 years of experience in Internet security, he has worked closely with Federal law enforcement in cyber-crime investigations. He has recently written IT Security Risk Control Management: An ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Breaches Are Inevitable, So Embrace the Chaos
Ariel Zeitlin, Chief Technology Officer & Co-Founder, Guardicore,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-2916
PUBLISHED: 2019-11-15
qtnx 0.9 stores non-custom SSH keys in a world-readable configuration file. If a user has a world-readable or world-executable home directory, another local system user could obtain the private key used to connect to remote NX sessions.
CVE-2019-12757
PUBLISHED: 2019-11-15
Symantec Endpoint Protection (SEP), prior to 14.2 RU2 &amp; 12.1 RU6 MP10 and Symantec Endpoint Protection Small Business Edition (SEP SBE) prior to 12.1 RU6 MP10d (12.1.7510.7002), may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt t...
CVE-2019-12758
PUBLISHED: 2019-11-15
Symantec Endpoint Protection, prior to 14.2 RU2, may be susceptible to an unsigned code execution vulnerability, which may allow an individual to execute code without a resident proper digital signature.
CVE-2019-12759
PUBLISHED: 2019-11-15
Symantec Endpoint Protection Manager (SEPM) and Symantec Mail Security for MS Exchange (SMSMSE), prior to versions 14.2 RU2 and 7.5.x respectively, may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software applicat...
CVE-2019-18372
PUBLISHED: 2019-11-15
Symantec Endpoint Protection, prior to 14.2 RU2, may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user.