Hackers are now sending messages that hide fake links in the HTTP prefix, bypassing email filters, says security firm GreatHorn.
Email security company GreatHorn warns of a new form of phishing attack that makes malicious messages more likely to slip through filters and harder for the average person to detect visually. By hiding phishing information in the URL prefix, attackers can send what looks like a link to a legitimate website, with no misspellings at all, while the malicious address is hidden in the link prefix.
Email scanners, GreatHorn said in a blog post, aren’t set up to detect these types of attacks because they don’t match known bad criteria. GreatHorn first detected these attacks in October 2020, and they quickly became a serious threat: between the first week of January 2021 and early February 2021, the volume of attacks using malformed URL prefixes increased by 5,933%.
Prefixes are a fundamental part of URLs and specify the web protocol the link will use to connect, such as HTTP, HTTPS, FTP and others. Typically, a prefix ends with a colon and two slashes (for example, http://). In this new trick, attackers replace the second slash with a backslash (e.g. http:/), then insert a malicious URL in the prefix before the legitimate domain name, which is treated as additional subdirectories of the malicious page, perfect for building a phishing website.
“Browsers are forgiving and assume you meant to do ‘//’ when you accidentally type ‘/’, so they ‘fix’ it for you and automatically convert it to http:// which takes you to the destination,” said GreatHorn CEO Kevin O’Brien.
“Cybercriminals can land malicious links in emails in an inbox, and when someone clicks or pastes them, even if it’s malformed to specification, the browser takes you there anyway,” O’Brien said.
GreatHorn said it detected these types of malformed URL attacks in all kinds of organizations, but pharmaceuticals, loans, contract and construction management, and telecommunications were the hardest hit. Additionally, organizations running Office 365 were targeted more frequently.
The attack began in October with phishing attempts mimicking voicemail messages sent over email, a common and effective tactic for several years. Since then, GreatHorn said, the malformed URL prefix attack began using new tactics, such as:
- Spoof display names to trick users into thinking the email is internal,
- Use unknown domains and senders to fool filters that look for known bad actors,
- Payloads containing links using open redirect domains,
- Urgent messages intended to prompt users to rush into an error.
A sample phishing email link included in the blog post shows how a fake voicemail email tricks users into handing over their Microsoft account credentials, complete with fake reCAPTCHA tests and e-mail addresses filled in automatically to lend the site more credibility.
Although this new attack is tricky and difficult for users to detect, GreatHorn said there is a relatively simple solution: set email filtering to search for “http:/” and remove all matches. While this can lead to false positives if someone mistypes, the occasional mistake is worth resending when their individual and organizational safety is at stake.
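The filtering rule above, written out as a small detection routine (an added example, not GreatHorn's code): it scans a message for any `scheme:/` prefix that is not followed by a second slash, reports the host a forgiving browser would actually connect to, and lists the brand-like domain names that are really just directories on that host. It generalises the article's literal `http:/` search to https and ftp as well, and the sample message and hostnames are constructed placeholders.

```python
import re

# Scheme, a single '/', then NOT a second '/', an optional '\', the host the
# browser will actually resolve, and whatever follows as the path.
MALFORMED_PREFIX = re.compile(
    r'\b(https?|ftp):/(?!/)\\?([^\s/\\<>"\']+)((?:[/\\][^\s<>"\']*)?)',
    re.IGNORECASE,
)

# Path segments that look like a hostname (used by the lure as decoration).
DOMAIN_LIKE = re.compile(r'(?<=[/\\])([a-z0-9-]+(?:\.[a-z0-9-]+)+)', re.IGNORECASE)


def find_malformed_links(text):
    """Return one finding per link whose prefix is 'scheme:/' instead of 'scheme://'."""
    findings = []
    for m in MALFORMED_PREFIX.finditer(text):
        scheme, host, path = m.group(1).lower(), m.group(2).lower(), m.group(3)
        findings.append({
            "raw": m.group(0),
            "scheme": scheme,
            # Once the browser "fixes" the prefix, this is the host it connects to.
            "effective_host": host,
            "path": path,
            # Brand-name hostnames that are really just directories on that host.
            "lookalike_domains": DOMAIN_LIKE.findall(path),
        })
    return findings


def should_quarantine(text):
    """GreatHorn's rule, generalised: quarantine when any malformed prefix is present."""
    return bool(find_malformed_links(text))


# Constructed sample message (hostnames are placeholders, not real indicators).
SAMPLE_EMAIL = (
    "Subject: New voicemail (00:42)\n"
    "You have a new voice message. Listen now:\n"
    "http:/\\attacker-host.example/login.microsoft.com/voicemail/1234\n"
    "Help: https://support.example.com/help\n"
)

if __name__ == "__main__":
    for f in find_malformed_links(SAMPLE_EMAIL):
        print(f["raw"])
        print("  browser will open host:", f["effective_host"])
        print("  decoy domains in path:  ", f["lookalike_domains"])
    print("quarantine:", should_quarantine(SAMPLE_EMAIL))
```

The well-formed `https://support.example.com/help` link in the sample is left alone, so ordinary traffic is not flagged; only a genuine `http:/` typo in a legitimate mail would be a false positive, as the article notes.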