How URL Tracking Systems Are Used for Phishing
Widely used URL tracking systems are often abused in phishing attacks. The domains used by these systems are generally known and trusted, which makes them attractive vehicles for phishing URLs. To illustrate how this works, this article describes a recently observed phishing attack that uses the Google Ads tracking system to evade email filters.
How it works
Piggybacking on a domain is attractive to threat actors not only because it increases the chances of passing spam filters, but also because such links are easy to create. By modifying an existing URL, they avoid the burden of setting up their own redirect and can take advantage of the infrastructure already in place to launch their campaign.
URL tracking systems use parameters to convey information for managing advertising campaigns. One of these parameters is usually the final URL that the ad service should redirect users to after they click the link. For Google Ads, this is the
value with a phishing link, malicious actors can easily subvert a legitimate Google Ads tracking URL and use it in attacks.
To demonstrate this, we took a Google Ad tracking URL and changed the
value to our website:
In addition to googleadservices.com, a few other well-known domains that have been abused using this tactic include:
- verizonwireless[.]com
Use in a real attack
The example below shows how this technique was used in a recently observed attack. In this attack, the threat actor sends the victim a message falsely claiming that an unauthorized party has accessed their PayPal account.
The victim is prompted to click Account Verification to go to what they believe to be a genuine PayPal login page.
Instead, the threat actor has turned a legitimate Google Ads tracking URL into a malicious redirect by placing their intended destination at the end of the URL. The redirect leads the victim to a fake PayPal login page, where the victim is prompted to enter their account credentials.
hxxps: // www[.]googleadservices[.]com / pagead / ACLK? sa = L & I = CkKhSJ-GQX-GtNty3-gbqpKz4DMreicBelZHBz_EI273E7LIYEAEgho-AAmDpquGD3A2gAZKJ56MDyAEGqQIEfvn7VuTSPagDAaoEtgFP0N_rXMTqaIYdOFFNvymbCN7djmLuGBs0qPBsXkjhPzV5hSfNXCjT9MKcAek_3I_gUhRSRRw5kqSy-Z-rvVzk6BH9snxHTMjSWlffMREL6Vg1BOMpRI_HIW4N0dlKPCrZxpZYk7E5CsHO8VIEegpWEzujD4iY-x3ULGIaDnhorEuMJKWYduzWUiXwr4e3kO DOES crYZzgDhjzMn16eM_uLSms_-acHT_x2ePvQC0kGdErhQYHgW8AE4ufdrYkC-gUGCCUQARgAkAYBoAY3gAfBnZNJiAcBkAcCqAeOzhuoB5PYG6gHugaoB_DZG6gH8tkbqAemvhuoB-zVG6gH89EbqAfs1RuoB5bYG6gHwtob2AcAqAgBwAgB0ggGCAAQAhgCmglsaHR0cDovL3d3dy5ibGlibGkuY29tL3Avc2ltcGF0aS1ob2tpLWFuZ2thLWJlc2FyLW5vbW9yLWNhbnRpay0wODEzLTg3OS04OC03ODkta2FydHUtcGVyZGRhbmEvcGMtLU1UQS0zOTgxNzcxgAoTkAsDyAsF4AsBgAwB2BMOiBQBqBUBmBYB & num = 1 & cid = CAMSOQClSFh3vOahM8bRYdbJdZjUvyzYDCnd3ma2Z3c8W_feW32_0K9UZRerkcPtYpLOi2CWmMvE7wZSBA & sig = AOD64_2nQj0Aoq0pPYruNnWvFowNPjNSXw &
The highlighted section above is the malicious destination.
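A mail or proxy filter can catch this pattern by inspecting what a tracking URL carries instead of trusting its domain. The Python below is an added example, not code from PhishLabs or the original post: it refangs a URL and, for the tracking domain named above, reports every query-string value that is itself a URL pointing outside an expected-destination list. The allow-list, the sample URL and its `dest` parameter name are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# googleadservices.com is the tracking domain the article names; extend as needed.
TRACKING_HOSTS = {"googleadservices.com"}
# Constructed allow-list: domains your own ad links are expected to land on.
EXPECTED_DESTINATIONS = {"example.com"}
# Constructed sample; "dest" is a placeholder parameter name (assumption).
SAMPLE = "hxxps://www[.]googleadservices[.]com/pagead/aclk?sa=L&num=1&dest=https%3A%2F%2Flogin.phish.example%2Fsignin"

def refang(url):
    """Undo common defanging (hxxp, [.]) and strip whitespace added in transit."""
    url = re.sub(r"\s+", "", url).replace("[.]", ".")
    return re.sub(r"^hxxp", "http", url, flags=re.I)

def host_in(host, domains):
    """True if host equals, or is a subdomain of, any listed domain."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def http_host(value):
    """Hostname of value if it is an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(value.strip())
    except ValueError:  # e.g. a malformed IPv6 literal
        return None
    is_http = parts.scheme in ("http", "https") and parts.hostname
    return parts.hostname.lower() if is_http else None

def embedded_destinations(url):
    """(parameter, host) for each query value of a tracking URL that is itself a URL."""
    try:
        parts = urlsplit(refang(url))
    except ValueError:
        return []
    if not host_in(parts.hostname, TRACKING_HOSTS):
        return []
    found = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; unquote again to catch double-encoded targets.
        host = http_host(value) or http_host(unquote(value))
        if host:
            found.append((name, host))
    return found

def suspicious_redirects(url):
    """Embedded destinations that fall outside the expected-destination list."""
    return [(p, h) for p, h in embedded_destinations(url)
            if not host_in(h, EXPECTED_DESTINATIONS)]
```

Because the check walks every parameter, it does not depend on knowing which name a given tracking system uses for its destination.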
Why this method is preferred by criminals
The threat actor benefits from using this style of attack in several ways. First, they no longer have to configure their own redirect infrastructure. Instead, they can take advantage of the redirect infrastructure already created by tracking URL systems.
Second, the domains in the links they send are more trusted and less likely to be blocked by spam filters before reaching users’ inboxes.
Finally, these tracking URLs expire after some time. Once that happens, clicking on the link results in a 404 response instead of redirecting to the phishing site. This can help limit exposure and reduce the risk of the phishing attack being detected after the fact, preventing victims from reporting malicious content.
This is not the first time that the URL tracking system used by Google Ads has been abused to enable phishing attacks. Threat actors have exploited the Google Ads infrastructure in the past, even using the ads themselves to distribute phishing content. The reappearance of this particular attack method using Google
suggests that these types of campaigns are effective and demand little effort from the criminal. PhishLabs continues to monitor this tactic as it evolves.
*** This is a Security Bloggers Network syndicated blog from the PhishLabs blog written by Sean Bell. Read the original post at: https://info.phishlabs.com/blog/how-url-tracking-systems-are-abused-for-phishing