Attackers are swapping a forward slash for a backslash in the prefix of phishing email URLs to evade protections, researchers have now observed.
Researchers from GreatHorn report they have seen a nearly 6,000% jump in attacks using “malformed URL prefixes” to evade protections & deliver phishing emails that look legit. They look legit, that is, unless you look closely at the symbols used in the prefix before the URL.
“The URLs are malformed, not utilising the normal URL protocols, such as http:// or https://,” researchers stated in a blog post about their findings. “Instead, they use http:/\ in their URL prefix.”
The slashes in the address are largely superfluous, the GreatHorn report explained, so browsers & many scanners do not even look at them.
Typosquatting is a common phishing email tactic where everyday business names are misspelled, like “amozon.com”, to try & trick unobservant users into clicking. These days, researchers explained, most people know to look for these kinds of email scams, so threat actors have had to evolve too.
Backslashes in URL Prefix
“The URLs don’t fit the ‘known bad’ profiles developed by simple email scanning programs, allowing them to slip through undetected,” researchers suggested. “They may also slip past human eyes that aren’t accustomed to looking in the prefix for signs of suspicious activity.”
The researchers reported they first noticed this new tactic last October & said that it has been quickly gaining momentum ever since, with attacks between January & early February spiking by 5,933%.
Malformed URL Attack
GreatHorn provided an example of a malformed URL phishing email with the address: “http:/\firstname.lastname@example.org”
The phishing email appears to be sent from a voicemail service, the researchers explained. The email contains a link to play the voice message “Play Audi Date.wav”, which redirects to a malicious site, the team reported.
“The website even includes a reCAPTCHA, a common security feature of legitimate websites, showing the sophistication & subtlety of the attempted attack,” they explained.
Office Login Page
The next page looks like an Office login page & asks for a username & password, the report said. Once those are entered, the attackers have the account credentials.
Office 365 users were far more likely to experience this type of breach, the report added, at a “much higher rate than organisations running Google Workspace as their cloud email environment.”
The attackers using these malformed URLs have engaged in a variety of tactics to deliver their malware, including using a spoofed display name to impersonate the user’s company internal email system; avoiding scanners searching for “known bad” domains by sending from an address with no established relationship with the business; embedding a link in phishing emails which opens a redirector domain; & using language to give the user a sense of “urgency” in the message, the report explained.
URLs That Match the Threat Pattern
The report recommended “that security teams search their organisational email for messages containing URLs that match the threat pattern (http:/\) & remove any matches,” to keep their systems protected.
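A small detector for that recommended search, written here as an added example and not GreatHorn's own tooling: it flags URLs whose scheme separator contains a backslash and, approximating the way browsers treat a backslash as a slash, reports the host the link actually resolves to (the example address above resolves to example.org, because everything before the “@” is userinfo). The message bodies are constructed samples.

```python
import re
from typing import Dict, List

# http(s), a colon, then a two-character separator drawn from '/' and '\'.
# A well-formed prefix is exactly '//'; any backslash in it is the malformed
# form described in the report (e.g. 'http:/\').
URL_RE = re.compile(r'(?i)\b(https?):([/\\]{2})([^\s<>"\']*)')

def effective_host(rest: str) -> str:
    """Approximate browser (WHATWG-style) host resolution for http/https:
    backslashes behave like slashes, the authority ends at the first
    '/', '\\', '?' or '#', userinfo before the last '@' is discarded,
    and a trailing ':port' is dropped."""
    authority = re.split(r'[/\\?#]', rest, maxsplit=1)[0]
    host = authority.rsplit('@', 1)[-1]
    return host.split(':', 1)[0].lower()

def find_malformed_urls(text: str) -> List[Dict[str, str]]:
    """Every URL in text whose scheme separator contains a backslash,
    with the host a browser would actually connect to."""
    hits = []
    for m in URL_RE.finditer(text):
        scheme, sep, rest = m.group(1).lower(), m.group(2), m.group(3)
        if '\\' not in sep:
            continue  # ordinary '//' prefix: not the pattern of interest
        path = rest.replace('\\', '/')
        hits.append({
            'raw': m.group(0),
            'separator': sep,
            'host': effective_host(rest),
            'canonical': f"{scheme}://{path}",
        })
    return hits

def scan_messages(messages: List[str]) -> List[int]:
    """Indices of message bodies containing at least one malformed-prefix URL."""
    return [i for i, body in enumerate(messages) if find_malformed_urls(body)]

# Constructed sample bodies (not from the report). The first two carry the
# malformed prefix; the third is an ordinary link and must not be flagged.
SAMPLE_MESSAGES = [
    "New voicemail. Play Audio Date.wav: http:/\\firstname.lastname@example.org/play",
    "Password expires today: https:\\\\login.example.net\\office",
    "Monthly newsletter: https://news.example.com/2021/feb",
]

if __name__ == "__main__":
    for i in scan_messages(SAMPLE_MESSAGES):
        for hit in find_malformed_urls(SAMPLE_MESSAGES[i]):
            print(f"message {i}: {hit['raw']!r} -> host {hit['host']} ({hit['canonical']})")
```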
Kevin O’Brien, CEO & co-founder of GreatHorn, commented that these malformed URL attacks could be mitigated through third-party solutions able to perform more nuanced analysis.
“There are a variety of API-native solutions that have come into the market in the last 5 years,” O’Brien outlined.
“Many of these solutions are designed to specifically address the kinds of threats that both legacy secure email gateways & platforms are incapable of analysing or identifying, providing robust remediation options, & highlighting to users when they’re about to go somewhere they don’t need to go to, such as what we saw in this attack.”
Email Phishing Scams
The report drops amid a particularly lucrative period for phishing scams. Proofpoint’s recent 2020 State of the Phish showed a 14% jump in US phishing attacks over the past year.
“Threat actors worldwide are continuing to target people with agile, relevant & sophisticated communications—most notably through the email channel, which remains the top threat vector,” Alan LeFort, Senior VP & General Manager of Security Awareness Training for Proofpoint observed.
“Ensuring users understand how to spot & report attempted cyber-attacks is undeniably business-critical, especially as users continue to work remotely — often in a less secured environment. While many organisations say they are delivering security awareness training to their employees, our data shows most are not doing enough.”