10/5/2017
09:00 AM
Raymond Pompon

URL Obfuscation: Still a Phisher's Phriend

There are three primary techniques to trick users into thinking a website link is real: URL shorteners, URL doppelgangers, and URL redirects.

I was at a client's office the other day and the security team was discussing their latest round of spearphishing attacks: a PDF delivered in email with an embedded bit.ly link that appeared authentic but took users to a phony site. Luckily, the team was alerted and quickly got the word out to employees. But, as for blocking URL shortened links via email? Good luck! They’re quite useful and therefore still commonly used. Unfortunately, since URL-shortening services were put in place, scammers and crooks have been using them to conceal counterfeit websites. All technology is a two-edged sword, useful for both good and evil.

There are three primary techniques used to trick users into thinking a website link is real:

Trick #1: URL Shorteners

There are many URL shortening services like bit.ly, x.co, goo.gl, tiny.cc. These shortening web apps take a long complex URL line, such as https://f5.com/labs/articles/threat-intelligence/cyber-security/russian-hackers-face-to-face, and shrink it down to something more convenient and easily sharable, such as http://bit.ly/2wbw48P.

Shortened URLs are especially handy when using Twitter, which limits tweets to 140 characters, because some URLs would consume the entire message. They’re perfect for including in emails that solicit the user to click on a link that leads them to a malicious site (drive-by download, phishing site, scam). The text of the email message is often designed to fool the user into thinking the link is trustworthy since they see so many links come in this way. A common trick is to imitate an email from the IT department to get users to click on a link to change their password, which leads to a site that steals their password.

Some URL shortening services do basic testing and blocking of known malicious sites, but in general their checks are far from perfect. URL shortening is still a very popular technique, used by script kiddies as well as advanced persistent threats (APTs). A recent report on the Russian hacking and disinformation campaigns notes the use of the tiny.cc URL shortening service. If it works, why change tactics?

Trick #2: URL Doppelgangers

If you remember the Russian Hacker case I wrote about in June 2017, one of the techniques they used was an email ploy that looked exactly like this:

Subject: PayPaI Cash Give-Away
From: Friend <CashGiveAway at PaypaI dot com>
Reply-To: cheapercommunications at yahoo dot com PayPaI
Congradulations You were chosen from over 30,000 contestants for our
$500.00 cash give-away from PayPaI. If you are already a member simply click
the link below to Accept the Cash Give-Away. Even if you are not a PayPaI member
you can sign-up for Free, and still accept the $500.00 Cash Give-Away today!
Amount: $500.00
Note: Enter Your Info Below To Accept.
To Process: Click link below or copy and paste into browser window.
https://www.paypaI.com/prq/id=H1aDsq-6vwg7w1YaVZjb.hGJmz0uOz6pb.omew

Notice how, in the email font shown, "paypal" appears to end with a lowercase "l", but it’s actually an uppercase "I".

This difference is obvious when that last line is viewed in a different font: the host is paypaI.com, with a capital "I" where paypal.com has a lowercase "l".

That’s a trick for creating deceptive URLs that goes back decades. In this case, the site "Paypai.com" was being hosted by a server in Moscow and was collecting PayPal logins to be used in credit card laundering.

Another way to create a misleading URL is to use homographs: characters from other scripts that look like Latin letters, which the DNS carries in Punycode encoding, so the displayed name looks genuine while the registered name is different. F5 Labs recently featured a detailed story on homograph attacks and how they’re pulled off.

Trick #3: URL Redirects

The last common URL obfuscation technique involves bouncing off a web application vulnerability in a legitimate site. Many sites provide the capability to do URL redirects or forwards. For example, perhaps you’re on an investment site and at some point, your session gets automatically transferred to a bank site. The investment website itself is using web application tools to perform the redirect, which often can look like:

http://investingsite.com/redirect.php?url=http://nicebanksite.com

A phisher could then hijack this mechanism to redirect users to a fake site. However, an untrained user might only notice the start of the URL, which shows the real site (which is redirecting). Furthermore, the phisher could combine techniques, adding URL shortening to further mask the final destination, like so:

http://investingsite.com/redirect.php?url=http://bitly.com/98K8eH
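Here is an added example (not code from the article) of an inbound-link inspector that flags all three tricks above: known shortener hosts, doppelganger hostnames such as paypaI.com, Punycode labels, and a redirect parameter that carries a second URL. The shortener and brand lists are constructed for the example, and the "registrable name" is simplified to the last two labels of the host.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed lists for this example; a real deployment would feed these
# from threat intelligence and the organisation's own brand list.
SHORTENERS = {"bit.ly", "bitly.com", "x.co", "goo.gl", "tiny.cc"}
PROTECTED = {"paypal.com", "investingsite.com", "nicebanksite.com"}
# Character pairs that render alike in many fonts (i/l, 1/l, 0/o, rn/m, vv/w).
ONE_CHAR = str.maketrans({"i": "l", "1": "l", "0": "o"})
TWO_CHAR = (("rn", "m"), ("vv", "w"))

def fold_lookalikes(name):
    """Collapse look-alike characters so imitations land on the same string."""
    folded = name.translate(ONE_CHAR)
    for pair, single in TWO_CHAR:
        folded = folded.replace(pair, single)
    return folded

# Brand names folded the same way, so the comparison is like-for-like.
FOLDED_BRANDS = {fold_lookalikes(b): b for b in PROTECTED}

def inspect_url(url, depth=0):
    """Return a list of reasons this link deserves a closer look."""
    findings = []
    parts = urlsplit(url)
    # urlsplit lowercases the host: DNS is case-insensitive, so the
    # "PayPaI" shown in the email really resolves as paypai.com.
    host = parts.hostname or ""
    if not host:
        return ["no host"]
    if host in SHORTENERS:
        findings.append("shortener")
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        findings.append("punycode")            # homograph candidate
    core = ".".join(labels[-2:])               # assumption: 2-label registrable name
    folded = fold_lookalikes(core)
    if core not in PROTECTED and folded in FOLDED_BRANDS:
        findings.append("lookalike of " + FOLDED_BRANDS[folded])
    # Trick #3: a query value that is itself a URL is a redirect hop.
    for _, value in parse_qsl(parts.query):
        if value.startswith(("http://", "https://", "//")) and depth < 3:
            hop = value if "://" in value else "http:" + value
            findings.append("redirect to " + (urlsplit(hop).hostname or "?"))
            findings.extend(inspect_url(hop, depth + 1))
    return findings

if __name__ == "__main__":
    for link in ("http://bit.ly/2wbw48P",
                 "https://www.paypaI.com/prq/id=H1aDsq-6vwg7w1YaVZjb.hGJmz0uOz6pb.omew",
                 "http://investingsite.com/redirect.php?url=http://bitly.com/98K8eH"):
        print(link, "->", inspect_url(link) or ["clean"])
```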

Make sure your organization’s websites aren’t susceptible to these kinds of external URL redirects. You don’t want to be a hacker’s tool that is unwittingly participating in someone else’s scheme. Worse, you don’t want your own customers and users to be lured away from your site to booby-trapped imitation sites.

This particular problem used to be part of the OWASP Top 10 web vulnerabilities, under the name Unvalidated Redirects and Forwards, and is often tested for as part of a web application vulnerability test. The vulnerability can also be a lot more subtle, buried in app functions that aren’t apparent in a normal web session, but still found and exploited.
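As an added example (written here in Python, not the PHP of the redirect.php endpoint in the text), this shows the open-redirect pattern beside a hardened version that only follows same-site paths or allowlisted hosts. The allowlist is constructed from the page's example names, and the bypass shapes it rejects (scheme-relative "//host", backslashes, a trusted name in the userinfo slot, a trusted name as a subdomain prefix) are the usual ones a web application test would try.

```python
from urllib.parse import urlsplit

# Hosts this site is allowed to send users to (constructed allowlist;
# investingsite.com and nicebanksite.com are the page's example names).
ALLOWED_HOSTS = {"investingsite.com", "nicebanksite.com"}

def vulnerable_redirect(url_param):
    """The redirect.php?url=... pattern from the text: whatever the
    parameter says is where the user goes. This is the open redirect."""
    return url_param

def is_safe_redirect(target, allowed_hosts):
    """True only for same-site paths or absolute URLs to allowlisted hosts."""
    if not target:
        return False
    # Backslashes, whitespace and control characters are parsed
    # differently by browsers than by this code; refuse them outright.
    if any(ord(c) < 0x21 or c == "\\" for c in target):
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: accept an absolute path, but not the
        # scheme-relative "//host" form, which browsers treat as a new host.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        # "http://nicebanksite.com@evil.example" puts the trusted name
        # in the userinfo slot; the real host is after the "@".
        return False
    host = parts.hostname
    # Exact match, not suffix match, so nicebanksite.com.evil.example fails.
    return host is not None and host.lower() in allowed_hosts

def resolve_redirect(url_param, allowed_hosts=ALLOWED_HOSTS, fallback="/"):
    """Hardened replacement for vulnerable_redirect: unknown targets
    fall back to the site's own landing page instead of leaving the site."""
    return url_param if is_safe_redirect(url_param, allowed_hosts) else fallback

if __name__ == "__main__":
    for t in ("http://nicebanksite.com", "http://bitly.com/98K8eH",
              "//evil.example", "http://nicebanksite.com@evil.example/"):
        print(f"{t!r:45} -> {resolve_redirect(t)!r}")
```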

As always, making your users aware of these attack methods can go a long way towards helping them spot phishes and scams. Having a quick and easy way for users to report these kinds of attacks, coupled with a rapid response gives you the ability to block and warn everyone else on specific attacks. It’s also a good idea to look at a multi-layered defense, including several layers of web and mail filtering, as well as strong authentication since login credentials are often what are stolen in these attacks. Lastly, make sure you’re not part of the problem by testing your own websites for unvalidated URL redirection vulnerabilities.


Raymond Pompon is a Principal Threat Researcher Evangelist with F5 Labs. With over 20 years of experience in Internet security, he has worked closely with Federal law enforcement in cyber-crime investigations. He has recently written IT Security Risk Control Management: An ...