Partner Perspectives (sponsored content)
10/5/2017 09:00 AM
Raymond Pompon

URL Obfuscation: Still a Phisher's Phriend

There are three primary techniques to trick users into thinking a website link is real: URL shorteners, URL doppelgangers, and URL redirects.

I was at a client's office the other day and the security team was discussing their latest round of spearphishing attacks: a PDF delivered in email with an embedded bit.ly link that appeared authentic but took users to a phony site. Luckily, the team was alerted and quickly got the word out to employees. But, as for blocking shortened URLs in email? Good luck! They're quite useful and therefore still commonly used. Unfortunately, ever since URL-shortening services first appeared, scammers and crooks have been using them to conceal counterfeit websites. All technology is a two-edged sword, useful for both good and evil.

There are three primary techniques used to trick users into thinking a website link is real:

Trick #1: URL Shorteners

There are many URL shortening services like bit.ly, x.co, goo.gl, tiny.cc. These shortening web apps take a long complex URL line, such as https://f5.com/labs/articles/threat-intelligence/cyber-security/russian-hackers-face-to-face, and shrink it down to something more convenient and easily sharable, such as http://bit.ly/2wbw48P.

Shortened URLs are especially handy on Twitter, which limits tweets to 140 characters, because some URLs would consume the entire message. From an attacker's point of view they're also perfect for emails that solicit the user to click a link leading to a malicious site (drive-by download, phishing page, scam), because the short link reveals nothing about where it lands. The text of the email is often designed to fool the user into thinking the link is trustworthy, since they see so many legitimate links arrive this way. A common trick is to imitate an email from the IT department asking users to click a link to change their password, which leads to a site that steals the password.

Some URL shortening services do basic testing and blocking of known malicious destinations but, in general, they're far from perfect, and the destination can be changed after the short link has been created. URL shortening is still a very popular technique, used by script kiddies as well as advanced persistent threats (APTs). A recent report on the Russian hacking and disinformation campaigns notes the use of the tiny.cc URL shortening service. If it works, why change tactics?
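The practical defence against a short link is to expand it before anyone clicks it, one hop at a time, without letting the HTTP client follow redirects on its own. The resolver below is an added example, not code from the article or from F5: it takes an injectable `fetch` callable so it runs offline against a constructed redirect chain (the short link, the `.example` hosts and the shortener host list are all assumptions, not real links), and `http_fetch` is the real-network equivalent that issues one HEAD request per hop.

```python
"""Expand a shortened link hop by hop, recording every redirect.

Added example, not from the article. ``fake_fetch`` serves a constructed chain
so the resolver runs offline; ``http_fetch`` does the same over the network
(one HEAD request per hop, redirects deliberately not auto-followed).
"""
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Illustrative shortener hosts (assumption: extend with your own intel).
SHORTENER_HOSTS = {"bit.ly", "bitly.com", "x.co", "goo.gl", "tiny.cc", "t.co"}
REDIRECT_CODES = {301, 302, 303, 307, 308}

# A fetch callable returns (status_code, Location header or None) for one URL.
Fetch = Callable[[str], Tuple[int, Optional[str]]]

# Constructed responses standing in for a shortener, an open redirect on a
# legitimate site, and the phishing page it lands on (.example is reserved).
FAKE_RESPONSES: Dict[str, Tuple[int, Optional[str]]] = {
    "http://bit.ly/CONSTRUCTED": (301, "http://investingsite.com/redirect.php?url=http://phish.example/login"),
    "http://investingsite.com/redirect.php?url=http://phish.example/login": (302, "http://phish.example/login"),
    "http://phish.example/login": (200, None),
    "http://tiny.cc/a": (302, "/b"),                 # relative Location, must be resolved
    "http://tiny.cc/b": (302, "http://tiny.cc/a"),   # redirect loop
}


def fake_fetch(url: str) -> Tuple[int, Optional[str]]:
    """Offline stand-in for an HTTP HEAD request."""
    return FAKE_RESPONSES.get(url, (404, None))


def http_fetch(url: str, timeout: float = 5.0) -> Tuple[int, Optional[str]]:
    """Real fetch: one HEAD request, redirect NOT followed (assumes network access)."""
    import urllib.error
    import urllib.request

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # None makes urllib raise HTTPError instead of following

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "url-expander/0.1"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def expand_url(url: str, fetch: Fetch = fake_fetch, max_hops: int = 10) -> dict:
    """Walk the redirect chain manually.

    Returns the chain, the final URL, whether any hop used a known shortener
    host, and why the walk stopped: "terminal" (non-redirect response),
    "loop" (a URL seen twice) or "max_hops" (chain longer than max_hops).
    """
    chain = [url]
    seen = {url}
    via_shortener = False
    current = url
    stopped = "max_hops"
    for _ in range(max_hops):
        host = (urlsplit(current).hostname or "").lower()
        via_shortener = via_shortener or host in SHORTENER_HOSTS
        status, location = fetch(current)
        if status not in REDIRECT_CODES or not location:
            stopped = "terminal"
            break
        nxt = urljoin(current, location)  # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            stopped = "loop"
            break
        seen.add(nxt)
        current = nxt
    return {"final": current, "chain": chain, "via_shortener": via_shortener, "stopped": stopped}


if __name__ == "__main__":
    report = expand_url("http://bit.ly/CONSTRUCTED")
    for hop in report["chain"]:
        print(" ->", hop)
    print("final:", report["final"], "| via shortener:", report["via_shortener"], "|", report["stopped"])
```

Walking the chain manually, rather than letting the client follow redirects, is what makes the intermediate hop visible: here the short link does not land on the phishing page directly but passes through an open redirect on a legitimate site, which is exactly the combination an automated expander should surface rather than hide.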

Trick #2: URL Doppelgangers

If you remember the Russian Hacker case I wrote about in June 2017, one of the techniques they used was an email ploy that looked exactly like this:

Subject: PayPaI Cash Give-Away
From: Friend <CashGiveAway at PaypaI dot com>
Reply-To: cheapercommunications at yahoo dot com PayPaI
Congradulations You were chosen from over 30,000 contestants for our
$500.00 cash give-away from PayPaI. If you are already a member simply click
the link below to Accept the Cash Give-Away. Even if you are not a PayPaI member
you can sign-up for Free, and still accept the $500.00 Cash Give-Away today!
Amount: $500.00
Note: Enter Your Info Below To Accept.
To Process: Click link below or copy and paste into browser window.
https://www.paypaI.com/prq/id=H1aDsq-6vwg7w1YaVZjb.hGJmz0uOz6pb.omew

Notice how, in the email font shown, "paypal" appears to end with a lowercase "l", but it’s actually an uppercase "I".

The difference is obvious when that last line is shown in a different font. In a fixed-width font, the capital I at the end of "paypaI" no longer resembles the lowercase l in "paypal"; in the sans-serif font of the original email, the two glyphs are nearly identical.

That's a trick for creating deceptive URLs that goes back decades. In this case, the site "paypaI.com" was being hosted on a server in Moscow and was collecting PayPal logins to be used in credit card laundering.

Another way to create a misleading URL is a homograph: an internationalized domain name in which non-Latin characters (such as a Cyrillic "а") render identically to their Latin look-alikes. DNS carries such names in Punycode (the "xn--" form), so the raw label looks nothing like the brand while the browser-rendered version looks exactly like it. F5 Labs recently featured a detailed story on homograph attacks and how they're pulled off.
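Both flavours of doppelganger, the capital-I-for-lowercase-l trick in the email above and a Punycode homograph, can be caught by the same check: decode any `xn--` label back to Unicode, fold look-alike characters to the Latin letter they resemble, and compare the result with a list of protected brand names. The code below is an added example, not the article's or F5's; its confusable table is deliberately small and illustrative (the Unicode Consortium's confusables data is the real source), and taking the second-to-last label as the brand label is an assumption that stands in for a proper public-suffix lookup.

```python
"""Flag doppelganger hostnames: look-alike ASCII (PayPaI) and IDN homographs.

Added example, not from the article. The confusable table is illustrative
(assumption); no public-suffix list is used, so the brand label is taken to be
the second-to-last label (assumption).
"""
import unicodedata
from typing import Iterable, Optional

# Single characters that render like a Latin letter in common fonts.
CONFUSABLE_CHARS = {
    "I": "l", "1": "l", "|": "l",                                   # capital I, one, pipe -> lowercase L
    "0": "o",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",    # Cyrillic a e o r
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",    # Cyrillic s u h i
    "\u0455": "s", "\u0458": "j", "\u04bb": "h",                    # Cyrillic dze je shha
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p",                    # Greek alpha omicron rho
}
# Digraphs that read as one letter at a glance.
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"))


def decode_label(label: str) -> str:
    """Turn an A-label (xn--...) back into its Unicode U-label; pass others through."""
    if label.lower().startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except (UnicodeError, ValueError):
            return label  # malformed punycode: keep the raw label so it still stands out
    return label


def skeleton(label: str) -> str:
    """Reduce a label to what a reader perceives: fold confusables, then lowercase."""
    out = unicodedata.normalize("NFKC", label)
    # Fold before lowercasing: 'I' -> 'l' must happen while the capital is still visible.
    out = "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in out)
    out = out.lower()
    for pair, single in CONFUSABLE_PAIRS:
        out = out.replace(pair, single)
    return out


def analyze_host(host: str, brands: Iterable[str]) -> dict:
    """Report whether ``host`` is an IDN and whether it merely looks like a protected brand."""
    labels = [decode_label(lab) for lab in host.strip(".").split(".")]
    is_idn = any(not lab.isascii() for lab in labels)
    brand_label = labels[-2] if len(labels) >= 2 else labels[0]
    literal = brand_label.lower()
    skel = skeleton(brand_label)
    lookalike: Optional[str] = None
    for brand in brands:
        b = brand.lower()
        if skel == b and literal != b:  # reads as the brand but is not spelled as the brand
            lookalike = b
            break
    return {"host": host, "decoded": ".".join(labels), "is_idn": is_idn,
            "skeleton": skel, "lookalike_of": lookalike}


if __name__ == "__main__":
    # Constructed inputs: the article's paypaI spelling, a Cyrillic-a homograph, a digraph trick.
    for h in ("www.paypaI.com", "xn--pypal-4ve.com", "rnicrosoft.com", "www.paypal.com"):
        print(analyze_host(h, ["paypal", "microsoft"]))
```

The skeleton comparison is what matters: the genuine `paypal.com` and the spoof both reduce to the same skeleton, so the check only raises an alert when the literal spelling differs from the brand while the perceived spelling matches it. A mail gateway or proxy can run the same function over every hostname in a link, and the `is_idn` flag is worth surfacing on its own, since browsers already fall back to showing the `xn--` form for mixed-script labels.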

Trick #3: URL Redirects

The last common URL obfuscation technique bounces the victim off a legitimate site's own redirect feature. Many sites provide the capability to do URL redirects or forwards. For example, perhaps you're on an investment site and at some point your session is automatically transferred to a bank site. The investment website performs the redirect with a web application function whose URL often looks like:

http://investingsite.com/redirect.php?url=http://nicebanksite.com

A phisher can hijack this mechanism to send users to a fake site, because an untrained user notices only the start of the URL, which shows the real (redirecting) site. The phisher can also combine techniques, adding URL shortening to further mask the final destination, like so:

http://investingsite.com/redirect.php?url=http://bitly.com/98K8eH

Make sure your organization’s websites aren’t susceptible to these kinds of external URL redirects. You don’t want to be a hacker’s tool that is unwittingly participating in someone else’s scheme. Worse, you don’t want your own customers and users to be lured away from your site to booby-trapped imitation sites.

This particular problem used to be part of the OWASP Top 10 web vulnerabilities (A10 in the 2013 list, "Unvalidated Redirects and Forwards") and is routinely tested for as part of a web application vulnerability assessment. The vulnerability can also be a lot more subtle, buried in application functions that aren't apparent in a normal web session, but it is still found and exploited.
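The fix for the `redirect.php?url=` pattern is to never echo the parameter into the Location header; instead, parse it, allow only http(s) targets whose parsed host is on an allowlist (or a local path), and rebuild the URL from the parsed parts. The code below is an added example, not the article's or any real site's code: it shows the open redirect beside its hardened form, using the article's hypothetical `investingsite.com` and `nicebanksite.com` as the allowlist and `.example` hosts as constructed attacker inputs.

```python
"""An open redirect beside its hardened form.

Added example, not from the article. The allowlist uses the article's
hypothetical hosts; attacker inputs in __main__ are constructed (.example).
"""
from urllib.parse import urlsplit, urlunsplit

ALLOWED_REDIRECT_HOSTS = {"investingsite.com", "nicebanksite.com"}
ALLOWED_SCHEMES = {"http", "https"}


def open_redirect_target(url_param: str) -> str:
    """The flaw behind redirect.php?url=...: the parameter becomes the Location header as-is."""
    return url_param


def safe_redirect_target(url_param: str, allowed_hosts=ALLOWED_REDIRECT_HOSTS, fallback: str = "/") -> str:
    """Return a Location value that can only lead to an allowlisted host or a local path.

    Anything that fails a check collapses to ``fallback`` instead of being echoed.
    """
    # Whitespace, control characters and backslashes are parsed differently by
    # browsers and servers: Chrome reads "/\\evil.example" as "//evil.example".
    # Reject rather than try to repair.
    if not url_param or any(ord(c) < 0x21 or c == "\\" for c in url_param):
        return fallback
    try:
        parts = urlsplit(url_param)
        port = parts.port          # raises ValueError on a bogus port
    except ValueError:
        return fallback

    # Case 1: a local path. Rebuild from components so "///evil.example"
    # (netloc '', path '/evil.example') cannot be resolved back into an authority,
    # and refuse paths that would still read as scheme-relative.
    if not parts.scheme and not parts.netloc:
        if not parts.path.startswith("/") or parts.path.startswith("//"):
            return fallback
        return urlunsplit(("", "", parts.path, parts.query, parts.fragment))

    # Case 2: an absolute URL. Only http(s), and the *parsed* host must be on the
    # allowlist. ``hostname`` already strips userinfo, so
    # "http://investingsite.com@evil.example" yields evil.example, and
    # "investingsite.com.evil.example" is simply not in the set.
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return fallback
    host = parts.hostname
    if host not in allowed_hosts:
        return fallback
    netloc = f"{host}:{port}" if port else host   # userinfo deliberately dropped
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed inputs: the article's combined shortener trick plus common bypass shapes.
    samples = [
        "http://nicebanksite.com/login",
        "http://bitly.com/98K8eH",
        "http://investingsite.com@evil.example/",
        "http://investingsite.com.evil.example/",
        "//evil.example",
        "/\\evil.example",
        "javascript:alert(1)",
        "/account/summary?tab=1",
    ]
    for s in samples:
        print(f"{s!r:45} open -> {open_redirect_target(s)!r:45} safe -> {safe_redirect_target(s)!r}")
```

Two design points matter here. The allowlist is checked against the parsed hostname, not against a prefix of the raw string, which is what defeats `investingsite.com@evil.example` and `investingsite.com.evil.example`; and the response is always rebuilt from parsed components, so parser differences between Python and the browser (backslashes, extra slashes, embedded whitespace) cannot be used to smuggle an authority past the check.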

As always, making your users aware of these attack methods goes a long way towards helping them spot phishes and scams. Having a quick and easy way for users to report these kinds of attacks, coupled with a rapid response, gives you the ability to block the specific attack and warn everyone else. It's also a good idea to look at a multi-layered defense, including several layers of web and mail filtering, as well as strong authentication, since login credentials are usually what gets stolen in these attacks. Lastly, make sure you're not part of the problem by testing your own websites for unvalidated URL redirection vulnerabilities.

Get the latest application threat intelligence from F5 Labs.


Raymond Pompon is a Principal Threat Researcher Evangelist with F5 Labs. With over 20 years of experience in Internet security, he has worked closely with Federal law enforcement in cyber-crime investigations. He has recently written IT Security Risk Control Management: An ...