Researchers from GreatHorn report they have observed a nearly 6,000-percent jump in attacks using “malformed URL prefixes” to evade protections and deliver phishing emails that look legit. They look legit, that is, unless you look closely at the symbols used in the prefix before the URL.
“The URLs are malformed, not utilizing the normal URL protocols, such as http:// or https://,” researchers said in a blog post about their findings. “Instead, they use http:/\ in their URL prefix.”
The slashes in the address are largely superfluous, the GreatHorn report explained, so browsers and many scanners don’t even look at them.
Typosquatting is a common phishing email tactic where everyday business names are misspelled, like “amozon.com” — to try and trick unobservant users into clicking. But these days, researchers explained, most people know to look for these kinds of email scams, so threat actors have had to evolve too.
Email Protections Ignore Backslashes in URL Prefix
“The URLs don’t fit the ‘known bad’ profiles developed by simple email scanning programs, allowing them to slip through undetected,” researchers said. “They may also slip past human eyes that aren’t accustomed to looking in the prefix for signs of suspicious activity.”
The researchers reported they first noticed this new tactic last October, and said that it has been quickly gaining momentum ever since — with attacks between January and early February spiking by 5,933 percent, they said.
What Does a Malformed URL Attack Look Like?
GreatHorn provided an example of a malformed URL phishing email with the address: “http:/\firstname.lastname@example.org”
The phishing email appears to be sent from a voicemail service, the researchers explained. The email contains a link to play the voice message “Play Audi Date.wav” which redirects to a malicious site, the team reported.
“The website even includes a reCAPTCHA, a common security feature of legitimate websites, showing the sophistication and subtlety of the attempted attack,” they explained.
The next page looks like an Office login page and asks for a username and password, the report said. Once entered, the attackers have control of the account credentials.
Office 365 users were far more likely to experience this type of breach, the report added, at a “much higher rate than organizations running Google Workspace as their cloud email environment.”
The attackers using these malformed URLs have engaged in a variety of tactics to deliver their malware, including using a spoofed display name to impersonate the user’s company internal email system; avoiding scanners searching for “known bad” domains by sending from an address with no established relationship with the business; embedding a link in phishing emails which opens a redirector domain; and using language to give the user a sense of “urgency” in the message, the report explained.
The report recommended “that security teams search their organizational email for messages containing URLs that match the threat pattern (http:/\) and remove any matches,” to keep their systems protected.
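The search the report recommends can be scripted. The following is an added example, not GreatHorn's or Threatpost's code: it scans a message body for URLs whose scheme separator contains a backslash (it generalizes the http:/\ pattern to any slash/backslash mix), rewrites the backslashes the way a lenient browser would, and reports the host the link actually resolves to, alongside what a scanner that only knows “http://” would have seen. The sample message and the example.org hosts are constructed placeholders, not indicators from the report.

```python
import re
from urllib.parse import urlsplit

# A scheme followed by any two-character mix of "/" and "\": this catches
# "http://", "http:/\", "http:\\" and "http:\/" alike.
MALFORMED_PREFIX_RE = re.compile(r"\bhttps?:[/\\]{2}\S+", re.IGNORECASE)
# What a naive "known bad" scanner keyed on the normal prefix looks for.
STRICT_PREFIX_RE = re.compile(r"\bhttps?://\S+", re.IGNORECASE)


def find_suspicious_urls(body: str) -> list[dict]:
    """Return every URL in body whose prefix uses at least one backslash.

    Each hit carries the raw text, the normalised form (backslashes
    rewritten to slashes, as lenient browsers do) and the host that the
    normalised URL points at, so an analyst sees the real destination.
    """
    hits = []
    for match in MALFORMED_PREFIX_RE.finditer(body):
        raw = match.group(0)
        scheme, _, rest = raw.partition(":")
        if "\\" not in rest[:2]:
            continue  # ordinary http:// link, not the threat pattern
        path = rest[2:].replace("\\", "/")
        normalised = f"{scheme.lower()}://{path}"
        hits.append({"raw": raw, "normalised": normalised,
                     "host": urlsplit(normalised).hostname})
    return hits


def strict_scanner_sees(body: str) -> list[str]:
    """URLs a scanner that only understands 'http://' would notice."""
    return STRICT_PREFIX_RE.findall(body)


# Constructed sample, modelled on the voicemail lure described above.
# The userinfo before "@" looks like an e-mail address; the real host
# is whatever follows it.
SAMPLE_BODY = (
    "You have a new voice message.\n"
    "Play Audio: http:/\\user.name@mail.example.org/play/msg.wav\n"
    "Unsubscribe: https://www.example.com/unsubscribe\n"
)

if __name__ == "__main__":
    for hit in find_suspicious_urls(SAMPLE_BODY):
        print(f"FLAG {hit['raw']} -> {hit['host']}")
    print("strict scanner saw only:", strict_scanner_sees(SAMPLE_BODY))
```

Run over exported mailbox text, the flagged hits are the messages the report says to remove; the strict-scanner list shows why a prefix-only rule misses them.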
Kevin O’Brien, CEO and co-founder of GreatHorn, told Threatpost that these malformed URL attacks could be mitigated through third-party solutions able to perform more nuanced analysis.
“There are a variety of API-native solutions that have come into the market in the last five years,” O’Brien said. “Many of these solutions are designed to specifically address the kinds of threats that both legacy secure email gateways and platforms are incapable of analyzing or identifying, providing robust remediation options, and highlighting to users when they’re about to go somewhere they don’t need to go to, such as what we saw in this attack.”
Email Phishing Scams More Common, More Expensive
The report drops amid a particularly lucrative period for phishing scams. Proofpoint’s recent 2020 State of the Phish showed a 14 percent jump in U.S. phishing attacks over the past year.
“Threat actors worldwide are continuing to target people with agile, relevant and sophisticated communications—most notably through the email channel, which remains the top threat vector,” Alan LeFort, senior vice president and general manager of Security Awareness Training for Proofpoint said. “Ensuring users understand how to spot and report attempted cyberattacks is undeniably business-critical, especially as users continue to work remotely — often in a less secured environment. While many organizations say they are delivering security awareness training to their employees, our data shows most are not doing enough.”