New Phishing Campaign Uses URLs Containing Almost 1,000 Characters

An ongoing phishing campaign is currently targeting users with links that in some cases contain almost 1,000 characters.

The campaign begins with an attack email informing the recipient that their email account has been blacklisted due to a “subsequent verification failure” involving their mail network server. The email goes on to explain that the recipient will lose access to their email account unless they go through the proper verification channels. This involves clicking on a “Confirm Your Email” link contained within the body of the attack email.

Clicking on the link redirects the user to a landing page with a login form customized to their email account’s domain. These pages are unique, however, in that their URLs are unusually long, nonsensical strings of repeated letters and numbers. Derek observed that the shortest link was 400 characters long, for example, while the longest URL he spotted was just shy of 1,000 characters.

Lawrence Abrams thinks that digital attackers could be creating such long URLs in “an effort to obfuscate the intent or to hide information in them.”

If that’s the case, creating 1,000-character URLs is just the latest tactic fraudsters have used to disguise their phishing links. They’ve used plenty of other techniques in the past. For instance, an attack reported back in June 2017 saw bad actors use a technique known as “URL padding” to disguise their phishing links. Specifically, they inserted enough hyphens into the subdomains of their phishing landing pages that they were able to conceal their attacks’ true domains.

Digital attackers didn’t stop there, however. In other campaigns, they’ve used Unicode domains, which go beyond the conventional ASCII characters found in most web domains, to trick users into visiting lookalike domains. Security researcher Xudong Zheng demonstrated this use of Unicode domains for conducting phishing attacks by registering the domain “xn--pple-43d.com.” This domain appears identical to “apple.com,” but its actual destination differs from the legitimate Apple domain in that it uses a Cyrillic “а” (U+0430) rather than the ASCII “a” (U+0061).

In contrast to making excessively long links, phishers have also gone in the complete opposite direction by using URL shortening services to disguise their attacks. These services, such as bit.ly and goo.gl, don’t just conceal the display name of the shortened URL; they also prevent security-conscious users from discovering a URL’s true destination when they hover over it. Bad actors have capitalized on this behavior to target Yahoo!, Gmail and other email providers in an attempt to steal information from unsuspecting recipients.

Taken together, the tactics described above reveal how digital attackers are constantly innovating new ways to prey upon users. Organizations can help defend against these creative campaigns by educating employees to be on the lookout for suspicious emails warning them that they’re about to lose access to their email accounts. They can also emphasize the importance of verifying a URL included in an email before clicking on it.

But organizations also need to account for the cases where employees miss these warning signs, especially as digital attackers continue to come up with new campaigns. Toward that end, they should employ an email security solution that analyzes emails not just for URLs but also for their IP addresses, phrases, patterns, behavior and malware signatures. This tool should provide real-time protection by dynamically filtering out potential threats while keeping legitimate emails flowing to their intended destination.
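As an added example (not code from the article or from the researchers it cites), the checker below flags the four link-disguise tactics the article describes: excessive URL length, hyphen-padded hostnames, mixed-script hostnames after punycode decoding (the Cyrillic-a homograph above), and known link shorteners. The thresholds, shortener list and sample links are assumptions constructed for this example.

```python
"""Heuristic triage of the phishing-link disguises described in the article:
very long URLs, hyphen-padded hostnames ("URL padding"), IDN homographs and
link shorteners. Added example, not the article's own code."""
import unicodedata
from urllib.parse import urlsplit

# Thresholds and the shortener list are assumptions chosen for this example;
# the 400-character floor mirrors the shortest link seen in the campaign.
MAX_URL_LEN = 400
MAX_HOST_HYPHENS = 5
SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com"}


def decode_idn(host: str) -> str:
    """Turn punycode labels (xn--...) back into the Unicode the user would see."""
    try:
        return host.encode("ascii").decode("idna") if host.isascii() else host
    except UnicodeError:
        return host


def host_scripts(host: str) -> set:
    """Unicode scripts present in a hostname, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in host if c.isalpha()}


def phishy_url_reasons(url: str) -> list:
    """Return the disguise tactics a URL exhibits (empty list if none)."""
    host = urlsplit(url).hostname or ""
    reasons = []
    if len(url) >= MAX_URL_LEN:
        reasons.append("excessive length")
    if host.count("-") >= MAX_HOST_HYPHENS:
        reasons.append("hyphen-padded hostname")
    if len(host_scripts(decode_idn(host))) > 1:
        reasons.append("mixed-script hostname (possible homograph)")
    if host in SHORTENERS:
        reasons.append("link shortener hides destination")
    return reasons


# Constructed sample links (not from the campaign), one per heuristic.
SAMPLES = {
    "long": "https://mail.example.invalid/verify/" + "a1" * 250,
    "padded": "https://mail.example-com-login-verify-secure-account.evil.invalid/",
    "homograph": "https://www.xn--pple-43d.com/",
    "shortener": "https://bit.ly/abc123",
    "clean": "https://mail.example.com/inbox",
}

if __name__ == "__main__":
    for name, link in SAMPLES.items():
        print(f"{name:10} {phishy_url_reasons(link) or 'no flags'}")
```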