I was at a client's office the other day and the security team was discussing their latest round of spear-phishing attacks: A PDF delivered in email with an embedded bit.ly link that appeared authentic but took users to a phony site. Luckily, the team was alerted and quickly got the word out to employees. But, as for blocking URL shortened links via email? Good luck; they’re quite useful and therefore still commonly used. Unfortunately, since URL shortening services were put in place, scammers and crooks have been using them to conceal counterfeit websites. All technology is a two-edged sword, useful for both good and evil.
There are three primary techniques used to trick users into thinking a website link is real: URL shorteners, URL doppelgangers, and URL redirects.
URL Shorteners
There are many URL shortening services like bit.ly, x.co, goo.gl, tiny.cc. These shortening web apps take a long complex URL line, such as “https://f5.com/labs/articles/threat-intelligence/cyber-security/russian-hackers-face-to-face”, and shrink it down to something more convenient and easily sharable, such as “http://bit.ly/2wbw48P”.
Shortened URLs are especially handy when using Twitter, which limits tweets to 140 characters, because some URLs would consume the entire message. They’re perfect for including in emails that solicit the user to click on a link that leads them to a malicious site (drive-by download, phishing site, scam). The text of the email message is often designed to fool the user into thinking the link is trustworthy since they see so many links come in this way. A common trick is to imitate an email from the IT department to get users to click on a link to change their password, which leads to a site that steals their password.
Some URL shortening services do basic testing and blocking of known malicious sites but, in general, they’re found to be far from perfect.1 URL shortening is still a very popular technique, used by both script kiddies as well as APTs. A recent report on the Russian hacking and disinformation campaigns notes the use of the tiny.cc URL shortening service.2 If it works, why change tactics?
URL Doppelgangers
If you remember the Russian Hacker case I wrote about in June 2017, one of the techniques they used was an email ploy that looked like exactly like this:
Subject: PayPaI Cash Give-Away
From: Friend <CashGiveAway at PaypaI dot com>
Reply-To: cheapercommunications at yahoo dot com PayPaI
Congradulations You were chosen from over 30,000 contestants for our
$500.00 cash give-away from PayPaI. If you are already a member simply click
the link below to Accept the Cash Give-Away. Even if you are not a PayPaI member
you can sign-up for Free, and still accept the $500.00 Cash Give-Away today!
Amount: $500.00
Note: Enter Your Info Below To Accept.
To Process: Click link below or copy and paste into browser window.
https://www.paypaI.com/prq/id=H1aDsq-6vwg7w1YaVZjb.hGJmz0uOz6pb.omew
Notice how, in the email font shown, “paypal” appears to end with a lowercase “l”, but it’s actually an uppercase “I”.
This difference is obvious when we look at that last line in a different font:
https://www.paypaI.com/prq/id=H1aDsq-6vwg7w1YaVZjb.hGJmz0uOz6pb.omew
That’s a trick for creating deceptive URLs that goes back decades. In this case, the site Paypai.com was being hosted by a server in Moscow and was collecting PayPal logins to be used in credit card laundering.
Another way to create a misleading URL is to use homographs, which leverage Punycode2 encoding to falsify the name. F5 Labs recently featured a detailed story on homograph attacks and how they’re pulled off.
URL Redirects
The last common URL obfuscation technique involves bouncing off a web application vulnerability in a legitimate site. Many sites provide the capability to do URL redirects or forwards. For example, perhaps you’re on an investment site and at some point, your session gets automatically transferred to a bank site. The investment website itself is using web application tools to perform the redirect, which often can look like:
http://investingsite.com/redirect.php?url=http://nicebanksite.com
A phisher could then hijack this mechanism to redirect users to a fake site. However, an untrained user might only notice the start of the URL, which shows the real site (which is redirecting). Furthermore, the phisher could combine techniques, adding URL shortening to further mask the final destination, like so:
http://investingsite.com/redirect.php?url= http://bitly.com/98K8eH
Make sure your organization’s websites aren’t susceptible to these kinds of external URL redirects. You don’t want to be a hacker’s tool that is unwittingly participating in someone else’s scheme. Worse, you don’t want your own customers and users to be lured away from your site to booby-trapped imitation sites. This particular problem used to part of the OWASP Top 10 web vulnerabilities called Unvalidated Redirects and Forwards3 and is often tested for as part of a web application vulnerability test. This vulnerability can also be a lot more subtle, buried in app functions that aren’t apparent in a normal web session but still found and exploited.
Conclusion
As always, making your users aware of these attack methods can go a long way towards helping them spot phishes and scams. Having a quick and easy way for users to report these kinds of attacks coupled with a rapid response gives you the ability to block and warn everyone else on specific attacks. It’s also a good idea to look at a multi-layered defense, including several layers of web and mail filtering as well as strong authentication since login credentials are often what are stolen in these attacks. Lastly, make sure you’re not part of the problem by testing your websites for unvalidated URL redirection vulnerabilities.