Attackers Exploit URL Protections to Disguise Phishing Links

Cybercriminals are abusing legitimate URL protection services to disguise malicious phishing links, Barracuda researchers have revealed.

The firm observed phishing campaigns using three different URL protection services to mask phishing URLs and send victims to websites designed to harvest their credentials.

The researchers believe these campaigns have targeted hundreds of companies to date, if not more.

URL protection services are designed to protect users from visiting malicious websites via a phishing link. Whenever a URL is included in an email, the service will copy it, rewrite it, then embed the original URL within the rewritten one.

If the email recipient clicks on this “wrapped” link, an email security scan of the original URL is triggered. If the scan is clear, the user is redirected to the URL. If not, they are blocked from entering the original URL.

How URL Protection Services Are Exploited

In these novel attacks, threat actors gain entry to the URL protection service via compromised accounts, and leverage it to re-write their own phishing URLs, thereby concealing their malicious nature – essentially turning the service on itself.

This enables them to impersonate the account owners and infiltrate and examine their email communications as well as sending emails from the compromised account. This tactic is known as conversation hijacking.

In addition, threat actors will be able to determine whether a URL protection service is being used by analyzing links in emails connected to the account or in the user’s email signature.

To leverage the URL protection to rewrite their own phishing URLs, the researchers noted the attackers would either need to have access to internal systems to get the phishing URL rewritten, which is “exceedingly rare,” or more likely, send an outbound email to themselves using the compromised accounts, with the phishing link included in the message.

When delivering that message, the URL protection service installed by the user’s organization will rewrite the phishing URL using their own URL protection link. This allows the attacker to use that link to conceal malicious URLs in their subsequent phishing emails targeting that organization’s employees.

The researchers said that URL protection providers may not be able to validate whether the redirect URL being used by a specific customer is really being used by that customer or by an intruder who has taken over the account.

The leveraging of URL protection services could be either intentional or opportunistic, according to Barracuda.

Attackers Bypassing Common Security Controls

Barracuda noted that many traditional email security tools will be unable to detect these novel tactics, while the leveraging of trusted security brands are more likely to give users a false sense of safety and click on the malicious link.

The new research follows other observed ways threat actors are circumventing traditional security controls to enhance phishing campaigns.

These include the rising use of quishing attacks – phishing messages that use a QR code to direct targets to malicious websites rather than URLs. This approach increases the likelihood of a recipient using a personal device outside of an organization’s web or anti-virus protection to access the malicious website.

Another observed tactic is the leveraging the infrastructure of popular legitimate services to conduct phishing campaigns, thereby making it harder for security tools to distinguish malicious or benign emails from that service.