threatpost.com
Open in
urlscan Pro
35.173.160.135
Public Scan
URL:
https://threatpost.com/malformed-url-prefix-phishing-attacks-spike-6000/164132/
Submission: On December 04 via manual from IN — Scanned from DE
Submission: On December 04 via manual from IN — Scanned from DE
Form analysis
3 forms found in the DOMPOST /malformed-url-prefix-phishing-attacks-spike-6000/164132/#gf_5
<form method="post" enctype="multipart/form-data" target="gform_ajax_frame_5" id="gform_5" action="/malformed-url-prefix-phishing-attacks-spike-6000/164132/#gf_5">
<div class="gform_body">
<ul id="gform_fields_5" class="gform_fields top_label form_sublabel_below description_below">
<li id="field_5_8" class="gfield field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label" for="input_5_8"></label>
<div class="ginput_container ginput_container_text"><input name="input_8" id="input_5_8" type="text" value="" class="medium" placeholder="Your name" aria-invalid="false"></div>
</li>
<li id="field_5_1" class="gfield gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label" for="input_5_1"><span class="gfield_required">*</span></label>
<div class="ginput_container ginput_container_email">
<input name="input_1" id="input_5_1" type="text" value="" class="medium" placeholder="Your e-mail address" aria-required="true" aria-invalid="false">
</div>
</li>
<li id="field_5_9" class="gfield js-kaspersky-gform-recaptcha-placeholder gform_hidden field_sublabel_below field_description_below gfield_visibility_hidden"><input name="input_9" id="input_5_9" type="hidden" class="gform_hidden"
aria-invalid="false" value=""></li>
<li id="field_5_2" class="gfield input-without-label label-gdpr gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label"><span class="gfield_required">*</span></label>
<div class="ginput_container ginput_container_checkbox">
<ul class="gfield_checkbox" id="input_5_2">
<li class="gchoice_5_2_1">
<input name="input_2.1" type="checkbox" value="I agree" id="choice_5_2_1">
<label for="choice_5_2_1" id="label_5_2_1">I agree to my personal data being stored and used to receive the newsletter</label>
</li>
</ul>
</div>
</li>
<li id="field_5_5" class="gfield input-without-label label-gdpr gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label"><span class="gfield_required">*</span></label>
<div class="ginput_container ginput_container_checkbox">
<ul class="gfield_checkbox" id="input_5_5">
<li class="gchoice_5_5_1">
<input name="input_5.1" type="checkbox" value="I agree" id="choice_5_5_1">
<label for="choice_5_5_1" id="label_5_5_1">I agree to accept information and occasional commercial offers from Threatpost partners</label>
</li>
</ul>
</div>
</li>
<li id="field_5_10" class="gfield gform_validation_container field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label" for="input_5_10">Comments</label>
<div class="ginput_container"><input name="input_10" id="input_5_10" type="text" value=""></div>
<div class="gfield_description" id="gfield_description__10">This field is for validation purposes and should be left unchanged.</div>
</li>
</ul>
</div>
<div class="gform_footer top_label"> <input type="submit" id="gform_submit_button_5" class="gform_button button" value="Subscribe" onclick="if(window["gf_submitting_5"]){return false;} window["gf_submitting_5"]=true; "
onkeypress="if( event.keyCode == 13 ){ if(window["gf_submitting_5"]){return false;} window["gf_submitting_5"]=true; jQuery("#gform_5").trigger("submit",[true]); }" style="display: none;"> <input
type="hidden" name="gform_ajax" value="form_id=5&title=&description=&tabindex=0">
<input type="hidden" class="gform_hidden" name="is_submit_5" value="1">
<input type="hidden" class="gform_hidden" name="gform_submit" value="5">
<input type="hidden" class="gform_hidden" name="gform_unique_id" value="">
<input type="hidden" class="gform_hidden" name="state_5" value="WyJbXSIsImIwODQwZTA2ZGQ0NzYwODcyOTBkZjNmZDM1NDk2Y2ZkIl0=">
<input type="hidden" class="gform_hidden" name="gform_target_page_number_5" id="gform_target_page_number_5" value="0">
<input type="hidden" class="gform_hidden" name="gform_source_page_number_5" id="gform_source_page_number_5" value="1">
<input type="hidden" name="gform_field_values" value="">
</div>
</form>
GET https://threatpost.com/
<form class="c-site-search__form" role="search" method="get" action="https://threatpost.com/">
<input type="text" class="c-site-search__field" name="s" placeholder="Search">
<button type="submit" class="c-button c-button--secondary c-button--smaller c-site-search__button" value="Search"><svg class="icon fill">
<use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://threatpost.com/wp-content/themes/threatpost-2018/assets/sprite/icons.svg#icon-search"></use>
</svg> Search</button>
<div class="c-site-search__overlay"></div>
</form>
GET https://threatpost.com/
<form class="c-site-search__form" role="search" method="get" action="https://threatpost.com/">
<input type="text" class="c-site-search__field" name="s" placeholder="Search">
<button type="submit" class="c-button c-button--secondary c-button--smaller c-site-search__button" value="Search"><svg class="icon fill">
<use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://threatpost.com/wp-content/themes/threatpost-2018/assets/sprite/icons.svg#icon-search"></use>
</svg> Search</button>
<div class="c-site-search__overlay"></div>
</form>
Text Content
Newsletter SUBSCRIBE TO OUR THREATPOST TODAY NEWSLETTER Join thousands of people who receive the latest breaking cybersecurity news every day. The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter. * * * * * * * I agree to my personal data being stored and used to receive the newsletter * * * I agree to accept information and occasional commercial offers from Threatpost partners * Comments This field is for validation purposes and should be left unchanged. This iframe contains the logic required to handle Ajax powered Gravity Forms. The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter. Threatpost * Cloud Security * Malware * Vulnerabilities * InfoSec Insiders * Webinars * * * * * * * Search * Mysterious Silver Sparrow Malware Found Nesting on 30K MacsPrevious article * Accellion FTA Zero-Day Attacks Show Ties to Clop Ransomware, FIN11Next article MALFORMED URL PREFIX PHISHING ATTACKS SPIKE 6,000% Author: Becky Bracken February 19, 2021 4:06 pm 3 minute read Share this article: * * Sneaky attackers are flipping backslashes in phishing email URLs to evade protections, researchers said. Researchers from GreatHorn report they have observed a nearly 6,000-percent jump in attacks using “malformed URL prefixes” to evade protections and deliver phishing emails that look legit. They look legit, that is, unless you look closely at the symbols used in the prefix before the URL. “The URLs are malformed, not utilizing the normal URL protocols, such as http:// or https://,” researchers Click to Register said in a blog post about their findings. “Instead, they use http:/\ in their URL prefix.” The slashes in the address are largely superfluous, the GreatHorn report explained, so browsers and many scanners don’t even look at them. Typosquatting is a common phishing email tactic where everyday business names are mispelled, like “amozon.com” — to try and trick unobservant users into clicking. But these days, researchers explained, most people know to look for these kinds of email scams, so threat actors have had to evolve too. EMAIL PROTECTIONS IGNORE BACKSLASHES IN URL PREFIX “The URLs don’t fit the ‘known bad’ profiles developed by simple email scanning programs, allowing them to slip through undetected,” researchers said. “They may also slip past human eyes that aren’t accustomed to looking in the prefix for signs of suspicious activity.” The researchers reported they first noticed this new tactic last October, and said that it has been quickly gaining momentum ever since — with attacks between January and early February spiking by 5,933 percent, they said. WHAT DOES A MALFORMED URL ATTACK LOOK LIKE? GreatHorn provided an example of a malformed URL phishing email with the address: “http:/\brent.johnson.australiasnationalskincheckday.org.au//exr/brent.johnson@impacteddomain.com” The phishing email appears to be sent from a voicemail service; the researchers explained. The email contains a link to play the voice message “Play Audi Date.wav” which redirects to a malicious site, the team reported. A phishing page with a ReCAPTCHA. Source: GreatHorn. “The website even includes a reCAPTCHA, a common security feature of legitimate websites, showing the sophistication and subtlety of the attempted attack,” they explained. The next page looks like an Office login page and asks for a username and password, the report said. Once entered, the attackers have control of the account credentials. Office 365 users were far more likely to experience this type of breach, the report added, at a “much higher rate than organizations running Google Workspace as their cloud email environment.” A fake Microsoft sign-in page. Source: GreatHorn. The attackers using these malformed URLs have engaged in a variety of tactics to deliver their malware, including using a spoofed display name to impersonate the user’s company internal email system; avoiding scanners searching for “known bad” domains by sending from an address with no established relationship with the business; embedding a link in phishing emails which opens a redirector domain; and using language to give the user a sense of “urgency” in the message, the report explained. The report recommended “that security teams search their organizational email for messages containing URLs that match the threat pattern (http:/\) and remove any matches,” to keep their systems protected. An example of an email with an “audio message” alert. Source: GreatHorn. Kevin O’Brien, CEO and co-founder of GreatHorn, told Threatpost that these malformed URL attacks could be mitigated through third-party solutions able to perform more nuanced analysis. “There are a variety of API-native solutions that have come into the market in the last five years,” O’Brien said. “Many of these solutions are designed to specifically address the kinds of threats that both legacy secure email gateways and platforms are incapable of analyzing or identifying, providing robust remediation options, and highlighting to users when they’re about to go somewhere they don’t need to go to, such as what we saw in this attack.” EMAIL PHISHING SCAMS MORE COMMON, MORE EXPENSIVE The report drops amid a particularly lucrative period for phishing scams. Proofpoint’s recent 2020 State of the Phish showed a 14 percent jump in U.S. phishing attacks over the past year. “Threat actors worldwide are continuing to target people with agile, relevant and sophisticated communications—most notably through the email channel, which remains the top threat vector,” Alan LeFort, senior vice president and general manager of Security Awareness Training for Proofpoint said. “Ensuring users understand how to spot and report attempted cyberattacks is undeniably business-critical, especially as users continue to work remotely — often in a less secured environment. While many organizations say they are delivering security awareness training to their employees, our data shows most are not doing enough.” IS YOUR SMALL- TO MEDIUM-SIZED BUSINESS AN EASY MARK FOR ATTACKERS? Threatpost WEBINAR: Save your spot for “15 Cybersecurity Gaffes SMBs Make,” a FREE Threatpost webinar on Feb. 24 at 2 p.m. ET. Cybercriminals count on you making these mistakes, but our experts will help you lock down your small- to mid-sized business like it was a Fortune 100. Register NOW for this LIVE webinar on Wed., Feb. 24. Share this article: * Most Recent ThreatLists * Web Security SUGGESTED ARTICLES PANDEMIC-INFLUENCED CAR SHOPPING: JUST USE THE MANUFACTURER API Jason Kent, hacker-in-residence at Cequence, found a way to exploit a Toyota API to get around the hassle of car shopping in the age of supply-chain woes. December 3, 2021 OMICRON PHISHING SCAM ALREADY SPOTTED IN UK Omicron COVID-19 variant anxiety inspires new phishing scam offering fake NHS tests to steal data. December 3, 2021 WHAT ARE YOUR TOP CLOUD SECURITY CHALLENGES? THREATPOST POLL We want to know what your biggest cloud security concerns and challenges are, and how your company is dealing with them. Weigh in with our exclusive poll! December 3, 2021 DISCUSSION INFOSEC INSIDER * PANDEMIC-INFLUENCED CAR SHOPPING: JUST USE THE MANUFACTURER API December 3, 2021 * HOW DECRYPTION OF NETWORK TRAFFIC CAN IMPROVE SECURITY November 30, 2021 3 * HOW TO DEFEND AGAINST MOBILE APP IMPERSONATION November 23, 2021 * ONLINE MERCHANTS: PREVENT FRAUDSTERS FROM BECOMING HOLIDAY GRINCHES November 22, 2021 * 3 TOP TOOLS FOR DEFENDING AGAINST PHISHING ATTACKS November 18, 2021 Newsletter SUBSCRIBE TO THREATPOST TODAY Join thousands of people who receive the latest breaking cybersecurity news every day. Subscribe now Twitter What keeps #CloudComputing security practitioners up at night? We want to know! Weigh in on the biggest risks, chal… https://t.co/24oQHfESbM 16 hours ago Follow @threatpost NEXT 00:02 01:47 360p 720p HD 1080p HD Auto (360p) About Connatix V140482 Closed Captions About Connatix V140482 1/1 Skip Ad Continue watching after the ad Visit Advertiser website GO TO PAGE SUBSCRIBE TO OUR NEWSLETTER, THREATPOST TODAY! Get the latest breaking news delivered daily to your inbox. Subscribe now Threatpost The First Stop For Security News * Home * About Us * Contact Us * Advertise With Us * RSS Feeds * Copyright © 2021 Threatpost * Privacy Policy * Terms and Conditions * Advertise * * * * * * * TOPICS * Black Hat * Breaking News * Cloud Security * Critical Infrastructure * Cryptography * Facebook * Government * Hacks * IoT * Malware * Mobile Security * Podcasts * Privacy * RSAC * Security Analyst Summit * Videos * Vulnerabilities * Web Security Threatpost * * * * * * * TOPICS * Cloud Security * Malware * Vulnerabilities * Privacy Show all * Black Hat * Critical Infrastructure * Cryptography * Facebook * Featured * Government * Hacks * IoT * Mobile Security * Podcasts * RSAC * Security Analyst Summit * Slideshow * Videos * Web Security AUTHORS * Tara Seals * Tom Spring * Lisa Vaas THREATPOST * Home * About Us * Contact Us * Advertise With Us * RSS Feeds Search * * * * * * * InfoSec Insider INFOSEC INSIDER POST Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial. Sponsored SPONSORED CONTENT Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content. We use cookies to make your experience of our websites better. By using and further navigating this website you accept this. Detailed information about the use of cookies on this website is available by clicking on more information. ACCEPT AND CLOSE