urlscan.io public scan of threatpost.com (35.173.160.135)

URL: https://threatpost.com/malformed-url-prefix-phishing-attacks-spike-6000/164132/
Submission: On December 04 via manual from IN — Scanned from DE

MALFORMED URL PREFIX PHISHING ATTACKS SPIKE 6,000%

Author: Becky Bracken
February 19, 2021 4:06 pm
3 minute read


Sneaky attackers are flipping backslashes in phishing email URLs to evade
protections, researchers said.

Researchers from GreatHorn report they have observed a nearly 6,000-percent jump
in attacks using “malformed URL prefixes” to evade protections and deliver
phishing emails that look legit. They look legit, that is, unless you look
closely at the symbols used in the prefix before the URL.

“The URLs are malformed, not utilizing the normal URL protocols, such as http://
or https://,” researchers said in a blog post about their findings. “Instead,
they use http:/\ in their URL prefix.”

The slashes in the address are largely superfluous, the GreatHorn report
explained, so browsers and many scanners don’t even look at them.

Typosquatting is a common phishing email tactic in which everyday business names
are misspelled, like “amozon.com” — to try to trick unobservant users into
clicking. But these days, researchers explained, most people know to look for
these kinds of email scams, so threat actors have had to evolve too.


EMAIL PROTECTIONS IGNORE BACKSLASHES IN URL PREFIX

“The URLs don’t fit the ‘known bad’ profiles developed by simple email scanning
programs, allowing them to slip through undetected,” researchers said. “They may
also slip past human eyes that aren’t accustomed to looking in the prefix for
signs of suspicious activity.”

The researchers reported they first noticed this new tactic last October, and
said that it has been quickly gaining momentum ever since — with attacks between
January and early February spiking by 5,933 percent.


WHAT DOES A MALFORMED URL ATTACK LOOK LIKE?

GreatHorn provided an example of a malformed URL phishing email with the
address:
“http:/\brent.johnson.australiasnationalskincheckday.org.au//exr/brent.johnson@impacteddomain.com”

The phishing email appears to be sent from a voicemail service, the researchers
explained. The email contains a link to play the voice message “Play Audi
Date.wav”, which redirects to a malicious site, the team reported.

A phishing page with a ReCAPTCHA. Source: GreatHorn.

“The website even includes a reCAPTCHA, a common security feature of legitimate
websites, showing the sophistication and subtlety of the attempted attack,” they
explained.

The next page looks like an Office login page and asks for a username and
password, the report said. Once entered, the attackers have control of the
account credentials.

Office 365 users were far more likely to experience this type of breach, the
report added, at a “much higher rate than organizations running Google Workspace
as their cloud email environment.”

A fake Microsoft sign-in page. Source: GreatHorn.

The attackers using these malformed URLs have engaged in a variety of tactics to
deliver their malware, including using a spoofed display name to impersonate the
user’s company internal email system; avoiding scanners searching for “known
bad” domains by sending from an address with no established relationship with
the business; embedding a link in phishing emails which opens a redirector
domain; and using language to give the user a sense of “urgency” in the message,
the report explained.

The report recommended “that security teams search their organizational email
for messages containing URLs that match the threat pattern (http:/\) and remove
any matches,” to keep their systems protected.
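The two points above (browsers tolerate the slash/backslash mix and still resolve a host, while simple scanners keyed on “http://” see nothing to check) can be shown side by side. The following is an added illustration, not code from GreatHorn or Threatpost; the message bodies and hostnames are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages (not from the GreatHorn report). Hostnames are
# placeholders under .example, not real indicators.
SAMPLE_EMAILS = [
    ("msg-001", "New voice message: http:/\\voicemail-portal.example//exr/user@victim.example"),
    ("msg-002", "Quarterly report: https://intranet.example.com/reports/q1.pdf"),
    ("msg-003", "Reset here: https:\\\\login.example.net/reset?id=42"),
]

# scheme, then the run of slashes/backslashes after the colon, then the rest
URL_RE = re.compile(r"\b(https?):([\\/]+)([^\s<>]+)", re.IGNORECASE)


def naive_host(url):
    """What a stdlib-style parser reports: urlparse only recognises an
    authority after an exact '//', so http:/\\host yields no host at all."""
    return urlparse(url).hostname


def browser_host(url):
    """Resolve the host the way WHATWG-style browsers do for http(s):
    backslashes count as slashes and the whole run after the scheme is
    collapsed, so http:/\\host, http:\\\\host and http://host all reach host."""
    m = URL_RE.match(url)
    if not m:
        return None
    rest = m.group(3).replace("\\", "/")
    authority = rest.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    # drop userinfo and port, keep only the host name
    return authority.rsplit("@", 1)[-1].split(":", 1)[0].lower()


def is_malformed_prefix(url):
    """True when the separator after the scheme is anything but '//'."""
    m = URL_RE.match(url)
    return bool(m) and m.group(2) != "//"


def scan_emails(emails):
    """Return (message_id, url, host_the_browser_would_use) for each link
    matching the report's threat pattern, ready for a mailbox search."""
    hits = []
    for msg_id, body in emails:
        for m in URL_RE.finditer(body):
            url = m.group(0)
            if is_malformed_prefix(url):
                hits.append((msg_id, url, browser_host(url)))
    return hits
```

Running `scan_emails(SAMPLE_EMAILS)` flags msg-001 and msg-003 and reports the host a browser would actually contact, which `naive_host` misses entirely for both.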

An example of an email with an “audio message” alert. Source: GreatHorn.

Kevin O’Brien, CEO and co-founder of GreatHorn, told Threatpost that these
malformed URL attacks could be mitigated through third-party solutions able to
perform more nuanced analysis.

“There are a variety of API-native solutions that have come into the market in
the last five years,” O’Brien said. “Many of these solutions are designed to
specifically address the kinds of threats that both legacy secure email gateways
and platforms are incapable of analyzing or identifying, providing robust
remediation options, and highlighting to users when they’re about to go
somewhere they don’t need to go to, such as what we saw in this attack.”


EMAIL PHISHING SCAMS MORE COMMON, MORE EXPENSIVE

The report drops amid a particularly lucrative period for phishing scams.
Proofpoint’s recent 2020 State of the Phish showed a 14 percent jump in U.S.
phishing attacks over the past year.

“Threat actors worldwide are continuing to target people with agile, relevant
and sophisticated communications—most notably through the email channel, which
remains the top threat vector,” Alan LeFort, senior vice president and general
manager of Security Awareness Training for Proofpoint said. “Ensuring users
understand how to spot and report attempted cyberattacks is undeniably
business-critical, especially as users continue to work remotely — often in a
less secured environment. While many organizations say they are delivering
security awareness training to their employees, our data shows most are not
doing enough.”


