Threat hunters say they’ve seen a concerted rise in the use of a phishing tactic designed to bypass traditional email defenses by subtly changing the prefixes (a.k.a. schemes) of malicious URLs in hyperlinks.
In other words, rather than a URL beginning with “http://” it instead starts with “http:/”. Yet the rest of the URL remains the same. “The URLs don’t fit the ‘known bad’ profiles developed by simple email scanning programs, allowing them to slip through undetected,” explains a blog post today from the GreatHorn Threat Intelligence Team.
Email recipients generally won’t immediately notice the issue either because the malicious link is hidden behind a call-to-action button such as “Click Here.” Or “Play Audio.” However, even if they were to check out the authenticity of the link before clicking, it’s possible users would still not notice the very minute change in the prefix.
The trick works because the double slashes in URL addresses are entirely extraneous, and do not play an actual role in directing users to a given website. “Whether you place the // or make it a /, the URL takes you to the same destination because nothing is actually being communicated within this part of the protocol,” said Kevin O’Brien, GreatHorn co-founder and CEO, in an email interview.
Explaining further, O’Brien said the attackers are essentially taking advantage of a loophole that exploits differences in how email defenses treat URLs and how web browsers interpret URL hyperlinks: “Traditional defenses are looking for strict adherence to the http spec, which says a valid URL is prefixed with either https:// or http://,” he said. “But browsers are forgiving and assume you meant to do // when you accidentally type / , so they fix it for you and automatically convert it to http:// which takes you to the destination.”
“The browser will say, 'Oh, I know what you meant' and take you there.”
URL alteration has long existed as a trick of phishing scammers, and there were differing viewpoints among experts as to just how new this technique is. GreatHorn told SC Media this particular tactic was only previously seen in small “one-off scams,” until a sudden surge in this technique that began in October 2020 and escalated further in January 2021.
“Cybercriminals will develop a new technique and after using it themselves, will either sell a phishing kit in dark web forums or other cybercriminals will identify the technique and leverage it for their own nefarious activities,” said O’Brien. “It appears that this technique has been rapidly adopted across a wide network in recent months.”
According to the company, a high-volume credential phishing campaign leveraging this technique has especially targeted Office 365 users, with notable high rates of incidents against companies in the following verticals: pharmaceutical, lending, general contracting and construction management, and telecom/broadband.
Some of the phishing emails impersonated a voicemail-over-email service as a lure, and used additional deception tactics including spoofed display names and the use of open redirection domains. Users who clicked on the call-to-action button were taken to a lookalike landing page where they were asked to shared their credentials.
James Hoddinott, M3AAWG technical messaging committee co-chair, said URL manipulation tactics “have existed for quite a while, especially since email clients supporting HTML became popular.” But Josh Douglas, vice president of product management and threat intelligence at Mimecast, said this particular campaign takes URL manipulation “a step further because typically this has been thought of as only a web security issue; however, email and web activities are very closely intertwined.”
“Some systems may never detect these types of deception attacks because they think of security as an isolated case of detection vs an ecosystem of sharing," said Douglas. "They also only look at it in the context of their domain vs email knowing about web, and web knowing about email.”
That’s why having well-integrated email and web security systems that support each other is important. “Security teams should be heavily focused on tiered defense, with email and web security systems that can share information and cross-validated deceptions like the one outlined,” Douglas explained.
Other recommendations offered up by experts included security awareness training for employees, using browser isolation with email, and implementing a more robust advanced email security solution with features such as machine vision and artificial intelligence that can help identify and block credential theft attempts.
As for traditional email scanners, “The use of multiple filtration strategies should be applied by the scanners,” said Hoddinott. “Even with this manipulation, a domain and URL path are easily recognized by the filtration system.” Additionally, “reputation systems and string matching can be employed whether or not the scheme, port, or even HTTP authentication parts are used by the attacker.”