Attackers Exploit URL Protections to Disguise Phishing Links

Summary:
Cybercriminals are exploiting legitimate URL protection services to disguise phishing links, according to Barracuda researchers. These services, intended to protect users from malicious websites by rewriting URLs, are being misused to mask phishing URLs and direct victims to credential-harvesting sites. This sophisticated tactic has reportedly targeted hundreds of companies.

URL protection services typically work by copying, rewriting, and embedding original URLs within a new, "wrapped" link. When users click on these links, an email security scan is triggered. If the scan clears the URL, users are redirected to the site; if not, they are blocked.

However, attackers have found ways to manipulate these services. By compromising accounts, they gain access to the URL protection service, allowing them to rewrite their own phishing URLs and disguise their malicious intent. Account compromise of this kind, known as conversation hijacking, lets attackers impersonate account owners, send phishing emails from compromised accounts, and examine email communications.


To exploit the URL protection service, attackers either access internal systems to get the phishing URL rewritten (which is rare) or, more commonly, send an outbound email to themselves using the compromised account, embedding the phishing link. The URL protection service then rewrites the link, and the attacker uses the rewritten link in subsequent phishing emails targeting the organization’s employees.

Security Officer Comments:
This method bypasses many traditional email security tools, which often fail to detect these tactics. The use of trusted security brands can give users a false sense of security, increasing the likelihood of clicking on malicious links. In addition to this method, attackers are using QR codes (quishing attacks) and leveraging popular legitimate services to conduct phishing campaigns, making it harder for security tools to distinguish between malicious and benign emails.


Suggested Corrections:
Recommendations from Barracuda Networks:

The most effective defense is a multilayered approach, with various levels of security that can detect and block unusual or unexpected activity, however complex. Solutions that include machine-learning capabilities, both at the gateway level and post-delivery, will ensure companies are well protected. As with all email-borne threats, security measures should be complemented by active and regular security awareness training for employees on the latest threats and how to spot and report them.
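One check that fits such a layered approach is to judge a wrapped link by the destination embedded in it rather than by the wrapper's brand. The sketch below is an added example, not part of the Barracuda recommendations or either linked article; the wrapper hostnames, query parameter names and blocked host are constructed placeholders to be replaced with the formats your own vendors document.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed wrapper table: wrapper host -> query parameter holding the original URL.
# Hypothetical values; fill in from the formats your own vendors document.
WRAPPERS = {
    "urlwrap.example-security.test": "u",
    "linkguard.example-vendor.test": "url",
}
OUR_WRAPPER = "urlwrap.example-security.test"   # assumption: the service this org uses
MAX_DEPTH = 5                                    # stop on deeply nested or looping wraps


def _wrapper_for(host):
    """Return the matching wrapper host (exact or subdomain match only), or None."""
    for known in WRAPPERS:
        if host == known or host.endswith("." + known):
            return known
    return None


def unwrap(url):
    """Peel nested wrappers. Returns (inner_url, list of wrapper hosts peeled)."""
    peeled = []
    for _ in range(MAX_DEPTH):
        parts = urlsplit(url)
        known = _wrapper_for((parts.hostname or "").lower())
        if known is None:
            break
        inner = parse_qs(parts.query).get(WRAPPERS[known])
        if not inner:
            break                                # wrapper link without a payload
        peeled.append(known)
        url = inner[0]                           # parse_qs already percent-decodes
    return url, peeled


def assess(url, blocked_hosts):
    """Judge a link by its inner destination, never by the wrapper's brand."""
    inner, peeled = unwrap(url)
    inner_host = (urlsplit(inner).hostname or "").lower()
    reasons = []
    if any(w != OUR_WRAPPER for w in peeled):
        reasons.append("wrapped-by-other-service")
    if len(peeled) > 1:
        reasons.append("nested-wrapping")
    if inner_host in blocked_hosts:
        reasons.append("inner-host-blocked")
    return {"inner_host": inner_host, "wrappers": peeled, "reasons": reasons}
```

Feed `assess` every link extracted from inbound mail at the gateway and again post-delivery, so a destination that turns bad after the wrapper was issued is still caught.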


Link(s):
https://www.infosecurity-magazine.com/news/attackers-exploit-url-protections/
https://blog.barracuda.com/2024/07/15/threat-spotlight-attackers-abuse-url-protection-services