threatpost.com
35.173.160.135
Public Scan
URL:
https://threatpost.com/malformed-url-prefix-phishing-attacks-spike-6000/164132/
Submission: On May 22 via manual from UA — Scanned from DE
Form analysis
3 forms found in the DOM
POST /malformed-url-prefix-phishing-attacks-spike-6000/164132/#gf_5
<form method="post" enctype="multipart/form-data" target="gform_ajax_frame_5" id="gform_5" action="/malformed-url-prefix-phishing-attacks-spike-6000/164132/#gf_5">
<div class="gform_body gform-body">
<ul id="gform_fields_5" class="gform_fields top_label form_sublabel_below description_below">
<li id="field_5_8" class="gfield field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label screen-reader-text" for="input_5_8">Your name</label>
<div class="ginput_container ginput_container_text"><input name="input_8" id="input_5_8" type="text" value="" class="medium" placeholder="Your name" aria-invalid="false"> </div>
</li>
<li id="field_5_1" class="gfield gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label screen-reader-text" for="input_5_1">Your e-mail address<span
class="gfield_required"><span class="gfield_required gfield_required_asterisk">*</span></span></label>
<div class="ginput_container ginput_container_email">
<input name="input_1" id="input_5_1" type="text" value="" class="medium" placeholder="Your e-mail address" aria-required="true" aria-invalid="false">
</div>
</li>
<li id="field_5_9" class="gfield js-kaspersky-gform-recaptcha-placeholder gform_hidden field_sublabel_below field_description_below gfield_visibility_hidden">
<div class="ginput_container ginput_container_text"><input name="input_9" id="input_5_9" type="hidden" class="gform_hidden" aria-invalid="false" value=""></div>
</li>
<li id="field_5_2" class="gfield input-without-label label-gdpr gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label screen-reader-text gfield_label_before_complex"><span
class="gfield_required"><span class="gfield_required gfield_required_asterisk">*</span></span></label>
<div class="ginput_container ginput_container_checkbox">
<ul class="gfield_checkbox" id="input_5_2">
<li class="gchoice gchoice_5_2_1">
<input class="gfield-choice-input" name="input_2.1" type="checkbox" value="I agree" id="choice_5_2_1">
<label for="choice_5_2_1" id="label_5_2_1">I agree to my personal data being stored and used to receive the newsletter</label>
</li>
</ul>
</div>
</li>
<li id="field_5_5" class="gfield input-without-label label-gdpr gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label screen-reader-text gfield_label_before_complex"><span
class="gfield_required"><span class="gfield_required gfield_required_asterisk">*</span></span></label>
<div class="ginput_container ginput_container_checkbox">
<ul class="gfield_checkbox" id="input_5_5">
<li class="gchoice gchoice_5_5_1">
<input class="gfield-choice-input" name="input_5.1" type="checkbox" value="I agree" id="choice_5_5_1">
<label for="choice_5_5_1" id="label_5_5_1">I agree to accept information and occasional commercial offers from Threatpost partners</label>
</li>
</ul>
</div>
</li>
<li id="field_5_10" class="gfield gform_validation_container field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label" for="input_5_10">Name</label>
<div class="ginput_container"><input name="input_10" id="input_5_10" type="text" value=""></div>
<div class="gfield_description" id="gfield_description_5_10">This field is for validation purposes and should be left unchanged.</div>
</li>
</ul>
</div>
<div class="gform_footer top_label"> <input type="submit" id="gform_submit_button_5" class="gform_button button screen-reader-text" value="Subscribe"
onclick="if(window['gf_submitting_5']){return false;} window['gf_submitting_5']=true; "
onkeypress="if( event.keyCode == 13 ){ if(window['gf_submitting_5']){return false;} window['gf_submitting_5']=true; jQuery('#gform_5').trigger('submit',[true]); }" disabled="disabled"
style="display: none;"> <input type="hidden" name="gform_ajax" value="form_id=5&title=&description=&tabindex=0">
<input type="hidden" class="gform_hidden" name="is_submit_5" value="1">
<input type="hidden" class="gform_hidden" name="gform_submit" value="5">
<input type="hidden" class="gform_hidden" name="gform_unique_id" value="">
<input type="hidden" class="gform_hidden" name="state_5" value="WyJbXSIsImIwODQwZTA2ZGQ0NzYwODcyOTBkZjNmZDM1NDk2Y2ZkIl0=">
<input type="hidden" class="gform_hidden" name="gform_target_page_number_5" id="gform_target_page_number_5" value="0">
<input type="hidden" class="gform_hidden" name="gform_source_page_number_5" id="gform_source_page_number_5" value="1">
<input type="hidden" name="gform_field_values" value="">
</div>
<p style="display: none !important;"><label>Δ<textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100"></textarea></label><input type="hidden" id="ak_js_1" name="ak_js" value="1653203096107">
<script>
document.getElementById("ak_js_1").setAttribute("value", (new Date()).getTime());
</script>
</p>
</form>
GET https://threatpost.com/
<form class="c-site-search__form" role="search" method="get" action="https://threatpost.com/">
<input type="text" class="c-site-search__field" name="s" placeholder="Search">
<button type="submit" class="c-button c-button--secondary c-button--smaller c-site-search__button" value="Search"><svg class="icon fill">
<use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://threatpost.com/wp-content/themes/threatpost-2018/assets/sprite/icons.svg#icon-search"></use>
</svg> Search</button>
<div class="c-site-search__overlay"></div>
</form>
GET https://threatpost.com/
<form class="c-site-search__form" role="search" method="get" action="https://threatpost.com/">
<input type="text" class="c-site-search__field" name="s" placeholder="Search">
<button type="submit" class="c-button c-button--secondary c-button--smaller c-site-search__button" value="Search"><svg class="icon fill">
<use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://threatpost.com/wp-content/themes/threatpost-2018/assets/sprite/icons.svg#icon-search"></use>
</svg> Search</button>
<div class="c-site-search__overlay"></div>
</form>
Text Content
MALFORMED URL PREFIX PHISHING ATTACKS SPIKE 6,000%

Author: Becky Bracken
February 19, 2021 4:06 pm

Sneaky attackers are flipping backslashes in phishing email URLs to evade protections, researchers said.

Researchers from GreatHorn report they have observed a nearly 6,000-percent jump in attacks using “malformed URL prefixes” to evade protections and deliver phishing emails that look legit. They look legit, that is, unless you look closely at the symbols used in the prefix before the URL.

“The URLs are malformed, not utilizing the normal URL protocols, such as http:// or https://,” researchers said in a blog post about their findings. “Instead, they use http:/\ in their URL prefix.”

The slashes in the address are largely superfluous, the GreatHorn report explained, so browsers and many scanners don’t even look at them.

Typosquatting is a common phishing email tactic in which everyday business names are misspelled, like “amozon.com,” to try to trick unobservant users into clicking. But these days, researchers explained, most people know to look for these kinds of email scams, so threat actors have had to evolve too.

EMAIL PROTECTIONS IGNORE BACKSLASHES IN URL PREFIX

“The URLs don’t fit the ‘known bad’ profiles developed by simple email scanning programs, allowing them to slip through undetected,” researchers said. “They may also slip past human eyes that aren’t accustomed to looking in the prefix for signs of suspicious activity.”

The researchers reported they first noticed this new tactic last October, and said that it has been quickly gaining momentum ever since — with attacks between January and early February spiking by 5,933 percent, they said.

WHAT DOES A MALFORMED URL ATTACK LOOK LIKE?

GreatHorn provided an example of a malformed URL phishing email with the address: “http:/\brent.johnson.australiasnationalskincheckday.org.au//exr/brent.johnson@impacteddomain.com”

The phishing email appears to be sent from a voicemail service, the researchers explained. The email contains a link to play the voice message “Play Audi Date.wav” which redirects to a malicious site, the team reported.

A phishing page with a ReCAPTCHA. Source: GreatHorn.

“The website even includes a reCAPTCHA, a common security feature of legitimate websites, showing the sophistication and subtlety of the attempted attack,” they explained.

The next page looks like an Office login page and asks for a username and password, the report said. Once they are entered, the attackers have control of the account credentials.

Office 365 users were far more likely to experience this type of breach, the report added, at a “much higher rate than organizations running Google Workspace as their cloud email environment.”

A fake Microsoft sign-in page. Source: GreatHorn.

The attackers using these malformed URLs have engaged in a variety of tactics to deliver their malware, including using a spoofed display name to impersonate the user’s company internal email system; avoiding scanners searching for “known bad” domains by sending from an address with no established relationship with the business; embedding a link in phishing emails which opens a redirector domain; and using language to give the user a sense of “urgency” in the message, the report explained.

The report recommended “that security teams search their organizational email for messages containing URLs that match the threat pattern (http:/\) and remove any matches,” to keep their systems protected.

An example of an email with an “audio message” alert. Source: GreatHorn.

Kevin O’Brien, CEO and co-founder of GreatHorn, told Threatpost that these malformed URL attacks could be mitigated through third-party solutions able to perform more nuanced analysis.

“There are a variety of API-native solutions that have come into the market in the last five years,” O’Brien said. “Many of these solutions are designed to specifically address the kinds of threats that both legacy secure email gateways and platforms are incapable of analyzing or identifying, providing robust remediation options, and highlighting to users when they’re about to go somewhere they don’t need to go to, such as what we saw in this attack.”

EMAIL PHISHING SCAMS MORE COMMON, MORE EXPENSIVE

The report drops amid a particularly lucrative period for phishing scams. Proofpoint’s recent 2020 State of the Phish showed a 14 percent jump in U.S. phishing attacks over the past year.

“Threat actors worldwide are continuing to target people with agile, relevant and sophisticated communications—most notably through the email channel, which remains the top threat vector,” Alan LeFort, senior vice president and general manager of Security Awareness Training for Proofpoint said. “Ensuring users understand how to spot and report attempted cyberattacks is undeniably business-critical, especially as users continue to work remotely — often in a less secured environment. While many organizations say they are delivering security awareness training to their employees, our data shows most are not doing enough.”
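
The mailbox search the report recommends, sketched as an added example (not code from the article or from GreatHorn). It goes beyond the literal "http:/\" pattern and flags any http/https prefix whose slash run is not exactly "//", then reports the host a lenient client would end up at. The function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlsplit

# scheme, the run of '/' and '\' after the colon, then the rest of the URL
URL_RE = re.compile(r"\b(https?):([/\\]+)([^\s\"'<>/\\][^\s\"'<>]*)", re.IGNORECASE)


def find_malformed_urls(text):
    """Return one finding per URL whose prefix is not exactly '//'."""
    findings = []
    for m in URL_RE.finditer(text):
        scheme, slashes, rest = m.groups()
        if slashes == "//":
            continue  # well-formed prefix, nothing to report
        # Assumption (per the article: browsers ignore the slashes): the client
        # repairs the prefix and treats '\' as '/'.
        repaired = scheme.lower() + "://" + rest.replace("\\", "/")
        findings.append({
            "raw": m.group(0),
            "prefix": scheme + ":" + slashes,
            "repaired": repaired,
            "host": urlsplit(repaired).hostname,
        })
    return findings


def scan_message(raw_email):
    """Scan every text part (plain and HTML) of an RFC 5322 message."""
    msg = message_from_string(raw_email, policy=default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            hits.extend(find_malformed_urls(part.get_content()))
    return hits


# Constructed sample message; all domains are reserved .example names.
SAMPLE = r"""From: Voicemail <no-reply@sender.example>
To: user@corp.example
Subject: New voice message
Content-Type: text/html; charset="utf-8"

<p>New message: <a href="http:/\vm.portal.example/exr/user@corp.example">Play</a></p>
<p>Help: <a href="https://support.corp.example/faq">FAQ</a></p>
"""

if __name__ == "__main__":
    for hit in scan_message(SAMPLE):
        print(hit["prefix"], hit["host"], hit["raw"])
```

Reporting the repaired host alongside the raw string lets the result be checked against existing domain blocklists, which the raw malformed URL would not match.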