05 June 2022

EVASIVE PHISHING

Another non-stop for malicious activities reported in Bleeping Computer today

Evasive phishing mixes reverse tunnels and URL shortening services

Bill Toulas
  • June 5, 2022
  • 11:06 AM
    • BleepingComputer

    "Security researchers are seeing an uptick in the use of reverse tunnel services along with URL shorteners for large-scale phishing campaigns, making the malicious activity more difficult to stop.

    This practice deviates from the more common method of registering domains with hosting providers, who are likely to respond to complaints and take down the phishing sites.

    With reverse tunnels, threat actors can host the phishing pages locally on their own computers and route connections through the external service. Using a URL shortening service, they can generate new links as often as they want to bypass detection.

    Many of the phishing links are refreshed in less than 24 hours, making tracking and taking down the domains a more challenging task.

    Service abuse

    Digital risk protection company CloudSEK observed an increase in the number of phishing campaigns that combine services for reverse tunneling and URL shortening.

    In a report the company shared with BleepingComputer, researchers say they found more than 500 sites hosted and distributed this way.

    The most widely abused reverse tunnel services that CloudSEK found in their research are Ngrok, LocalhostRun, and Cloudflare's Argo. They also saw Bit.ly, is.gd, and cutt.ly URL shortening services being more prevalent.

    Reverse tunnel services shield the phishing site by handling all connections to the local server it is hosted on. This way, any incoming connection is resolved by the tunnel service and forwarded to the local machine.

    The modus operandi of the phishing actors
    The modus operandi of the phishing actors (CloudSEK)

    Victims interacting with these phishing sites end up with their sensitive data being stored directly on the attacker's computer.

    By using URL shortners, the threat actor masks the name of the URL, which is typically a string of random characters, CloudSEK says. Thus, a domain name that would raise suspicions is hidden in a short URL.

    According to CloudSEK, adversaries are distributing these links through popular communication channels like WhatsApp, Telegram, emails, text, or fake social media pages. 

    It is worth noting that misuse of these services isn’t new. For example, Cyble presented evidence of Ngrok abuse in February 2021. However, as per CloudSEK’s findings, the problem is getting worse. . ."

    Related Articles:

    Bored Ape Yacht Club, Otherside NFTs stolen in Discord server hack

    Microsoft disrupts Bohrium hackers’ spear-phishing operation

    RuneScape phishing steals accounts and in-game item bank PINs

    Telegram’s blogging platform abused in phishing attacks

    Intuit warns of QuickBooks phishing threatening to suspend accounts

     

    at

    No comments:

    Post a Comment

    Subscribe to: Post Comments (Atom)

    The So-Called "Axis of Evil" Explained