Phishing Campaign Alters Prefix In Hyperlinks To Bypass Email Defenses

New Phishing Scheme With Altered URL Prefixes In Emails

Researchers the GreatHorn Threat Intelligence Team reported the latest phishing scheme designed to bypass a victim’s email client defenses by changing the prefixes (aka schemes) of malicious URLs.

The latest tactic used by email phishing attackers doesn’t rely on misspelled words in the URL nor similarly looking ones – a common practice used by cybercriminals to induce the user to open the malicious link. Instead, the researchers saw malicious URLs that start with “http:/\” instead of normal “http://” with the main body of the URL remaining the same.

“The URLs don’t fit the ‘known bad’ profiles developed by simple email scanning programs, allowing them to slip through undetected,” the GreatHorn Threat Intelligence Team explained in their report. 

At the same time, most browsers ignore the prefixes, because they are always the same, and take a user directly to the web page. 

This type of attack involving malformed URL prefixes first appeared a while ago but is increasingly employed by cybercriminals. Just in January, the volume of such phishing attacks with malformed URLs increased by 5,933%, the GreatHorn researchers say.

Organizations in the following sectors are targeted more than others: pharmaceuticals, lending, general contracting and construction management, cable, mobile and high-speed broadband. In addition, bad actors target organizations that use Office 365 much more often than organizations running Google Workspace.

In the report, the researchers detail a phishing campaign in which the scammer impersonates a voicemail service and tries to make a user click on the following link:

http:/\brent.johnson.australiasnationalskincheckday.org.au//exr/brent.johnson@impacteddomain.com

Phishing Campaign Alters Prefix In Hyperlinks To Bypass Email Defenses

When the user clicks on the button “Play Audio…” they are redirected to a malicious website. After solving a CAPTCHA, the user sees a landing page that is identical to a Microsoft Office login page.

Phishing Campaign Alters Prefix In Hyperlinks To Bypass Email Defenses

If the user enters their login details, the scammers will get what they were after.

Organizations are advised to implement solutions that do not overlook malformed URL prefixes to block credential theft attempts described above.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.

Share:

Share on facebook
Share on twitter
Share on linkedin