Cybercriminals are constantly changing their tactics in order for their attacks to avoid detection and security researchers from GreatHorn (opens in new tab) have discovered a new phishing (opens in new tab) campaign capable of bypassing traditional URL defenses.
While many phishing scams involve changing the letters of a popular site's URL in order to trick users into navigating to fake landing pages, this new campaign changes the symbols used in the prefix that goes before the URL.
The URLs used in the campaign are malformed and don't utilize normal URL protocols (opens in new tab) such as http:// or https://. Instead, they use http:/\ in their URL prefix. As a colon and two forward slashes have always been used in the standard URL format, most browsers (opens in new tab) automatically ignore this factor.
- We've built a list of the best antivirus (opens in new tab) software available
- These are the best identity theft protection (opens in new tab) solutions on the market
- Also check out our roundup of the best ransomware protection (opens in new tab)
As a result, the cybercriminals behind this new campaign are able to ensure that their phishing pages are able to get around many email scanners (opens in new tab) and reach their intended targets.
Malformed prefix attacks
According to a new blog post (opens in new tab) from the GreatHorn Threat Intelligence Team, these malformed prefix attacks first emerged in October of last year and gained momentum through the end of the year. In fact, between the first week of January and early February, the volume of email phishing attacks utilizing malformed URL prefixes increased by a whopping 5,933 percent.
While these phishing attempts have been identified at organizations across a variety of industries, organizations in the pharmaceutical, lending, construction and cable verticals are being targeted at a higher rate than others. Additionally, organizations running Office 365 (opens in new tab) were the targets of these attacks at a much higher rate than those running Google Workspace (opens in new tab) as their cloud email environment.
In one such attack identified by GreatHorn, the phishing email led to a fake landing page that was nearly identical to a Microsoft Office (opens in new tab) login page. If an unsuspecting user tried to login on this page, they would be providing the attackers with their credentials which would give them access to their email contact lists and other sensitive data found in their cloud storage (opens in new tab).
To prevent falling victim to a malformed prefix attack, GreatHorn recommends that organizations provide their employees with training on how to spot a suspicious URL prefix. At the same time though, security teams should search their organization's email for any messages containing URLs that match this threat pattern and remove them.
- We've also highlighted the best email services (opens in new tab)