Cybercriminals have found a devious new way to trick you with phishing scams

Person typing
(Image credit: Shutterstock)
Audio player loading…

Cybercriminals are constantly changing their tactics in order for their attacks to avoid detection and security researchers from GreatHorn (opens in new tab) have discovered a new phishing (opens in new tab) campaign capable of bypassing traditional URL defenses.

While many phishing scams involve changing the letters of a popular site's URL in order to trick users into navigating to fake landing pages, this new campaign changes the symbols used in the prefix that goes before the URL.

The URLs used in the campaign are malformed and don't utilize normal URL protocols (opens in new tab) such as http:// or https://. Instead, they use http:/\ in their URL prefix. As a colon and two forward slashes have always been used in the standard URL format, most browsers (opens in new tab) automatically ignore this factor.

As a result, the cybercriminals behind this new campaign are able to ensure that their phishing pages are able to get around many email scanners (opens in new tab) and reach their intended targets.

Malformed prefix attacks

According to a new blog post (opens in new tab) from the GreatHorn Threat Intelligence Team, these malformed prefix attacks first emerged in October of last year and gained momentum through the end of the year. In fact, between the first week of January and early February, the volume of email phishing attacks utilizing malformed URL prefixes increased by a whopping 5,933 percent.

While these phishing attempts have been identified at organizations across a variety of industries, organizations in the pharmaceutical, lending, construction and cable verticals are being targeted at a higher rate than others. Additionally, organizations running Office 365 (opens in new tab) were the targets of these attacks at a much higher rate than those running Google Workspace (opens in new tab) as their cloud email environment.

In one such attack identified by GreatHorn, the phishing email led to a fake landing page that was nearly identical to a Microsoft Office (opens in new tab) login page. If an unsuspecting user tried to login on this page, they would be providing the attackers with their credentials which would give them access to their email contact lists and other sensitive data found in their cloud storage (opens in new tab).

To prevent falling victim to a malformed prefix attack, GreatHorn recommends that organizations provide their employees with training on how to spot a suspicious URL prefix. At the same time though, security teams should search their organization's email for any messages containing URLs that match this threat pattern and remove them.

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.