The most often recommended piece of anti-phishing advice is for all users to “hover” over a URL link before clicking on it. It is great advice.
It does assume that the involved users know how to tell the difference between rogue and legitimate URL links. If you or someone you know does not know how to tell the difference between malicious and legitimate URL links, tell them to watch my one-hour webinar on the subject.
We are going to recommend a slight update on the rule. We will call it the Hover, Click, and Inspect Again Rule.
This is because a growing variety of technologies, some of them new and some of them old, makes a one-time, initial inspection insufficient. There are a growing number of ways to present a URL so that the first inspection is difficult or impossible to rely on. Here are some of those techniques and technologies:
Any URL can be converted to a “shortened URL”. There are dozens of services on the Internet (e.g., goo.gl, t.co, bit.ly) that let anyone submit any URL and receive a newly generated, almost always shorter, URL that points to the shortening service. When a user clicks on a shortened URL, it takes the user’s browser to the shortening service, which then redirects it to the longer URL it is associated with. For example, the shortened URL, https://tinyurl.com/5n92dk34, takes you to https://www.knowbe4.com/qr-code-phishing-security-test.
Short URLs complicate URL inspection because the shortened URL gives you no context to determine whether the destination URL it is taking you to is legitimate or not. The best you can do is go to the involved URL shortening service, input the shortened URL, and have the service tell you which longer URL it resolves to (before actually being taken to the longer destination URL). For most people, if they do not want to do the intermediate check with the URL shortening service first, they are left with either not clicking on the shortened URL or clicking on it and then inspecting the URL they end up landing on as the final destination.
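The intermediate check described above can also be done without a shortening service's lookup page: ask for each hop's response headers one at a time, without following the redirect automatically and without loading the landing page. The script below is an added example written for this article, not KnowBe4 code or any shortener's API; the hostnames in its response table (short.example, track.example, brand.example, loop.example) are constructed placeholders that stand in for live HTTP responses, and the resolve_chain, fake_head and live_head names are the example's own.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed redirect table that stands in for live HTTP responses in this
# example. Hostnames are placeholders, not real shortener or brand domains.
# Format: URL -> (HTTP status, Location header or None)
FAKE_RESPONSES = {
    "https://short.example/abc": (301, "https://track.example/r?id=1"),
    "https://track.example/r?id=1": (302, "/landing"),          # relative Location header
    "https://track.example/landing": (302, "https://www.brand.example/login"),
    "https://www.brand.example/login": (200, None),              # a page, not a redirect
    "https://loop.example/a": (302, "https://loop.example/b"),
    "https://loop.example/b": (302, "https://loop.example/a"),   # redirect loop
}


def fake_head(url):
    """Offline stand-in for an HTTP HEAD request: returns (status, Location)."""
    return FAKE_RESPONSES.get(url, (404, None))


def live_head(url, timeout=5):
    """One HTTP HEAD request that does NOT follow redirects, so every hop is
    handed back to the caller. Only response headers are read; no page body
    or script is loaded. Used in place of fake_head when network access is available."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    try:
        conn.request("HEAD", path, headers={"User-Agent": "redirect-inspector/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def resolve_chain(url, head=fake_head, max_hops=10):
    """Walk the redirect chain one hop at a time.

    Returns (chain, outcome): chain lists every URL visited in order, and
    outcome is 'final' (a non-redirect response was reached), 'loop' (a URL
    repeated) or 'too_many_hops' (gave up after max_hops redirects).
    The last element of chain is the URL the user would actually land on."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = head(url)
        if status not in REDIRECT_STATUSES or not location:
            return chain, "final"
        # Location may be relative; resolve it against the current URL as a browser would.
        url = urljoin(url, location)
        chain.append(url)
        if url in seen:
            return chain, "loop"
        seen.add(url)
    return chain, "too_many_hops"


if __name__ == "__main__":
    for start in ("https://short.example/abc", "https://loop.example/a"):
        chain, outcome = resolve_chain(start)
        print(outcome, " -> ".join(chain))
    # For a real shortened link, call resolve_chain(link, head=live_head).
```

Every URL in the returned chain is worth a look, not only the last one: tracking hosts in the middle of a chain are where a legitimate-looking start is often turned into an untrustworthy finish.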
Quick Response (QR) codes are essentially square, barcode-like graphics in which a pattern of blocks represents letters, numbers, and symbols. These days, QR codes are usually encoded to represent URLs. The QR code below ends up converting to the long URL of the QR Code Phishing Security Test.
QR phishing has become very popular these days. Phishers will send out emails with QR codes instead of URLs, because they more easily evade most content filters and users often seem more willing to go to QR code-enabled URLs. These days, it is very common for malicious QR codes to be sent posing as popular brands, such as Microsoft. Below is an example of a phishing email containing a QR code (in this case, sent to one of Microsoft’s most popular leaders, Mark Russinovich, Azure CTO).
Source: Mark Russinovich via Twitter
It can be difficult to impossible to inspect a QR-encoded URL before your device’s browser heads there. So, you have two options. One, do not activate ANY untrusted QR codes. Two, pay attention to the destination URL where the QR code takes you.
Malicious Open Redirects
Malicious open redirects can be the trickiest of all social engineering hacker tricks. Our long-term advice has been for users to hover over the originating URL and, if the URL points to a legitimate location, click on it. Malicious open redirects take advantage of this advice by looking for legitimate websites that allow an unauthorized third party to add information to the legitimate URL that will take any user clicking on it to an additional, unauthorized website. For this to work, the involved legitimate website must have a coding vulnerability that allows an unauthorized attacker to append the attacker’s destination URL to the original, legitimate URL.
For example, in this malicious open redirect attack from years ago, the legitimate vendor Adobe allowed an open redirect variable to be appended to any URL on the legitimate adobe.com. In this particular case, the variable that allowed the open redirect was “p1”. Here is an example of that Adobe open redirect (now long fixed):
Any URL assigned to the p1 variable would cause a visiting user’s browser to be automatically redirected to that website, in this example a fake www.maliciousdomain.com. Any user hovering over the original link would see adobe.com as the legitimate domain, and yes, that is where the user is first taken. But because of the coding vulnerability, any attacker who sent a user the link above with the p1 variable populated, in a phishing email or on a compromised website, could send that user on to another, unauthorized destination.
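Both sides of the open redirect problem can be checked mechanically. On the user's side, a hovered link whose query string carries a second, absolute URL pointing at a different host is the tell-tale shape of the p1 pattern above; on the site owner's side, the fix is to refuse any redirect target that is not a same-site path or an explicitly allowlisted host. The code below is an added example written for this article, not Adobe's code or KnowBe4's; the hostnames legit.example and www.maliciousdomain.example are constructed stand-ins for the adobe.com and www.maliciousdomain.com of the story, and embedded_redirect_targets and safe_redirect_target are the example's own names.

```python
from urllib.parse import parse_qsl, unquote, urlsplit


def embedded_redirect_targets(url):
    """Inspect a hovered link and return (parameter, target) pairs for every
    query parameter whose value is an absolute or protocol-relative URL
    pointing at a different host than the link itself. These are the
    open-redirect candidates: the link starts on the legitimate host, but the
    parameter says where the user may be sent next. The parameter name is
    irrelevant (Adobe's was p1), so every parameter is checked."""
    parts = urlsplit(url)
    link_host = (parts.hostname or "").lower()
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        candidate = unquote(value)  # parse_qsl decoded once; this also catches double-encoding
        try:
            target = urlsplit(candidate)
        except ValueError:
            continue
        target_host = (target.hostname or "").lower()
        if target_host and target_host != link_host and target.scheme in ("", "http", "https"):
            findings.append((name, candidate))
    return findings


def safe_redirect_target(value, allowed_hosts=(), fallback="/"):
    """Server-side counterpart: validate a redirect parameter before issuing
    the redirect. Accepts only same-site absolute paths or hosts on an explicit
    allowlist; anything else is replaced by a fixed safe location."""
    if "\\" in value or any(ord(c) < 0x20 for c in value):
        return fallback  # browsers treat '/\\evil.example' like '//evil.example'
    try:
        target = urlsplit(value)
    except ValueError:
        return fallback
    if not target.scheme and not target.netloc:
        # Plain path such as '/account'; '//host/path' has a netloc and is rejected below.
        if value.startswith("/") and not value.startswith("//"):
            return value
        return fallback
    allowed = {h.lower() for h in allowed_hosts}
    # hostname strips any 'user@' prefix, so 'https://help.legit.example@evil.example/'
    # is judged by its real host, evil.example.
    if target.scheme in ("http", "https") and (target.hostname or "").lower() in allowed:
        return value
    return fallback


if __name__ == "__main__":
    # Constructed link in the shape of the p1 open redirect described in the article.
    hovered = "https://legit.example/go?p1=https%3A%2F%2Fwww.maliciousdomain.example%2Flogin&id=7"
    print(embedded_redirect_targets(hovered))
    for v in ("/account", "//www.maliciousdomain.example/x", "https://www.maliciousdomain.example/x"):
        print(v, "->", safe_redirect_target(v, allowed_hosts={"help.legit.example"}))
```

A hit from embedded_redirect_targets is not proof of a vulnerability (many sites pass URLs around legitimately), but it tells the hovering user that the first inspection is not the last one they need to do.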
Malicious open redirects happen all the time. Here are some other example news stories regarding open redirect attacks:
There are at least a half dozen, if not dozens, of other ways to trick a user into thinking they are clicking on one thing and then take them somewhere else. All these tricks just reinforce that hovering and inspecting a link before clicking on it isn’t foolproof. Sometimes it takes additional inspections, and the final destination URL is really the one that counts the most.
The answer to all of these malicious tricks is either not to click at all or to re-inspect the final destination URL after clicking on the original URL. In nearly all malicious scenarios, the URL you first click on does not end up being the URL you are interacting with over the entirety of the scam. Usually, malicious HTML code or scripting moves potential victims along across a variety of changing URLs. This is often done to make it harder for law enforcement and other defenders to locate and mitigate the malicious content. But eventually, all potential victims will end up at a non-changing destination URL. It is that destination URL, where the user ends up, that needs to be inspected. Is that URL located in a safe, trusted domain, or does it look less trustworthy?
Legitimate URLs start off with safe, trusted locations and (usually) end there as well. Not all the time, but usually. For example, when you click on a QR code claiming to be from Microsoft, does the URL you are ultimately presented with show that you are in the microsoft.com domain or somewhere else? Legitimate Microsoft QR codes will take you to microsoft.com. Rogue QR codes will take you somewhere else.
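Checking the final destination is where look-alike hosts do their work: “microsoft.com.evil.example”, “www.microsoft.com@evil.example” and a punycode host with swapped characters all contain the expected name while landing somewhere else. The helper below is an added example written for this article, not KnowBe4 code; it uses microsoft.com from the article as the expected domain, the evil.example and similar hosts are constructed look-alikes, and landing_host, belongs_to and inspect_landing are the example's own names.

```python
from urllib.parse import urlsplit


def landing_host(url):
    """Hostname the browser actually connects to (lowercased, trailing dot
    removed). urlsplit().hostname discards any 'user@' prefix, so
    'https://www.microsoft.com@evil.example/' yields 'evil.example'."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower().rstrip(".")


def belongs_to(url, expected_domain):
    """True only if the host is the expected domain or a subdomain of it.
    A plain substring test would wrongly accept 'microsoft.com.evil.example'."""
    host = landing_host(url)
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def inspect_landing(url, expected_domain):
    """Second-stage inspection of the URL the user ended up on after clicking
    or scanning. Returns ('ok', []) or ('suspicious', [reasons...])."""
    reasons = []
    parts = urlsplit(url)
    host = landing_host(url)
    if not host:
        return "suspicious", ["no hostname in URL"]
    if parts.scheme != "https":
        reasons.append("not served over https")
    if parts.username is not None:
        reasons.append("credentials embedded before the host (the real host is %r)" % host)
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalized (punycode) label; possible look-alike characters")
    if not belongs_to(url, expected_domain):
        reasons.append("host %r is not under %r" % (host, expected_domain))
    return ("ok" if not reasons else "suspicious"), reasons


if __name__ == "__main__":
    # Constructed landing URLs: one genuine-shaped, three look-alikes.
    samples = [
        "https://login.microsoft.com/common/oauth2",
        "https://microsoft.com.evil.example/login",
        "http://www.microsoft.com@evil.example/login",
        "https://xn--mcrosoft-0za.example/login",
    ]
    for url in samples:
        verdict, reasons = inspect_landing(url, "microsoft.com")
        print(verdict, url, reasons)
```

The rule the code encodes is the one the paragraph states: the host must end in the expected domain at a label boundary, and what sits to the left of it does not matter. Everything else (the name inside a path, a query string, or a username) is decoration an attacker controls.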
Note: When in doubt about any originating URL or QR code, simply do not click on it or activate it. The safest response is not to follow the URL. But if you are unsure and still want to follow URLs you are not sure about, realize you are taking additional risks. If your device and software are up to date, simply opening a new URL, even a malicious URL, usually will not result in a successful exploitation on its own.
Most of the time, the victim needs to not only visit the malicious URL, but then somehow be tricked into executing further malicious content. But there are zero-day exploits that might be able to execute rogue content without any additional input from the end user (they are also known as “silent drive-by downloads”). So, the safest thing is not to visit any suspected URL. When in doubt, chicken out!
Time to update your advice. Instead of simply saying “hover!” say “Hover, Click, and Inspect Again”. It is not as easy to say and explain, but it is better advice.
KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.