Malicious URLs In Phishing Emails: Hover, Click and Inspect Again



Hover Click and Inspect AgainThe most often recommended piece of anti-phishing advice is for all users to “hover” over a URL link before clicking on it. It is great advice.

It does assume that the involved users know how to tell the difference between rogue and legitimate URL links. If you or someone you know does not know how to tell the difference between malicious and legitimate URL links, tell them to watch my one-hour webinar on the subject.

We are going to recommend a slight update on the rule. We will call it the Hover, Click, and Inspect Again Rule.

Growing Trickery

This is because a growing variety of technologies exists, some of them new, some of them old, which makes a one-time, initial inspection not enough. There are a growing number of ways to render URLs to make the first-time inspection difficult to impossible to rely on. Here are some of those techniques and technologies:

Short URLs

Any URL can be converted to a “shortened URL”. There are dozens of services around the Internet (e.g., goo.gl, t.co, bit.ly, etc.) that allow anyone to submit any URL, which will then create a newly rendered, almost always shorter, URL that points to the shortening service. When a user clicks on a shortened URL, it takes the user’s browser to the shortening service where it is then redirected to the longer URL that it is related to. For example, the shortened URL, https://tinyurl.com/5n92dk34, takes you to https://www.knowbe4.com/qr-code-phishing-security-test.

Short URLs complicate URL inspection because the shortened URL gives you no context to determine if the destination URL it is taking you to is legitimate or not. The best you can do is go to the involved URL shortening service, input the shortened URL, and have the service tell you what longer URL it is converted to (before actually being taken to the longer destination URL). For most people, if they do not want to do the intermediate check with the URL shortening service first, they are left with either not clicking on the shortened URL or clicking on it and then inspecting the URL that they ended up landing on as the final destination. 

QR Codes

Quick Response (QR) codes are essentially a square barcode-like, where a graphic figure is used to represent letters, numbers, and symbols. These days, QR codes are usually encoded to represent URLs. The QR code below ends up converting to the long URL of the QR Code Phishing Security Test

 

 

 

 

 

 

 

 

QR phishing has become very popular these days. Phishers will send out emails with QR codes instead of URLs, because they more easily evade most content filters and users often seem more willing to go to QR code-enabled URLs. These days, it is very common for malicious QR codes to be sent posing as popular brands, such as Microsoft. Below is an example of a phishing email containing a QR code (in this case, sent to one of Microsoft’s most popular leaders, Mark Russinovich, Azure CTO).

Source: Mark Russinovich’s via Twitter 

It can be difficult to impossible to inspect a QR-encoded URL before your device’s browser heads there. So, you have two options. One, do not activate ANY untrusted QR codes. Two, pay attention to the destination URL where the QR code takes you to.

Malicious Open Redirects

Malicious open redirects can be the trickiest of all social engineering hacker tricks. Our long-term advice is for users to hover over the originating URL, and if the URL is pointing to a legitimate location, then click on it. Malicious open redirects take advantage of this advice by looking for legitimate websites that allow an unauthorized third party to add on more information to the legitimate URL that will take any user clicking on it to an additional, unauthorized website. In order for this to work, the involved legitimate website must have a coding vulnerability that allows other, unauthorized attackers to append the original, legitimate URL with the attacker’s destination URL.

For example, in this malicious open redirect attack from years ago, the legitimate vendor Adobe had an open redirect variable allowed to be appended to any URL that involved legitimate adobe.com. In this particular case, the variable that allowed the open redirect was “p1”. Here is an example of that Adobe open redirect (now long fixed):

http:// t-info.mail.adobe.com/r/?id=hc43f43t4a,afd67070,affc7349&p1=t.mid.accor-mail.com/r/?id=159593f159593159593,hde43e13b13,ecdfafef,ee5cfa06&p1=www.maliciousdomain.com.

Any URL associated with variable p1 would cause a visiting user’s browser to automatically be redirected to that website, in this example case, a fake www.maliciousdomain.com. Any user hovering over the original link would see adobe.com as the legitimate domain, and yes, that is where the user is at first going to be taken. But then because of a coding vulnerability, any attacker sending a user, in a phishing email or compromised website, the link above with the p1 variable utilized, could be used to send the user to another unauthorized destination.

Malicious open redirects happen all the time. Here are some other example news stories regarding open redirect attacks:

There are at least a half dozen other ways, if not dozens of other ways, to trick a user into thinking they are clicking on one thing, but then taking them somewhere else. All these tricks just reinforce that hovering and inspecting a link before clicking on it isn’t foolproof. Sometimes it takes additional inspections, and the final destination URL is really the one that counts the most.

The Solution

The answer to all of these malicious tricks is either not to click at all or to re-inspect the final destination URL after clicking on the original URL. In nearly all malicious scenarios, the URL you first click on does not end up being the URL you are interacting with over the entirety of the scam. Usually, malicious HTML code or scripting moves potential victims along across a variety of changing URLs. This is often done to make it harder for law enforcement and other defenders to locate and mitigate the malicious content. But eventually, all potential victims will end up at a non-changing destination URL. It is that destination URL, where the user ends up, that needs to be inspected. Is that URL located in a safe, trusted domain, or does it look less trustworthy? 

Legitimate URLs start off with safe, trusted locations and (usually) end there as well. Not all the time, but usually. For example, when you click on a QR code claiming to be from Microsoft, does the URL you are ultimately presented with show that you are in the microsoft.com domain or somewhere else? Legitimate Microsoft QR codes will take you to microsoft.com. Rogue QR codes will take you somewhere else.

Note: When in doubt about any originating URL or QR code, simply do not click on it or activate it. The safest response is not to follow the URL. But if you are unsure and want to follow URLs you are not sure about, realize you are taking additional risks. If your device and software is up to date, usually simply opening a new URL alone, even a malicious URL, will not result in a successful exploitation.

Most of the time, the victim needs to not only visit the malicious URL, but then somehow be tricked into executing further malicious content. But there are zero-day exploits that might be able to execute rogue content without any additional input from the end user (they are also known as “silent drive-by downloads”). So, the safest thing is not to visit any suspected URL. When in doubt, chicken out! 

Time to update your advice. Instead of simply saying “hover!” say “Hover, Click, and Inspect Again”. It is not as easy to say and explain, but it is better advice.

KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.


Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

PST ResultsHere's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://www.knowbe4.com/phishing-security-test-offer

Topics: Phishing



Subscribe To Our Blog


Comprehensive Anti-Phishing Guide




Get the latest about social engineering

Subscribe to CyberheistNews