Attackers are using techniques to alter URLs and send victims to rogue and potentially malicious domains.
Speaking at the Infosecurity Online event, Javvad Malik, security advocate at KnowBe4 recommended listeners to look for rogue URLs and “lookalike domains” in phishing messages as it is all too common for a URL to be changed.
Malik said: “A URL can be represented not in how we see it, but use IP addresses and special characters to hide what the real domain name is.” This can include percent encoding, and the URL can be directed elsewhere.
“One technique attackers use is to use a very long URL as people open on their phone and even if they try to expand it, they won’t expand whole thing and click on it anyway,” he said.
Some of the common tactics in phishing include a fake file attachment that is actually an image, which contains a URL, as well as open redirect URL attacks where you think you’re going to one site, “and it could be chain of redirects and it is quite scary.”
If you do need to open a URL, Malik recommended opening it in a safe virtual machine, or turn it over to a forensic expert who will have the right equipment and tools to do so. He also suggested researching the lifespan of the domain, as if it is younger it can be more risky. “Also see if it is on a blacklist,” he said, admitting that most bad domains have short lifespans as attackers remove them when they are detected as being bad.
Malik recommended the best defense for this issue as education, as if a user “hovers” over URLs they can see what the URL is. For business defenses, he also recommended the following:
- Stay Patched
- Don’t Knowingly Allow Code to Execute
- Don’t Download Unexpected Files
- Investigate or Ignore Suspicious URLs
- Execute Suspicious URLs in a Virtual Machine
- Submit to a Malware Inspection Service
Meanwhile for business defenses, he recommended the following:
- Anti-Malware Defenses
- Content Filtering
- Reputation Services
- Make sure Defenses Decode Encoding Before Inspecting
- Make sure Defenses Expand Short URLs
- Keep up to date on the Latest Malicious URL Trends