Criminals misuse URL protection to mask phishing attacks

Researchers at Barracuda Networks have identified a new method by which cybercriminals are exploiting legitimate URL protection services to embed malicious code in phishing emails. This technique, detailed in Barracuda’s Threat Spotlight report, involves using trusted security brands to mask phishing URLs, making it more likely for recipients to click on harmful links.

URL protection services are designed to rewrite all links in inbound emails and scan the destination website in real-time to block suspicious websites. However, attackers have managed to misuse these security tools, redirecting unsuspecting users to phishing pages intended to steal sensitive information.

Three major providers of URL protection services, used by high-profile organisations worldwide, have been targeted in these attacks. “This inventive tactic helps attackers to evade security detection, and the abuse of trusted, legitimate security brands means that recipients are more likely to feel safe and click on the malicious link,” said Saravanan Mohankumar, Manager, Threat Analyst at Barracuda. Mohankumar also noted that URL protection providers might be unable to verify whether the redirect URL is used by an authorised user or an intruder.

From mid-May 2024 onwards, Barracuda’s researchers observed phishing attacks leveraging these URL protection services. Hundreds of companies have been affected so far. The URL protection mechanism works by rewriting the original URL link found in emails, scanning it, and redirecting users if the scan clears the URL. In this exploit, users are redirected to phishing pages designed to harvest sensitive data.

Barracuda researchers suggest that attackers initially gain access to URL protection services by compromising the email accounts of legitimate users. By taking over an email account, attackers can impersonate the account holder and infiltrate their communications, a tactic known as business email compromise (BEC) or conversation hijacking. Attackers then observe the use of URL protection services in email signatures or messages connected to compromised accounts, allowing them to understand which URL protection service is being used.

Using the compromised account, attackers send phishing emails to themselves, obtaining the necessary protection URL for their campaigns. This method enables them to bypass security measures since the phishing email appears to come from a trusted source and contains links vetted by secure URL protection services.

Mohankumar emphasised the persistence of phishing as a threat, noting, “Phishing is a powerful and often successful threat, and cybercriminals will continue to evolve their tools and techniques to maintain this. Security teams need to be prepared.”

To combat such sophisticated attacks, Barracuda recommends a multilayered, AI-powered approach to security. This strategy can detect and block unusual or unexpected activities, regardless of their complexity. It is also advised that organisations conduct regular security awareness training for employees to equip them with the skills to identify and report potential threats.