Disguised Phishing Links
The Cloudflare 2023 Phishing Threats Report highlights the tactic of indirectly linking to malware. The target receives an email, text message or embedded link pointing to a superficially harmless or trusted site, which in turn links to other sites. The initial destination might itself be infected, or it could be the first step in a chain of benign pages that at some stage leads to malware. The purpose of this approach is to bypass software and systems, such as Cloudflare itself, that aim to block potentially harmful content before the unwary recipient can act on it. If an email appears to come from a reliable source and contains no detectable harmful content, it will get through most malware filters.
Hackers have taken a more sophisticated approach: they send messages whose links are initially benign, then weaponise those links after the data has been received, scanned and displayed to the target. If the hacker owns the linked site they are free to add malware code whenever they like, for instance in the gap between sending emails on a Sunday and their being opened on Monday morning. This does require a degree of work on the hacker’s part. The site needs to be set up to look like a reputable one and linked with a believable fake URL that spoofs the original domain. Such sites are unlikely to stay active for long; they will soon be taken down or blocked by security systems or Internet Service Providers, but they only need to be online long enough to fool the target. The imitation site code is not wasted and can be attached to another URL for subsequent attacks. Another plan is to compromise a genuine site in the time between sending and opening the phishing email. The hacker may already have admin access to the site but will be careful not to add any active malware code until they are ready to attack. As already mentioned, this active target may not be the first site the phishing message links to.
Cloudflare describe a cleverly executed example that took place in July 2022. The attack began with text messages alerting recipients to log in to a Cloudflare account. The link in the text led to a URL that closely resembled the genuine Cloudflare-Okta login page; the fake domain had been registered less than 40 minutes before the texts were sent. The rogue page looked essentially the same as the genuine Cloudflare-Okta login, asking for a username and password. ‘Successful’ entry of account details led to the silent download of software including the AnyDesk remote access tool. The rogue credential checker used a Time-Based One-Time Password (TOTP) as part of its sign-in process, which might require Multi-Factor Authentication (MFA) from the user. Since that user is the same person who received the original phishing text, completing that step would not be a problem, which highlights that MFA cannot always be trusted. Cloudflare itself relies on a physical security key to validate access rather than an MFA system. It is interesting to note that any such attack would depend on knowing that a target uses Cloudflare and on having a mobile number for that user. It could not have been implemented without a prior data breach or lax data security within the target organisation.
The example also highlights the risks of multichannel phishing. Security systems expect malicious links to arrive by email and are relatively good at filtering received mail and disabling links. Other media that can legitimately carry links include text messages, WhatsApp conversations and the chat features of meeting software such as Zoom or Teams. These destinations may be harder to guess than email addresses, where a company format (such as firstname.lastname_at_companyurl) is usually in place, but genuine contact data can be purchased with relative ease from reputable or less scrupulous suppliers.
Users need to be aware of additional phishing threats on a Monday morning or following a national holiday. This is likely to be a time with a noticeable backlog of emails that the user has to wade through while hopefully avoiding trashing the important ones. It is often a busy part of the working week, making it equally ideal for sending phishing texts. Again, the recipient needs to be particularly vigilant and consider whether requests really need to be acted upon immediately. Any automated filtering system needs to consider how recently the domains being linked to came into existence. As this requires a web search rather than a simple lookup against a local blacklist or whitelist of approved sites, it may not always be practical. Staff education and awareness of phishing techniques will always be a strong deterrent to malware attacks.
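As an added example of the domain-age check described above (not code from the Cloudflare report), here is a Python filter that follows a link through its redirect chain and flags it when any hop's registrable domain was registered only recently, which is the property both the chained-link tactic and the 40-minute-old Okta lookalike share. The registration dates, redirect table and .test hostnames are constructed sample data; a real deployment would replace the two tables with RDAP/WHOIS lookups and actual HTTP redirect following.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample data (not real indicators). REGISTERED stands in for
# RDAP/WHOIS creation dates; REDIRECTS stands in for HTTP 3xx responses.
REGISTERED = {
    "trusted-newsletter.test": datetime(2015, 3, 1, tzinfo=timezone.utc),
    "short.test": datetime(2018, 6, 12, tzinfo=timezone.utc),
    "okta-login-portal.test": datetime(2022, 7, 20, 22, 10, tzinfo=timezone.utc),
}
REDIRECTS = {
    "https://trusted-newsletter.test/offer": "https://short.test/x1",
    "https://short.test/x1": "https://okta-login-portal.test/auth",
}
# Constructed message and "current time" 40 minutes after the lookalike was registered.
SAMPLE_MESSAGE = "Alert: review https://trusted-newsletter.test/offer and https://short.test/home"
SAMPLE_NOW = datetime(2022, 7, 20, 22, 50, tzinfo=timezone.utc)
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def registrable_domain(url):
    # Simplifying assumption: the last two labels form the registrable domain.
    # Production code should consult the Public Suffix List (e.g. co.uk has three).
    host = urlparse(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def follow_chain(url, redirects=REDIRECTS, max_hops=10):
    """Return every hop from the link in the message to its final destination."""
    chain = [url]
    while url in redirects and len(chain) <= max_hops:
        url = redirects[url]
        chain.append(url)
    return chain

def youngest_domain_age(chain, now, registered=REGISTERED):
    """Age in days of the most recently registered domain anywhere in the chain.
    A domain with no registration record counts as age 0, i.e. suspicious."""
    ages = []
    for hop in chain:
        created = registered.get(registrable_domain(hop))
        ages.append((now - created).total_seconds() / 86400 if created else 0.0)
    return min(ages)

def assess_links(message, now, min_age_days=30):
    """Flag each link whose redirect chain touches a domain younger than min_age_days.
    Run this on delivery and again at click time to catch links weaponised later."""
    results = []
    for url in URL_RE.findall(message):
        chain = follow_chain(url)
        age = youngest_domain_age(chain, now)
        results.append({"url": url, "chain": chain,
                        "youngest_age_days": age, "flag": age < min_age_days})
    return results
```

Because the check is repeated at click time, a link that was benign when the message was scanned but now redirects to a freshly registered domain is still caught.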