New Phishing Campaign Uses URLs Containing Almost 1,000 Characters


An ongoing phishing campaign is targeting users with links that in some cases contain almost 1,000 characters.

The campaign begins with an attack email informing the recipient that their email account has been blacklisted due to a “subsequent verification failure” involving their mail network server. The email goes on to explain that the recipient will lose access to their email account unless they go through the proper verification channels. This involves clicking on a “Confirm Your Email” link contained within the message of the attack email.

Clicking on the link redirects the user to a landing page with a login form customized to their email account’s domain. These pages stand out, however, in that their URLs are unusually long, nonsensical strings consisting of repeated letters and numbers. Derek from My Online Security observed that the shortest link was 400 characters in length, while the longest URL he spotted was just shy of 1,000 characters.

Lawrence Abrams, creator and owner of Bleeping Computer, thinks that digital attackers could be creating such long URLs in “an effort to obfuscate the intent or to hide information in them.”

If that’s the case, creating 1,000-character URLs represents just the latest tactic by which fraudsters are known to disguise their phishing links. They’ve used plenty of other techniques in the past. For instance, Ars Technica reported on an attack back in June 2017 where bad actors used a technique known as “URL padding” to disguise their phishing links. Specifically, they inserted enough hyphens into the subdomains for their phishing landing pages that they were able to conceal their attacks’ true domains.

Digital attackers didn’t stop there, however. In other campaigns, they’ve used Unicode domains that go beyond the conventional ASCII characters found in most web domains to trick users into visiting lookalike domains. Security researcher Xudong Zheng demonstrated this use of Unicode domains for conducting phishing attacks by registering the domain “xn--pple-43d.com.” This domain’s appearance is equivalent to “apple.com,” but its actual destination is different from the legitimate Apple domain in that it uses a Cyrillic “а” (U+0430) rather than the ASCII “a” (U+0061).

In contrast to making excessively long links, phishers have also gone in the opposite direction by using URL shorteners to disguise their attacks. These services, such as bit.ly and goo.gl, don’t just conceal the display name of the shortened URL. They also prevent security-conscious users from discovering the true destination of a URL when they hover over it. Bad actors have capitalized on this behavior to target Yahoo!, Gmail and other email providers in an attempt to steal information from unsuspecting recipients, as uncovered by PhishMe.

Taken together, the tactics described above reveal how digital attackers are constantly innovating new ways through which they can prey upon users. Organizations can help defend against these creative campaigns by educating employees to be on the lookout for suspicious emails that warn them that they’re about to lose access to their email accounts. They can also emphasize the importance of verifying a URL included within an email before clicking on it.
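The four disguises described above (very long URLs, hyphen padding, Unicode lookalike domains and URL shorteners) can each be checked mechanically when verifying a link. The following Python sketch is an added example, not code from the article or from any product it mentions; the thresholds, function names and sample URLs are assumptions constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumed thresholds and lists, chosen for illustration only.
MAX_URL_LEN = 400                  # shortest link length reported for this campaign
HYPHEN_RUN = 5                     # consecutive hyphens inside one host label
SHORTENERS = {"bit.ly", "goo.gl"}  # the services named in the article


def scripts_in(label):
    """Return the Unicode scripts used by a label (first word of each letter's name)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def url_flags(url):
    """Return a sorted list of heuristic flags raised by one URL."""
    flags = set()
    host = (urlsplit(url).hostname or "").lower()
    if len(url) >= MAX_URL_LEN:
        flags.add("long-url")
    if host in SHORTENERS:
        flags.add("shortener")
    for label in host.split("."):
        if "-" * HYPHEN_RUN in label:
            flags.add("hyphen-padding")
        if label.startswith("xn--"):
            flags.add("punycode")  # raised even when the label uses one script only
            try:
                decoded = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                continue  # malformed label: keep the punycode flag only
            if len(scripts_in(decoded)) > 1:
                flags.add("mixed-script")
    return sorted(flags)


# Constructed sample URLs (not taken from the campaign); the third uses the
# lookalike domain quoted in the article.
SAMPLES = [
    "https://mail.example.test/verify?" + "a1" * 250,
    "http://accounts.example.com" + "-" * 30 + "signin.example.test/",
    "https://xn--pple-43d.com/",
    "https://bit.ly/abc123",
    "https://www.example.com/login",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(url_flags(u), u[:60])
```

A flag is a reason to look closer rather than a verdict: legitimate links can be long or shortened, and internationalized domains are not malicious in themselves.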

But organizations also need to account for when their employees miss these warning signs, especially as digital attackers continue to come up with new campaigns. Towards that end, they should employ an email security solution that analyzes emails not just for URLs but also for their IP addresses, phrases, patterns, behavior and malware signatures. This tool should provide real-time protection in that it should dynamically filter out potential threats while keeping the right emails flowing to their intended destination.

Up your organization’s defenses against ridiculously long URLs and other phishing tactics today.