Security researchers have discovered a new tactic used by phishing gangs to conceal the URLs of fake websites from even savvier victims.
Dubbed URL padding, the technique relies on the narrow address bars of mobile devices, which stop users from seeing the whole address. Crooks abuse this by padding out fake URLs with long runs of hyphens, so that the genuine-looking brand name fills the visible part of the address bar while the real domain is pushed out of view, making it very difficult to identify a phishing site by its web address.
In a blog post, Crane Hassold, senior security threat researcher at PhishLabs, said that the highest proportion of attacks is aimed at Facebook users. He cited one example he had witnessed: “hxxp://m.facebook.com—————-validate—-step1.rickytaylk[dot]com/sign_in.html”.
“Although it starts with m.facebook.com (the genuine path for Facebook mobile) the actual domain in this case is rickytaylk.com,” he said.
Hassold said that while this doesn’t look convincing on a desktop computer, it is far less obvious when loaded into the smaller window of a mobile browser.
“In fact, with the phishing site set up as an almost perfect replica of Facebook’s genuine mobile login page, and the clever addition of the Facebook favicon in the address bar, this site looks remarkably genuine,” he said.
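The check that defeats this trick is to look at the registrable domain (the labels immediately before the first single slash) rather than the start of the address. The following is an added example, not code from the article or from PhishLabs: it refangs a URL written in the `hxxp`/`[dot]` notation used above, extracts the registrable domain with a deliberately tiny stand-in for the Public Suffix List (an assumption; a real tool should load the full list), flags a watched brand that appears only in the subdomain part, and models a narrow address bar as a plain left-aligned truncation of the hostname. The sample URL is constructed to mirror the article’s example with ASCII hyphens, which is what a hostname can actually contain; the brand list and hyphen-run threshold are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed, deliberately short stand-in for the Public Suffix List.
# Assumption: a production check loads the full list (e.g. via tldextract).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}

# Brands named in the article as padding targets; an assumed watch-list.
WATCHED_BRANDS = ("facebook", "comcast", "craigslist", "offerup", "icloud")

# Flag a host containing this many consecutive hyphens; threshold is an assumption.
HYPHEN_RUN_THRESHOLD = 4

# Constructed samples: a padded address modelled on the article's example
# (defanged as in threat-intel write-ups), the genuine Facebook mobile login,
# and a host under a two-label public suffix.
SAMPLES = {
    "padded": "hxxp://m.facebook.com------------validate----step1.rickytaylk[dot]com/sign_in.html",
    "genuine": "https://m.facebook.com/login.php",
    "uk": "https://www.example.co.uk/",
}


def refang(url: str) -> str:
    """Turn hxxp:// and [dot] / [.] notation back into a parseable URL."""
    return re.sub(r"\[(?:dot|\.)\]", ".", url).replace("hxxp", "http", 1)


def registered_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1) using the small suffix table above."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyse_url(url: str) -> dict:
    """Split a URL into subdomain and registrable domain and score it for URL padding."""
    host = urlsplit(refang(url)).hostname or ""   # .hostname drops userinfo/port, lowercases
    reg = registered_domain(host)
    sub = host[: -len(reg)].rstrip(".") if host != reg else ""
    longest_run = max((len(m) for m in re.findall(r"-+", host)), default=0)
    # A watched brand that lives only in the subdomain is the padding signature:
    # the attacker controls everything left of the registrable domain.
    spoofed = [b for b in WATCHED_BRANDS if b in sub and b not in reg]
    return {
        "host": host,
        "registered_domain": reg,
        "subdomain": sub,
        "longest_hyphen_run": longest_run,
        "spoofed_brands": spoofed,
        "suspicious": bool(spoofed) or longest_run >= HYPHEN_RUN_THRESHOLD,
    }


def address_bar_view(url: str, width: int = 22) -> str:
    """Simplified model of a narrow mobile address bar: only the first `width`
    characters of the hostname are visible, so padding hides the real domain."""
    host = urlsplit(refang(url)).hostname or ""
    return host[:width]


if __name__ == "__main__":
    for name, url in SAMPLES.items():
        result = analyse_url(url)
        print(f"{name:8} bar shows: {address_bar_view(url)!r}")
        print(f"{'':8} registrable domain: {result['registered_domain']}, "
              f"spoofed: {result['spoofed_brands']}, suspicious: {result['suspicious']}")
```

Run on the padded sample, the address-bar model shows only `m.facebook.com--------`, exactly the illusion the article describes, while `analyse_url` reports the registrable domain as `rickytaylk.com` with `facebook` confined to the subdomain. The genuine login resolves to `facebook.com` with subdomain `m` and is not flagged.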
He spotted other examples deployed against users of Comcast, Craigslist, OfferUp and iCloud.
Hassold said that this style of phishing attack is very effective because users can’t hover over links on mobile devices, so determining whether or not a link is safe is impossible, or at the very least much more difficult.
“Until you visit the site, you have no way of knowing whether it’s legitimate. And, as we’ve already seen, once you’re there the URL padding approach is highly effective at obscuring the site’s real domain,” he added.
There’s very little inherent value in cracking a Facebook account, as there is no direct monetary reward for doing so, but Hassold said that the main reason for targeting these particular websites is password reuse.
“Most people use the same email and password combination for almost all of their accounts, so stealing a single set of credentials can actually be highly profitable,” he said. So cracking a Facebook account might reveal the credentials for other accounts belonging to the user, which can then be financially exploited.
The other motivation is the domino effect: cracking a Facebook account gives you trusted status when communicating with hundreds of other users.
“Instead of trying to profit directly, we believe threat actors are looking to use individuals’ Facebook accounts to send out even more phishing lures via status updates or private messages. And as we’ve already noted, most people have been conditioned to check mobile notifications immediately, making this a highly effective tactic.”
This new flavour of attack only reinforces the existing advice to users: stop and think before clicking that link, and on a mobile device check the domain that sits immediately before the first single slash, not the familiar name at the start of the address.
This article originally appeared at scmagazineuk.com