Hackers caught abusing URL security tools to hide phishing links
Cybersecurity researchers recently discovered that hackers are abusing URL security tools to send phishing links to unsuspecting victims. “Hundreds of companies, if not more,” have been targeted.
When someone receives an email with a link, the URL protection tool copies the link, rewrites it, and embeds the original in the new, rewritten link. As soon as the recipient clicks on that link, a security scan is performed. In this new campaign, which is believed to have started in mid-May 2024, the rewritten link led recipients to a phishing site.
Barracuda researchers don’t seem to know exactly how the hackers managed to trick the URL protection tool, but they suspect it was a result of a successful business email compromise (BEC) attack. They believe the attackers first gained access to the email inbox, analyzed the installed security tool, and then sent themselves an email with the phishing link.
Difficult to detect
Since the URL protection tool rewrites the phishing URL, the attackers can then use the rewritten link to hide the malicious URL inside it. These links were sent from domains like wanbf[.]com and clarelocke[.]com and are designed to look like DocuSign and password reset reminders.
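Because the rewritten link carries the real destination inside it, a mail filter can unwrap it and judge the embedded URL rather than the wrapper's domain. The sketch below is an added example, not code from Barracuda or the article; the wrapper host `urlprotect.example`, the parameter name `a`, the allowlist and the sample links are all constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs, quote

# Assumed for illustration: wrapper host and parameter name are placeholders,
# not the link format of any real URL protection product.
WRAPPER_HOSTS = {"urlprotect.example"}
TARGET_PARAM = "a"
MAX_DEPTH = 5  # stop peeling links that are wrapped many times over


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def unwrap(url):
    """Peel rewritten links until the embedded destination is reached."""
    for _ in range(MAX_DEPTH):
        if host_of(url) not in WRAPPER_HOSTS:
            return url
        inner = parse_qs(urlsplit(url).query).get(TARGET_PARAM)
        if not inner:
            return url  # wrapper link that carries no destination
        url = inner[0]  # parse_qs has already percent-decoded one layer
    return url


def assess(url, allowed_hosts):
    """Judge a link by its embedded destination, never by the wrapper host."""
    final = unwrap(url)
    host = host_of(final)
    # A link that still points at the wrapper could not be resolved, so it is
    # never allowed, even if the wrapper host is on the allowlist.
    ok = host in allowed_hosts and host not in WRAPPER_HOSTS
    return {"final_url": final, "wrapped": final != url,
            "verdict": "allow" if ok else "inspect"}


# Constructed sample links (not taken from the campaign).
PHISH = "https://login.phish.example/reset?user=bob"
WRAPPED = "https://urlprotect.example/link?a=" + quote(PHISH, safe="")
DOUBLE = "https://urlprotect.example/link?a=" + quote(WRAPPED, safe="")
ALLOWED = {"portal.example.org"}

if __name__ == "__main__":
    for link in (WRAPPED, DOUBLE, "https://portal.example.org/sign"):
        print(assess(link, ALLOWED))
```
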
“Traditional email security tools struggle to detect these attacks,” the researchers said in their article. “The most effective defense is a layered approach, with multiple levels of security that can detect and block unusual or unexpected activity, no matter how complex. Solutions that include machine learning capabilities, both at the gateway level and post-delivery, ensure that companies are well protected.”
Barracuda also said that no matter how advanced email security tools are, companies should always consider educating their employees on the latest email threats and how to spot and report them. People are the first and best line of defense, as software and automated tools, no matter how advanced, will always have workarounds.