Phishing sites are common, but this week the internet found a strange strain that’s a little rarer: a phishing site with a URL almost a thousand characters long. Experts have a good theory about why a scammer would go to all that trouble.
We learned of a strange phishing campaign which uses an unusually long URL. The mail purports to come from your email provider, telling you that your account has been blacklisted due to multiple login failures. The phisher tries to hook your mail login credentials by getting you to log in again, but of course, the link it provides isn’t really a link to your login provider’s page.
Phishing links generally arrive behind an innocuous piece of text like ‘log in’, ‘reauthorise’ or ‘validate’. Hyperlinks separate the text from the actual links that they follow, though, and unless a victim hovers over the text or right-clicks it, or checks the address bar of their browser after clicking on the link, they won’t know what sites they’re really visiting.
Phishers are aware of this and diligent ones will try to lure you with a URL that looks plausible. They’ll use tricks like top-level domains (TLDs) designed to look like the last couple of words in a legitimate domain, or homographs that use foreign character sets to create English-looking letters. Hyphens and subdomains are also a good way of creating URLs that look like a legitimate site at first glance.
This phisher didn’t bother with any of that. The link they provided was a domain that looked nothing like the recipient’s email domain. Moreover, it also used a ridiculously long combination of subdirectory and page name (those are the folders and the actual page that follow the top-level domain name). The total URL was almost a thousand characters long.
Eduardo Schultze is the threat intelligence team lead at Axur, which uses AI to help companies with online brand protection and digital fraud detection, and also a representative on the Anti-Phishing Working Group (APWG), an industry group that combats phishing scammers. He said:
The interesting thing is that the phishing [site] doesn’t allow you to type your email but it instead grabs it from the “email” parameter in the URL from the person who received the phishing.
This isn’t a one-off. An analysis of the weird URL by the website analysis service URLscan shows over 1100 phishing pages with a similar structure and files, suggesting that they could be coming from the same phishing kit. It also shows over 180 phishing domains hosted at the same Hong Kong-based IP address, each serving a different domain.
So, what’s going on? Schultze points out that because this phishing URL uses subdirectories, it’s possible for it to take the phishing victim into a variety of folders:
The more you click, the deeper you go into the actual phishing landing page.
This feeds into the theory that the phisher is hiding the location of the phishing files on the hacked server. Stefanie Ellis, portfolio marketing manager at brand protection company Clarivate Analytics and also a representative for the APWG, has seen a small proportion of phishing sites using 500 characters or more. She said:
There’s nothing in the configuration of the URL that prevents us from detecting the site so we have to think it’s related to hiding on the server, or generally making the investigation more time-consuming or frustrating for the host.
It isn’t clear whether the variety of folders was randomly scripted or manually created, but no matter: a determined anti-phishing investigator will quickly work out that it’s a scam domain. Said Ellis:
It’s creative, but at the end of the day a longer URL is not going to prevent detection, blocking, or mitigation of the phishing site.
However, while this ridiculously long URL might alert desktop users to something phishy, infosecurity expert Spencer Alessi points out that mobile users might be oblivious:
They seem to like long URL business because of how the URL displays on mobile. iOS typically, for example, shows the front of the url as opposed to the root domain.
ALWAYS CHECK ROOT DOMAINS AND HEADERS OF EMAILS.
So I would have this as an example:
The iPhone or an iOS device might truncate and display only the front or the back of the URL above like this:
This can be misleading because it’s taken out of context and the URL does not belong to Google; it’s a deception and has been used in the phishing community for decades.
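A defender-side triage check that pulls together the points raised above (the pre-filled "email" parameter, the 500-character figure, and the root domain falling outside what a narrow address bar displays), as an added example that is not from the article or from any of the people quoted; the sample URL, its host names and its folder layout are constructed, and the root-domain extraction naively takes the last two labels (no public-suffix list).

```python
from urllib.parse import urlsplit, parse_qs

# Ellis's figure above: a small share of phishing URLs run to 500+ characters.
LONG_URL_THRESHOLD = 500

# Constructed sample modelled on the campaign described above; not the real URL.
SAMPLE_URL = (
    "https://webmail.account-verify.login-session.security-check."
    "blacklisted-notice.example-host.test/"
    + "/".join(f"d{i}" for i in range(100))  # deep, scripted-looking folders
    + "/reauthorise/validate/index.php?email=victim%40example.org"
)


def analyze_url(url: str, display_width: int = 40) -> dict:
    """Triage a reported link: real root domain vs. what a narrow address bar
    shows, overall length, and any pre-filled 'email' parameter."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    # Registrable domain taken naively as the last two labels. Assumption: no
    # public-suffix list is used, so two-level TLDs such as .co.uk are not handled.
    labels = host.split(".")
    root_domain = ".".join(labels[-2:]) if len(labels) >= 2 else host
    email = parse_qs(parts.query).get("email", [None])[0]
    # What a narrow mobile address bar might display: the leading characters only.
    front_view = url[:display_width]
    return {
        "root_domain": root_domain,
        "total_length": len(url),
        "path_length": len(parts.path),
        "prefilled_email": email,
        "front_view": front_view,
        "root_domain_visible": root_domain in front_view,
    }


def triage_flags(report: dict) -> list:
    """Turn the report into plain reasons an analyst would record."""
    flags = []
    if report["total_length"] >= LONG_URL_THRESHOLD:
        flags.append(f"url length {report['total_length']} >= {LONG_URL_THRESHOLD}")
    if not report["root_domain_visible"]:
        flags.append(f"root domain {report['root_domain']} hidden in truncated view")
    if report["prefilled_email"]:
        flags.append(f"email pre-filled from URL: {report['prefilled_email']}")
    return flags


if __name__ == "__main__":
    rep = analyze_url(SAMPLE_URL)
    print(rep["front_view"] + "...")
    for flag in triage_flags(rep):
        print("-", flag)
```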