The research team based at CloudSEK, the digital risk expert, has recorded a recent uptick in evasive measures in large-scale email phishing campaigns.

The two techniques showing increased use in these cybercriminal projects include URL shorteners and reverse tunnels. Used in tandem, these methods help threat actors evade detection, allowing them to remain in operation for longer.

This recently revealed method differs from the far more common approach, in which operators register domains with dedicated website hosting providers that typically react to complaints by taking down phishing sites.

Using reverse tunnels, attackers can locally host their phishing pages on computers under their control and route connections via an external service. Employing a URL-shortening tool, threat operators can generate brand-new links as and when they require them, helping them bypass detection.

Several of the phishing links are being refreshed in under 24 hours. As a result, tracking down and removing these domains becomes an increasingly challenging task.

Abuse of service

CloudSEK spotted a rise in the number of phishing-style campaigns that mix services for URL shortening and reverse tunnelling.

In a recent report, the risk expert stated that it found over 500 phishing websites being distributed and hosted this way.

By far, the most extensively abused services for reverse tunnelling identified by CloudSEK were Cloudflare’s Argo, Ngrok and LocalhostRun. The company also listed is.gd, Bit.ly and cutt.ly as the most prevalent URL shortening tools in use by threat operators.

Hackers use reverse tunnel services to shield phishing sites: the tunnel service manages all connections to the local server on which the bogus website is hosted. As a result, every incoming connection is resolved by the tunnel service before being forwarded to the local machine.

Identified examples

One phishing campaign abusing these services that CloudSEK uncovered was a site impersonating YONO, the State Bank of India’s digital banking platform.

The URL employed by the threat actor was the shortened link “cutt[.]ly/UdbpGhs”, which took victims to a domain listed as “ultimate-boy-bacterial-generates[.]trycloudflare[.]com/sbi”, which employed the Argo tunnel service supplied by Cloudflare.

The phishing page requests PAN card numbers, bank account credentials, mobile phone numbers and Aadhaar unique ID numbers.

CloudSEK has not disclosed how successful this particular phishing campaign was; however, it stated that malicious operators rarely utilise the same domain name for a time period longer than a day. It did note that threat operators do reuse the templates used to create phishing pages.

Sensitive data harvested through phishing sites can be put on sale via dark web forums or utilised by attackers to steal from banking accounts. If the information collected is from a business, the operator can also use it to unleash ransomware attacks, or other malicious activities like business email compromise (BEC) attacks.

To defend against this kind of threat, enterprise professionals should always steer clear of clicking on any links in emails that they receive from a suspicious or unknown sender. Typing in a bank domain name manually is always the best method to avoid being directed to a phishing website.
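
For teams reviewing mail-gateway or proxy logs, the pattern described above (a shortened link that lands on a reverse-tunnel host) can be checked per redirect chain. The following is an added example, not code from CloudSEK or the article; the redirect chains are assumed to come from a proxy or sandbox log, the ngrok and localhost.run suffixes are assumptions to verify against the providers' current documentation, and every sample URL except the YONO pair is constructed.

```python
from urllib.parse import urlsplit

# Shortener hosts named in the article.
SHORTENERS = {"is.gd", "bit.ly", "cutt.ly"}
# trycloudflare.com appears in the article; the other two suffixes are
# assumptions for Ngrok and LocalhostRun and should be verified before use.
TUNNEL_SUFFIXES = ("trycloudflare.com", "ngrok.io", "lhr.life")


def refang(url):
    """Undo common defanging ([.] and hxxp) and ensure a scheme is present."""
    url = url.strip().replace("[.]", ".")
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    return url if "://" in url else "http://" + url


def classify(url):
    """Return 'shortener', 'tunnel' or None for the URL's hostname."""
    host = (urlsplit(refang(url)).hostname or "").rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    if host in SHORTENERS:
        return "shortener"
    # Match on a label boundary so 'nottrycloudflare.com' is not flagged.
    if any(host == s or host.endswith("." + s) for s in TUNNEL_SUFFIXES):
        return "tunnel"
    return None


def score_chain(chain):
    """Score one redirect chain, given as URLs from first hop to last."""
    kinds = [classify(u) for u in chain]
    if "shortener" in kinds and "tunnel" in kinds[kinds.index("shortener"):]:
        return "high"    # shortened link that resolves to a tunnel host
    if "tunnel" in kinds:
        return "medium"  # tunnel host reached without a shortener
    return "none"


# First chain is the YONO example from the article; the rest are constructed.
SAMPLE_CHAINS = [
    ["cutt[.]ly/UdbpGhs",
     "ultimate-boy-bacterial-generates[.]trycloudflare[.]com/sbi"],
    ["https://bit.ly/constructed", "https://www.example.com/pricing"],
    ["hxxps://constructed-sample.ngrok.io/login"],
    ["https://nottrycloudflare.com/"],
]
RESULTS = [score_chain(c) for c in SAMPLE_CHAINS]
```

Because the article notes that links are refreshed in under 24 hours, matching on the service suffix rather than on individual hostnames is what keeps a check like this useful.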