Security researchers are seeing large-scale phishing campaigns increasingly rely on reverse tunnel services and URL shorteners, a combination that makes the malicious infrastructure harder to take down.
This strategy differs from the more typical practice of registering domains with hosting companies, which are more likely to respond to complaints and take down phishing sites.
With a reverse tunnel, threat actors can host the phishing page on their own machine and expose it through an external service's public hostname. By wrapping that hostname in a URL shortener, they can mint fresh links as often as they like to stay ahead of blocklists.
Many of the phishing URLs are rotated every 24 hours or less, which makes the sites harder to track and shut down.
Abuse of the Service
CloudSEK, a digital risk management company, has noticed a rise in the amount of phishing attempts that combine reverse tunneling and URL shortening services.
The researchers identified more than 500 sites hosted and distributed this way, according to a report shared with BleepingComputer by the company.
Ngrok, LocalhostRun, and Cloudflare’s Argo are the most widely abused reverse tunnel services discovered by CloudSEK in their investigation. They also noticed an increase in the use of URL shortening services like Bit.ly, is.gd, and cutt.ly.
The reverse tunnel service fronts the phishing site and handles every connection to the local server where it is hosted: inbound requests arrive at the tunnel provider's public hostname, and the provider forwards them through the tunnel to the attacker's local machine. No registered domain or hosting account is needed, so there is no hosting company to respond to an abuse complaint.
When victims interact with these phishing sites, their personal information is stored on the attacker’s computer.
Because the tunnel hostname is typically a string of random characters or random words, the threat actor wraps it in a URL shortener, according to CloudSEK. As a result, the suspicious hostname is masked behind a short URL that gives the recipient no hint of where it leads.
Adversaries are disseminating these links through popular communication channels such as WhatsApp, Telegram, emails, text, and bogus social media pages, according to CloudSEK.
It's important to note that abuse of these services isn't new. In February 2021, for example, Cyble documented Ngrok being misused for phishing. According to CloudSEK's findings, however, the situation is getting worse.
Cases discovered
Impersonating YONO, a digital banking platform supplied by the State Bank of India, was one example of a phishing effort exploiting these services that CloudSEK discovered.
The attacker's link was disguised as "cutt[.]ly/UdbpGhs" and redirected to "ultimate-boy-bacterial-generates[.]trycloudflare[.]com/sbi", a hostname issued by Cloudflare's Argo tunneling service.
Bank account details, PAN card information, Aadhaar unique identification numbers, and mobile phone numbers were asked on this phishing page.
CloudSEK did not disclose how effective the campaign was, but it noted that the threat actors rarely keep the same hostname for more than 24 hours, even though they do recycle the phishing page designs.
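A defender who receives one of these short links wants to learn where it lands without loading the page. The following script is an added example, not code from the article or from CloudSEK: it follows redirects hop by hop with HEAD requests that never fetch page content, then flags a final hostname that belongs to a reverse tunnel provider. The redirect table is constructed from the defanged URLs quoted above so the example runs offline, and the lists of tunnel suffixes and shortener hosts are illustrative assumptions rather than a complete inventory.

```python
"""Expand a shortened link without fetching page content and flag reverse-tunnel hosts.

Added example. The redirect table is constructed from the article's defanged URLs;
TUNNEL_SUFFIXES and SHORTENER_HOSTS are assumed, illustrative lists.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Hostname suffixes handed out by the tunnel services the article names (assumed list).
TUNNEL_SUFFIXES = {
    "trycloudflare.com": "Cloudflare Argo / Cloudflare Tunnel quick tunnel",
    "ngrok.io": "ngrok",
    "ngrok-free.app": "ngrok",
    "ngrok.app": "ngrok",
    "lhr.life": "localhost.run",
    "localhost.run": "localhost.run",
}
# URL shorteners the article mentions (assumed list).
SHORTENER_HOSTS = {"cutt.ly", "bit.ly", "is.gd"}

# Constructed redirect table standing in for the network, so the example runs offline.
CONSTRUCTED_REDIRECTS = {
    "https://cutt.ly/UdbpGhs":
        (301, "https://ultimate-boy-bacterial-generates.trycloudflare.com/sbi"),
    "https://ultimate-boy-bacterial-generates.trycloudflare.com/sbi": (200, None),
    "https://bit.ly/abc123": (301, "https://bit.ly/abc123"),  # constructed redirect loop
}


def offline_head(url):
    """Offline stand-in for live_head(): (status, Location) from the constructed table."""
    return CONSTRUCTED_REDIRECTS.get(url, (200, None))


def live_head(url, timeout=5):
    """HEAD request that does NOT follow redirects, so no hop is fetched implicitly."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # make urllib raise HTTPError on 3xx instead of following it

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location")


def expand_url(url, fetch_head=offline_head, max_hops=5):
    """Follow 3xx Location hops manually; stop on a loop or after max_hops."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch_head(chain[-1])
        if not (300 <= status < 400) or not location:
            break
        nxt = urljoin(chain[-1], location)  # Location may be relative
        chain.append(nxt)
        if chain.count(nxt) > 1:
            break  # loop: the same URL appeared twice
    return chain


def tunnel_service(host):
    """Return the matching tunnel suffix, or None if the host is not a known tunnel."""
    host = host.lower().rstrip(".")
    for suffix in TUNNEL_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def classify(chain):
    """Summarise what the redirect chain reveals about the link."""
    hosts = [urlsplit(u).hostname or "" for u in chain]
    final = hosts[-1]
    svc = tunnel_service(final)
    label = final.split(".")[0]
    return {
        "shortener": any(h in SHORTENER_HOSTS for h in hosts[:-1]),
        "tunnel_service": svc,
        # trycloudflare quick tunnels use several random hyphenated words as the label
        "hyphenated_label": label.count("-") >= 2,
        "loop": len(chain) != len(set(chain)),
        "suspicious": svc is not None,
    }


if __name__ == "__main__":
    for start in ("https://cutt.ly/UdbpGhs", "https://bit.ly/abc123"):
        chain = expand_url(start)  # pass fetch_head=live_head to query the real network
        print(" -> ".join(chain))
        print(classify(chain))
```

Passing `fetch_head=live_head` swaps in the real network; keeping redirects disabled in the opener is the important part, because a default HTTP client would silently follow the chain and fetch the phishing page. A tunnel hostname on its own is not proof of phishing, since the same services host legitimate demos, but a shortened link that terminates on one is worth a second look.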
This sensitive information can be sold on the dark web or utilized to empty bank accounts by the attackers. If the information belongs to a corporation, the threat actor could use it to execute ransomware attacks or BEC fraud.
To protect themselves from this type of threat, users should avoid clicking links received from unknown or dubious sources. Typing the bank's domain name directly into the browser's address bar, rather than following a link, is a reliable way to avoid landing on a bogus site.