Commenst On Phishing Attacks Using Google’s URL Decoding

By   ISBuzz Team
Writer , Information Security Buzz | Sep 27, 2019 02:39 am PST

Threat actors are using Google’s URL decoding of non-ASCII URL data for URL encoding-enabled phishing attacks that hide the destination of malicious email links according to researchers, bypassing secure email gateways.

Notify of
2 Expert Comments
Oldest Most Voted
Inline Feedbacks
View all comments
Laurence Pitt
Laurence Pitt , Global Security Strategy Director
September 27, 2019 6:35 pm

Phishing is a revenue generation engine, and since email gateways have become more aware of phishing content by using cloud intelligence, IP and website reputation (or even attachment scanning), it means that much of the phishing content is either rejected or pushed straight to SPAM/JUNK folders. So we had to expect that it would get more intelligent, in an attempt to evade perimeter security. This attack method is not new. It is similar to more basic attacks that surround a URL with HTTP codes to obfuscate it. It’s phishing content that’s hiding in plain sight and relying on users to see a jumble of letters so that they just click.

We will see gateways adapt to block this type of content, but until that’s commonplace, it’s imperative to educate users to watch for this. My advice is to never actually click a link in an email – simple as that. If you get an email asking to validate credentials, confirm an order or check a process then manually go to the website, manually login and perform the process that way. This may mean that you login to a site for no reason at all, but it also ensures that if it is a phishing attempt, you do not give away personal or business information.

Last edited 4 years ago by Laurence Pitt
Mounir Hahad
Mounir Hahad , Head
September 27, 2019 10:41 am

Email gateways have matured enough to perform dynamic content inspection: a URL in an email link is scanned at the time of receipt of the email, then rewritten to go through the email security provider’s cloud for yet another inspection when the user clicks on it. The problem with any active scanning of URLs in emails is that the security vendor cannot trigger any downstream action. If the resulting page asks for acceptance of usage terms, the security solution cannot click to accept for you and, therefore, it is blind to what page lies behind this gate. This phishing technique attempts to create such a gate using a Google standard redirect notification. I suspect this is safe enough for email security gateways to recognize and bypass very soon.

Last edited 4 years ago by Mounir Hahad

Recent Posts

Would love your thoughts, please comment.x