Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
Here’s a hot take (don’t @ us).
A May report from cybersecurity firm and Google subsidiary Mandiant reminded defenders to keep a closer eye on URLs, specifically on @ symbols that can manipulate standard internet schema and disguise a malicious destination.
“Network defenders should check if URLs abusing the schema to obfuscate the destination cause any failures in logging, visibility, or security tooling,” read the post.
How the schema scheme works. The standard web-address style actually begins with an optional user and password, according to Common Internet Scheme Syntax found in standard RFC 1738, which the Mandiant report also pointed to:
<scheme>//<user>:<password>@<host>:<port>/<url-path>
“When a browser interprets a URL with the username section populated (anything before the "@” sign), it discards it, and sends the request to the server following the "@” sign,” wrote Mandiant researcher Nick Simonian.
In other words: anything before the @ doesn’t mean anything—to the browser, at least.
Placing familiar text into the user and password sections can trick users into going to a malicious site.
Take a URL like “hxxp://google.com@1157586937,” where the numbers represent the server IP address.
When phishing advice often boils down to “watch for suspicious links,” destinations that at least say Google might get users clicking.
The “google” example above, observed in a late 2022 tweet from Ankit Anubhav, led not to malware but what some may consider even worse: a Rick Roll.
Sq-URL-lllyyyyy. There are many ways to disguise a URL, including shorteners, lookalikes, and redirects.
A “Blank Image” attack, found in early 2023, used phony contracts and an HTML file with redirecting Javascript code.
Some combination of password managers, multifactor authentication, and endpoint security products can prevent any credential giveaways caused by URL obfuscation.
Spotting the schema. According to the Mandiant post, VirusTotal shows the schema usage-and-abusage dating back to at least February 2022.
The URL’s manipulation often avoids detection and causes extraction errors in logging or security tooling.
“If a network defense tool is relying on knowing the server a URL is pointing to (e.g. checking if a domain is on a threat intel feed), it could potentially bypass it and cause gaps in visibility and coverage,” read the report.
Mandiant recommends using file-based malware analysis tools like YARA (and the YARA rules shared in the report) to find instances of URL obfuscation. Logs will also show the attempt when a program executes certain actions, like a Powershell module that points to an obfuscated URL.
“Defenders need to ensure security tooling and logging systems are able to detect, identify, and parse the correct indicators to ensure defenses aren’t bypassed by using a format that isn’t RFC-compliant,” the report read.