
Report: Phishers turn URL protection services against themselves

A phishing attack using legitimate services is a “convincing” tactic, according to one Barracuda Networks researcher.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

In a scary world of cyber-threats, even URLs just need to be held sometimes.

URL protection services embed a link in a cozier, “wrapped” one that sends the link through a vendor’s security checks.

Threat researchers from the cybersecurity company Barracuda Networks, however, have observed threat actors using the URL protection mechanism to safeguard their own malicious links.

The use of legitimate services, according to Prebh Dev Singh, manager of product management at Barracuda, leads to convincing messages.

“It uses the reputation of the vendor/brand to obfuscate the phishing URL,” Singh explained in an email to IT Brew.

That’s a wrap! URL protection services, offered by email providers, place a link into a new, rewritten one; the “wrap” routes the link through security services to check for signs of phishing, like malicious code or a known malicious site.

Attacks observed by Barracuda appear to use the service to hide an already malicious link. One likely scenario, according to a July 15 report: a threat actor, who has already compromised an endpoint, sends themselves an outbound message, using the service to disguise their own malicious URL, which the attacker can then use in phishing campaigns.
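A defender-side check for the scenario above, as an added example that is not from the Barracuda report or IT Brew: it judges a wrapped link by the destination it carries rather than by the wrapping vendor's reputation. The wrapper hostnames, the query-parameter layout and the blocklist are hypothetical, since the report does not name the vendors or their link formats.

```python
from urllib.parse import urlsplit, parse_qsl, quote

# Constructed sample data: hypothetical wrapper hosts and blocklist.
WRAPPER_HOSTS = {"urlprotect.vendor.example", "safelinks.mail.example"}
BLOCKED_HOSTS = {"login-portal.attacker.example"}
MAX_DEPTH = 5  # give up on suspiciously deep nesting


def unwrap(url, depth=0):
    """Return the innermost URL carried inside known wrapper links."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in WRAPPER_HOSTS or depth >= MAX_DEPTH:
        return url
    # parse_qsl percent-decodes each value once; follow the first value
    # that is itself an http(s) URL (assumed layout, see lead-in).
    for _name, value in parse_qsl(parts.query):
        inner = urlsplit(value)
        if inner.scheme in ("http", "https") and inner.hostname:
            return unwrap(value, depth + 1)
    return url  # wrapper with no recoverable destination (opaque token)


def verdict(url):
    """Classify a link by its final destination, not by the wrapper."""
    final = unwrap(url)
    host = (urlsplit(final).hostname or "").lower()
    if host in WRAPPER_HOSTS:
        return ("review", final)  # destination hidden: needs manual review
    if host in BLOCKED_HOSTS:
        return ("block", final)
    return ("allow", final)


# Constructed samples: single wrap, double wrap, opaque token.
PHISH = "https://login-portal.attacker.example/o365"
WRAPPED = "https://urlprotect.vendor.example/v1/url?u=" + quote(PHISH, safe="")
DOUBLE = "https://safelinks.mail.example/?url=" + quote(WRAPPED, safe="")
OPAQUE = "https://urlprotect.vendor.example/v1/url?id=9f3c"

if __name__ == "__main__":
    for link in (WRAPPED, DOUBLE, OPAQUE, "https://intranet.corp.example/"):
        print(verdict(link))
```
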

The attacks call to mind similar efforts from threat actors who send shortened URLs over text, email, and social media to obfuscate malicious destinations and redirect users to phishing sites or locations that serve up information-stealers.

IBM’s most recent “Cost of a Data Breach” study, which studied 553 organizations impacted by data breaches that occurred between March 2022 and March 2023, found that phishing led to 16% of breaches—and an average cost of $4.76 million. Financial loss factors included notification letters, regulatory fines, and post-breach response activities like help desk communications and product discounts.

An odd choice there. Count eSentire’s Joe Stewart, principal security researcher at the cybersecurity company, as someone a bit bewildered at the URL protection tactic. “Why would you intentionally submit your phishing URL to anti-phishing detection, before you’ve even gotten it across the desk of whoever you want to click on?” he wondered.

“It’s surprising to me that it works, because these URL protection services: you’ve got one job to do. And apparently the phishers have found out you’re not doing it right,” Stewart told IT Brew.

Regardless of the “odd” nature of the attack, Stewart said the threat calls to mind the importance of additional security measures like passkeys—digital credentials that match a device-bound private key with a domain. With the added control, a phishing site impersonating a real one will lack the required key for authentication, Stewart said.

In an email to IT Brew, Singh also recommended layering additional security tools, including AI-based email security services that use natural-language processing to spot phishy emails.

The Barracuda report observed attacks against “three different URL protection services” since mid-May 2024. The company did not name the specific vendors of the protected links.
