Tunnel service localhost.run gets exploited by criminals for phishing attacks

January 18, 2022

Threat actors have found a new way to conduct phishing attacks by exploiting free tunnel services available on the web, including localhost.run, to host their phishing content. Security researchers from iZOOlogic detected the suspicious activity and investigated the tunnel service exploitation further.

Localhost.run is a free tunnel service that exposes any locally run HTTP, HTTPS, or TLS application to the internet. As per the tunnel service’s website, localhost.run utilises Secure Shell (SSH) as its client; therefore, users do not need to download the service to operate it.

Users are also given instructions on connecting an application to an internet domain by opening a command terminal and running a specific command.

The ‘Forever Free Tier’ of localhost.run offers the tunnel for free to all users without requiring a download or an account sign-up. Nonetheless, limitations are still emphasised to users: domain names change a couple to a few hours after creation, and a fixed speed limit applies to all user operations.

According to the tunnel service, these limitations are in place to prevent threat actors from conducting phishing campaigns using localhost.run, since they could otherwise easily leverage the free service to set up websites that host their campaigns.

These limitations, nonetheless, do not apply to the Custom Domain plan of localhost.run, which is offered to users who need a stable domain name that does not change after a few hours and who need faster transfer rates.

Despite the limitations, threat actors have managed to leverage the tunnel service for their phishing attacks, using it to host phishing pages and victimise their targets.

Aside from localhost.run, our researchers have also previously detected similar malicious activity on another free tunnel application called Expose, where phishing threat actors exploit the service to host fraudulent websites. Expose is a free and open-source tunnel application written in PHP by the software firm Beyond Code that allows its users to connect their websites to the internet from their local computers.

Our experts from iZOOlogic strongly advise tunnel service users to password-protect their tunnel access to avoid being targeted by phishing threat actors. Also, being fully aware and knowledgeable of phishing scams can help people avoid being victimised and stop threat actors from benefiting from their crimes.
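
For defenders, the changing hostnames described above mean that a block on one reported phishing URL goes stale within hours, while a match on the tunnel service's parent domain in proxy logs does not. The Python below is an added example, not code from iZOOlogic, localhost.run or Expose: the log format and sample lines are constructed, and the suffixes `lhr.life` and `sharedwithexpose.com` are assumptions to check against each service's current documentation.

```python
from urllib.parse import urlsplit

# Parent domains to match. "localhost.run" is named in the article; the other
# two are assumptions to verify against each service's current documentation.
TUNNEL_SUFFIXES = ("localhost.run", "lhr.life", "sharedwithexpose.com")

# Constructed proxy log lines: timestamp, client IP, method, URL, status.
SAMPLE_LOG = """\
2022-01-18T09:01:12Z 10.0.4.21 GET https://a1b2c3d4e5.lhr.life/login 200
2022-01-18T09:01:40Z 10.0.4.21 POST https://a1b2c3d4e5.lhr.life/login 302
2022-01-18T09:05:03Z 10.0.7.9 GET https://intranet.example.com/home 200
2022-01-18T13:44:51Z 10.0.4.35 GET https://f6e7d8c9.lhr.life/login 200
2022-01-18T13:45:02Z 10.0.2.8 GET https://notlhr.life/ 200
truncated line
"""


def tunnel_suffix(host, suffixes=TUNNEL_SUFFIXES):
    """Return the matching parent domain, or None. Matches on a label
    boundary so that 'notlhr.life' is not mistaken for '*.lhr.life'."""
    host = host.lower().rstrip(".")
    for suffix in suffixes:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def find_tunnel_hits(log_text, suffixes=TUNNEL_SUFFIXES):
    """Flag requests to tunnel hostnames. A POST means a user submitted
    data to the page, so it is raised to 'high'."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of crashing
        ts, client, method, url, _status = parts
        host = urlsplit(url).hostname or ""
        suffix = tunnel_suffix(host, suffixes)
        if suffix:
            severity = "high" if method.upper() == "POST" else "review"
            hits.append({"time": ts, "client": client, "host": host,
                         "suffix": suffix, "severity": severity})
    return hits


if __name__ == "__main__":
    for hit in find_tunnel_hits(SAMPLE_LOG):
        print(hit)
```

Organisations that legitimately use tunnels for development can pass their own allow-listed or custom domains through the `suffixes` parameter instead of the defaults.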
