Reverse tunnels and URL shorteners leveraged for phishing campaigns

June 7, 2022
Tags: Reverse Tunnels, URL Shorteners, Phishing Campaigns, Ngrok, Argo, LocalhostRun, DNS

A surge in the use of reverse tunnels and URL shorteners for wide-scale phishing campaigns has recently been detected, allowing threat actors to be stealthier in their attacks. Experts say the recently detected malicious activity is an unusual method attackers use to keep their phishing sites from being taken down.

Reverse tunnel services help cybercriminals host phishing pages locally on their own computers while routing connections through the external service. Meanwhile, URL shortening services let them generate new URLs as many times as needed to evade security detection.

These threat actors refresh their phishing links about once a day, making it harder for security analysts to track and take down malicious domains. Furthermore, over 500 websites have been found to be hosted and distributed through reverse tunnels and URL shorteners, indicating an increased rate of phishing campaigns leveraging these services.

According to security experts, Ngrok, Argo, and LocalhostRun are three of the most widely abused reverse tunnel services, while bit[.]ly, cutt[.]ly, and is[.]gd are the URL shortening platforms cybercriminals most commonly use in their phishing campaigns.

Reverse tunnel services are vital to the threat actors because they shield the malicious site: all traffic and connections to the local server hosting the page pass through the tunnel. The tunnel service accepts every incoming connection and forwards it to the attackers' local computer. If victims unwittingly enter their information or credentials on the phishing site, the data is stored directly on the attacker's local computer.

URL shorteners, on the other hand, hide the malicious sites' links by transforming them into a random string of letters and digits that is hard to recognise as malicious. These links are distributed on well-known platforms, including Telegram, WhatsApp, email, or SMS.
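As an added example (not from the article), the following Python scans messages or log lines for URLs that point at the reverse-tunnel and shortener services named above, matching on the registrable suffix so the random per-session subdomains these tunnels hand out are still caught. The tunnel domains (ngrok.io, trycloudflare.com, localhost.run, lhr.life) are my assumption about where those services publish their endpoints and should be verified; the sample messages are constructed.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Assumed domains for the tunnel services named in the article (verify before use).
TUNNEL_DOMAINS = {"ngrok.io", "trycloudflare.com", "localhost.run", "lhr.life"}
# Shortener domains named in the article (written defanged there as bit[.]ly etc.).
SHORTENER_DOMAINS = {"bit.ly", "cutt.ly", "is.gd"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def refang(text: str) -> str:
    """Turn defanged indicators (hxxp, [.]) back into parseable URLs."""
    return re.sub(r"hxxp", "http", text, flags=re.IGNORECASE).replace("[.]", ".")

def classify_host(host: str) -> Optional[str]:
    """Return 'tunnel', 'shortener' or None. Match on the registrable suffix so
    per-session random subdomains (abc123.ngrok.io) are caught, while a
    look-alike such as ngrok.io.example.com is not."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix in TUNNEL_DOMAINS:
            return "tunnel"
        if suffix in SHORTENER_DOMAINS:
            return "shortener"
    return None

def scan(text: str) -> List[Tuple[str, str]]:
    """Extract every URL in a message or log line and tag the suspicious ones."""
    findings = []
    for url in URL_RE.findall(refang(text)):
        host = urlsplit(url).hostname  # drops scheme, port, userinfo and path
        kind = classify_host(host) if host else None
        if kind:
            findings.append((kind, url))
    return findings

# Constructed sample messages, not real indicators.
SAMPLES = [
    "Your account is locked, verify here: https://bit[.]ly/3xAmpLe",
    "Bank login: https://d4f1-203-0-113-7.ngrok.io/login?session=1",
    "Quarterly report: https://intranet.example.com/report",
    "Update your details at http://mytunnel.lhr.life:8080/update",
]

if __name__ == "__main__":
    for line in SAMPLES:
        for kind, url in scan(line):
            print(f"[{kind.upper()}] {url}")
```

A shortened link can only be resolved by following its redirect, so in practice the "shortener" hits are the ones to expand in a sandbox and re-run through the same check.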

Phishing campaigns abusing these two services are not new, however. For instance, the digital banking platform of the State Bank of India had previously been impersonated in such campaigns to steal users' credentials.

Experts have also warned that even if the malicious shortened URLs are flagged or blocked, a new site can easily be hosted again using similar templates. The victims' stolen data would either be sold on dark web marketplaces or used by the hackers for other fraudulent activities.

It is crucial not to click on suspicious links sent from unfamiliar sources, because there is a high chance they lead to phishing pages. Being mindful of your online behaviour is the key to avoiding being victimised by cybercriminals.
