<h1>How cybercriminals disguise URLs</h1>
<p>Kaspersky blog, 12 December 2023. Original post: <a href="https://www.kaspersky.co.za/blog/malicious-redirect-methods/32679/" target="_blank" rel="noopener nofollow">https://www.kaspersky.co.za/blog/malicious-redirect-methods/32679/</a></p>
<p>Methods used by attackers to redirect victims to malicious and phishing sites from seemingly safe URLs.</p>
<p>Corporate information security specialists usually know quite a few confident employees who say that they never click on dangerous links and are therefore not susceptible to cyberthreats. Sometimes those employees use this argument when asking to have corporate security measures that interfere with their work turned off. But attackers often disguise malicious and phishing links in order to confuse both mail filters and human observers. Their goal is to get victims to click on an address that actually takes them somewhere else, even victims who examine URLs as we repeatedly advise. Here are the most common methods cybercriminals use to hide malicious or phishing URLs.</p>
<h2>An @ symbol in the address</h2>
<p>The simplest way to hide the real domain in an address is to use the @ symbol in the URL. This is a completely legitimate symbol: it lets a login and password be embedded in a website address, since HTTP allows credentials to be passed to the web server in the URL itself using the login:password@domain.com format. If the data before the @ symbol isn't valid for authentication, the browser simply discards it and takes the user to the address located after the @ symbol. Cybercriminals exploit this: they come up with a convincing page name, use the name of a legitimate site in it, and place the real address after the @ symbol. For example, here is our blog's address disguised in this way:</p>
<p><a href="http://convincing-business-related-page-name-pretending-to-be-on-google.com@kaspersky.com/blog/" target="_blank" rel="noopener nofollow">http://convincing-business-related-page-name-pretending-to-be-on-google.com@kaspersky.com/blog/</a></p>
<p>It looks like a page with a long, wordy name hosted somewhere on the Google domain, but the browser will take you to <a href="http://kaspersky.com/blog/" target="_blank" rel="noopener nofollow">http://kaspersky.com/blog/</a>.</p>
<h2>A number instead of the IP address</h2>
<p>In the previous method, attackers try to confuse the user with a long page name in order to distract them from the real address, which nevertheless remains visible in the URL. But there is a way to hide it completely: converting the site's IP address into an integer. Dotted IP addresses are not very convenient to store in databases, so a mechanism for converting IP addresses into integers (which are much easier to store) and back was invented long ago. Modern browsers that see a bare number in a URL automatically convert it into an IP address. Combined with the @ symbol trick, this hides the real domain entirely. Here is what a link to our corporate website could look like:</p>
<p><a href="http://google.com...%25@3109359386/" target="_blank" rel="noopener nofollow">http://google.com…%@3109359386/</a></p>
<p>With this trick, cybercriminals try to focus attention on the domain before the @ symbol and make everything after it look like some kind of parameter; after all, various marketing tools routinely insert all sorts of alphanumeric tags into web links.</p>
<h2>URL shortener services</h2>
<p>Another fairly simple way to hide the real URL is to use one of the legitimate link shortening services. A short link can point to absolutely anything, and there is no way to tell what lies behind it just by looking at it.</p>
<p><a href="http://tinyurl.com/ypzuvcht" target="_blank" rel="noopener nofollow">http://tinyurl.com/ypzuvcht</a></p>
<h2>Google Accelerated Mobile Pages</h2>
<p>Several years ago, Google and some partners created the Google AMP framework, a service intended to help webpages load faster on mobile devices. In 2017, Google <a href="https://ru.wikipedia.org/wiki/Accelerated_mobile_pages#cite_note-9" target="_blank" rel="nofollow noopener">claimed</a> that AMP pages load in less than a second and use 10 times less data than the same pages without AMP. Attackers have now learned to use this mechanism for phishing. An email contains a link starting with "google.com/amp/s/", but if the user clicks it, they are redirected to a site that doesn't belong to Google. Even some anti-phishing filters fall for this trick: because of Google's reputation, they treat such a link as sufficiently trustworthy.</p>
<h2>Email service providers</h2>
<p>Another way to hide a page behind someone else's URL is to use an ESP (email service provider), that is, a service for creating legitimate newsletters and other mailouts. We have already described this method in detail in <a href="https://www.kaspersky.com/blog/phishing-via-esp/37467/" target="_blank" rel="noopener nofollow">one of our previous posts</a>. In short, criminals sign up with one of these services, create a mailing campaign, input a phishing URL, and as a result get a ready-made clean address that carries the reputation of the ESP. ESP companies do of course try to fight such misuse of their services, but they don't always succeed.</p>
<h2>Redirect via Baidu</h2>
<p>The Chinese search engine Baidu has an interesting approach to showing search results. Unlike Google, it doesn't link to the result sites directly; instead, each result is a link to Baidu itself that redirects to the site searched for. That is, in order to disguise a malicious URL as a Baidu link, all cybercriminals need to do is search for the page (which is quite simple if you enter the exact address), copy the link and paste it into the phishing email.</p>
<p><a href="https://www.baidu.com/link?url=vukOBuG2XyoQemvCQbKuBASjyO_Bbnajh-Y2tfpVUdS&amp;wd=&amp;eqid=d89f5f0b0008c16800000006650d73cf" target="_blank" rel="noopener nofollow">https://www.baidu.com/link?url=vukOBuG2XyoQemvCQbKuBASjyO_Bbnajh-Y2tfpVUdS&amp;wd=&amp;eqid=d89f5f0b0008c16800000006650d73cf</a></p>
<p>And frankly, we don't know how many other services exist that redirect URLs or even cache pages on their own side (whether for their own needs or for the sake of convenient content delivery).</p>
<h2>Practical takeaways</h2>
<p>No matter how confident your employees are, we doubt that they can really tell whether a link is dangerous or not. We therefore recommend backing them up with protective solutions, and deploying such solutions both at the corporate <a href="https://www.kaspersky.com/small-to-medium-business-security/mail-server" target="_blank" rel="noopener nofollow">mail server</a> level and on the <a href="https://www.kaspersky.co.za/small-to-medium-business-security" target="_blank" rel="noopener">internet-connected devices</a> employees work on.</p>