this post was submitted on 16 Jul 2024
23 points (92.6% liked)

[email protected] 7 points 1 month ago

URL protection services are designed to protect users from visiting malicious websites via a phishing link. Whenever a URL is included in an email, the service will copy it, rewrite it, then embed the original URL within the rewritten one.

If the email recipient clicks on this “wrapped” link, an email security scan of the original URL is triggered. If the scan is clear, the user is redirected to the URL. If not, they are blocked from entering the original URL.

How URL Protection Services Are Exploited

In these novel attacks, threat actors gain entry to the URL protection service via compromised accounts, and leverage it to re-write their own phishing URLs, thereby concealing their malicious nature – essentially turning the service on itself.

This enables them to impersonate the account owners and infiltrate and examine their email communications, as well as send emails from the compromised account. This tactic is known as conversation hijacking.

In addition, threat actors will be able to determine whether a URL protection service is being used by analyzing links in emails connected to the account or in the user’s email signature.

To leverage the URL protection to rewrite their own phishing URLs, the researchers noted the attackers would either need to have access to internal systems to get the phishing URL rewritten, which is “exceedingly rare,” or more likely, send an outbound email to themselves using the compromised accounts, with the phishing link included in the message.
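
A defensive check that follows from the wrapping behaviour described in the comment above, as an added example that is not part of the original comment: a wrapped link is unwrapped (including links wrapped more than once) and judged by its embedded destination rather than by the wrapper's reputation. The wrapper hosts, the `url` parameter, the verdict names and the sample links are all hypothetical.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions, not from the post: both wrapper hosts and the "url" query
# parameter are hypothetical; use the format your own service documents.
WRAPPER_HOSTS = {"urlprotect.example", "linkscan.example"}
EMBED_PARAM = "url"
MAX_DEPTH = 5  # a wrapped link can be wrapped again by a second gateway
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def unwrap(url):
    """Return (embedded destination, list of wrapper hosts peeled off)."""
    chain = []
    for _ in range(MAX_DEPTH):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        embedded = parse_qs(parts.query).get(EMBED_PARAM)
        if host not in WRAPPER_HOSTS or not embedded:
            break
        chain.append(host)
        url = embedded[0]  # parse_qs has already percent-decoded it
    return url, chain

def triage(body, trusted_hosts, own_wrapper):
    """Judge each link by its embedded destination, never by its wrapper."""
    findings = []
    for link in URL_RE.findall(body):
        dest, chain = unwrap(link)
        dest_host = (urlsplit(dest).hostname or "").lower()
        if not chain:
            verdict = "not-wrapped"
        elif dest_host in trusted_hosts:
            verdict = "known-destination"
        else:
            foreign = any(h != own_wrapper for h in chain)
            verdict = "rescan-foreign-wrapper" if foreign else "rescan"
        findings.append((verdict, dest_host, chain))
    return findings

# Constructed sample data (no real links); wrap() only builds the test links.
def wrap(host, url):
    return f"https://{host}/v1?{urlencode({EMBED_PARAM: url})}"
DEST = "https://login.portal.invalid/reset"
SAMPLE_BODY = "\n".join([
    "Invoice: " + wrap("linkscan.example", DEST),
    "HR page: " + wrap("urlprotect.example", "https://intranet.corp.example/hr"),
    "Nested: " + wrap("urlprotect.example", wrap("linkscan.example", DEST)),
    "Plain: https://news.example/story",
])
```

Calling `triage(SAMPLE_BODY, {"intranet.corp.example"}, "urlprotect.example")` returns one `(verdict, destination_host, wrapper_chain)` tuple per link; anything marked `rescan` or `rescan-foreign-wrapper` should have its destination host passed to your own URL scanning.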