
Cybercriminals Use New Tricks in Phishing Attacks

Researchers have observed phishing attacks where cybercriminals used some new tricks to avoid raising suspicion and make their operations more efficient.

An increasing number of cybercrime groups have come to realize that phishing attacks aimed at business executives can be highly profitable, but campaigns aimed at the masses can also be lucrative, which is why some malicious actors have been working on improving their methods.

Misconfigured temporary URLs

Earlier this month, Sucuri reported spotting an interesting technique used by attackers in phishing campaigns. Cybercriminals need to regularly change the domains that host their phishing pages to avoid getting blocked by security products, and they now appear to have found a new way to obtain the domains they need.

According to researchers, attackers have been leveraging the fact that hosting providers, including some of the major ones, have failed to properly configure temporary URLs. These URLs, which look something like http://server-name/~username/, are offered to users in order to allow them to test their websites before linking them to their own domains.

When these temporary URLs are not configured properly, one user’s files can be accessed through any domain name on the same server. An attacker can register an account on a shared server, upload their phishing pages, and compile a list of other sites on that server.

If the temporary URLs are not set up properly, the phishing pages will be accessible from any of the neighboring domain names. For example, if the attacker uploads the phishing page to /~attacker/phishing on their own site, the page will also be accessible from,, etc.

“As a result, one server account gives them hundreds of different domains for their malicious pages for free. They can frequently change the domains without disclosing the real location of the malicious files and without having to move their files to different places when the domains get blacklisted,” Sucuri researcher Denis Sinegubko explained in a blog post.

The technique has been spotted in the wild and the security firm has observed instances where a legitimate website had been blacklisted because it was hosted on the same server as a malicious site.

Website owners can check if they are affected by trying to access their sites using their own domain name (e.g. If it works, the hosting provider has not configured temporary URLs properly.

Using JavaScript to silently steal credentials

A UK-based researcher who uses the online moniker dvk01uk reported coming across a PayPal phishing email that leveraged a clever technique to trick recipients into thinking that the details they provided were sent to the payment processor’s servers.

The email informed users of unusual charges on their account and instructed them to download an attached HTML form and provide the required information. Interestingly, the submit button in the form appeared to point to a legitimate PayPal domain.

A closer analysis revealed that the attackers had actually used JavaScript to intercept the submitted data and send it to the phisher’s server while redirecting victims to the legitimate PayPal website.

“The JavaScript runs as soon as the page (HTML attachment) is loaded and intercepts all posts to and diverts them to the actual phishing page to accept all your details, while your browser still goes to the genuine PayPal page, if you are unwise enough to fall for this trick,” dvk01uk explained.

“This fools the majority of anti-phishing techniques and protections, including most toolbars, phishing filters and anti-viruses, who currently only look at the URL for the submit button and don’t examine the linked JavaScript files,” the researcher added.

The use of this technique could be even more efficient if deployed on an actual website with a legitimate-looking domain name instead of an HTML form attached to an email.
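The gap the researcher describes, filters that read only the form's submit URL, can be narrowed by also listing every host that script on the page references. The following is an added example, not code from the article or from the researchers it quotes; the names audit_attachment and FormScriptAudit are hypothetical, pay.example and collector.example are placeholder hosts in a constructed sample, and hosts are compared by exact match.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)
# Constructed sample: pay.example stands in for the genuine site, collector.example for a third party.
SUSPECT = ('<form action="https://pay.example/signin" method="post">'
           '<input name="email"><input type="submit"></form>'
           '<script src="http://collector.example/form.js"></script>')

def host(url):
    """Lower-cased hostname of an absolute URL, '' for relative or local references."""
    return (urlparse(url).hostname or "").lower()

class FormScriptAudit(HTMLParser):
    """Collects form action hosts and every host that script on the page references."""
    def __init__(self):
        super().__init__()
        self.form_hosts, self.script_hosts, self.handlers = set(), set(), []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = {k: v or "" for k, v in attrs}
        if tag == "form":
            self.form_hosts.add(host(attrs.get("action", "")))
        if tag == "script":
            self._in_script = True
            self.script_hosts.add(host(attrs.get("src", "")))
        for name, value in attrs.items():  # onsubmit/onclick can reroute a submission
            if name.startswith("on"):
                self.handlers.append(f"{tag}[{name}]")
                self.script_hosts.update(host(u) for u in URL_RE.findall(value))

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        if self._in_script:  # URLs embedded in inline script bodies
            self.script_hosts.update(host(u) for u in URL_RE.findall(data))

def audit_attachment(html):
    """Findings for script on a form page; hosts are compared exactly (a simplification)."""
    parser = FormScriptAudit()
    parser.feed(html)
    forms = parser.form_hosts - {""}
    foreign = sorted(parser.script_hosts - forms - {""}) if forms else []
    handlers = parser.handlers if forms else []
    return ([f"script references {h}, not a form action host" for h in foreign]
            + [f"inline event handler on {h}" for h in handlers])
```

An empty list means no script on the page references a host other than the form's own; any finding is a reason to inspect the script before trusting the submit URL.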

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.