Cybercriminals Use New Tricks in Phishing Attacks

Researchers have observed phishing attacks where cybercriminals used some new tricks to avoid raising suspicion and make their operations more efficient.

An increasing number of cybercrime groups have come to realize that phishing attacks aimed at business executives can be highly profitable, but campaigns aimed at the masses can also be lucrative, which is why some malicious actors have been working on improving their methods.

Misconfigured temporary URLs

Earlier this month, Sucuri reported spotting an interesting technique used by attackers in phishing campaigns. Cybercriminals need to regularly change the domains that host their phishing pages to avoid getting blocked by security products and now they appear to have found a new way to obtain the domains they need.

According to researchers, attackers have been leveraging the fact that hosting providers, including some of the major ones, have failed to properly configure temporary URLs. These URLs, which look something like http://server-name/~username/, are offered to users in order to allow them to test their websites before linking them to their own domains.

When these temporary URLs are not configured properly, one user’s files can be accessed through any domain name on the same server. An attacker can register an account on a shared server, upload their phishing pages, and compile a list of other sites on that server.

If the temporary URLs are not set up properly, the phishing pages will be accessible from any of the neighboring domain names. For example, if the attacker uploads the phishing page to /~attacker/phishing on their own site, the page will also be accessible from,, etc.

“As a result, one server account gives them hundreds of different domains for their malicious pages for free. They can frequently change the domains without disclosing the real location of the malicious files and without having to move their files to different places when the domains get blacklisted,” Sucuri researcher Denis Sinegubko explained in a blog post.

The technique has been spotted in the wild and the security firm has observed instances where a legitimate website had been blacklisted because it was hosted on the same server as a malicious site.

Website owners can check if they are affected by trying to access their sites using their own domain name (e.g. If it works, the hosting provider has not configured temporary URLs properly.
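A site owner can also look for this exposure from the server side. The following is an added example, not code from Sucuri or the original article: it scans a domain's access log for requests to another account's /~username/ path that the server answered successfully. The combined log format, the account names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Request and status portion of a combined-format access log line (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Temporary-URL style path: /~username/...
USERDIR_RE = re.compile(r"^/~(?P<user>[^/?#]+)")

def foreign_userdir_hits(log_lines, own_account):
    """Return {account: [paths]} for /~account/ requests served on this
    domain that belong to an account other than own_account."""
    hits = defaultdict(list)
    for line in log_lines:
        req = REQUEST_RE.search(line)
        if not req:
            continue
        path = unquote(req.group("path"))  # "%7E" is an encoded "~"
        match = USERDIR_RE.match(path)
        if not match:
            continue
        status = int(req.group("status"))
        # A 2xx/3xx answer means the server really served the other account's files.
        if match.group("user") != own_account and 200 <= status < 400:
            hits[match.group("user")].append(path)
    return dict(hits)

# Constructed sample lines (documentation IP ranges, made-up account names).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2016:10:01:22 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2016:10:02:10 +0000] "GET /~myacct/test.html HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Mar/2016:10:05:41 +0000] "GET /~otheracct/secure/login.html HTTP/1.1" 200 9341 "-" "Mozilla/5.0"',
    '198.51.100.24 - - [12/Mar/2016:10:05:59 +0000] "POST /%7Eotheracct/secure/post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.30 - - [12/Mar/2016:10:09:03 +0000] "GET /~thirdacct/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for account, paths in foreign_userdir_hits(SAMPLE_LOG, "myacct").items():
        print(f"{account}: {len(paths)} request(s) served, e.g. {paths[0]}")
```

Any account reported here is content from a neighboring account being served under your domain name, which is worth raising with the hosting provider.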

Using JavaScript to silently steal credentials

A UK-based researcher who uses the online moniker dvk01uk reported coming across a PayPal phishing email that leveraged a clever technique to trick recipients into thinking that the details they provided were sent to the payment processor’s servers.

The email informed users of unusual charges on their account and instructed them to download an attached HTML form and provide the required information. Interestingly, the submit button in the form appeared to point to a legitimate PayPal domain.

A closer analysis revealed that the attackers had actually used JavaScript to intercept the submitted data and send it to the phisher’s server while redirecting victims to the legitimate PayPal website.

“The JavaScript runs as soon as the page (HTML attachment) is loaded and intercepts all posts to and diverts them to the actual phishing page to accept all your details, while your browser still goes to the genuine PayPal page, if you are unwise enough to fall for this trick,” dvk01uk explained.

“This fools the majority of anti-phishing techniques and protections, including most toolbars, phishing filters and anti-viruses, who currently only look at the URL for the submit button and don’t examine the linked JavaScript files,” the researcher added.

The use of this technique could be even more efficient if deployed on an actual website with a legitimate-looking domain name instead of an HTML form attached to an email.
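The gap dvk01uk describes, filters that read only the form's submit URL, can be narrowed by also inspecting the script an HTML attachment carries. The following is an added example, not code from the researcher or the original article: it reports script loaded from a host other than the form's action host and inline script that hooks submission. The pattern list, host names and sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic patterns (an assumption, not a complete list) for script that
# hooks or reroutes a form submission.
HOOK_RE = re.compile(
    r"""['"]submit['"]|onsubmit|\.submit\s*\(|\.action\s*=|XMLHttpRequest|\$\.(?:post|ajax)|fetch\s*\(""",
    re.I,
)

class FormScriptAudit(HTMLParser):
    """Collects form-action hosts, script hosts and submit-hooking script."""

    def __init__(self):
        super().__init__()
        self.form_hosts, self.script_hosts, self.findings = set(), set(), []
        self._script = None  # buffer for the text of the <script> being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_hosts.add(urlparse(a.get("action") or "").hostname)
            if a.get("onsubmit"):
                self.findings.append("form has an inline onsubmit handler")
        elif tag == "script":
            self._script = []
            host = urlparse(a.get("src") or "").hostname
            if host:
                self.script_hosts.add(host)

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            if HOOK_RE.search("".join(self._script)):
                self.findings.append("inline script hooks form submission")
            self._script = None

def audit_attachment(html):
    """Return findings a filter that reads only the form action would miss."""
    audit = FormScriptAudit()
    audit.feed(html)
    audit.close()
    for host in sorted(audit.script_hosts - audit.form_hosts):
        audit.findings.append(f"script loaded from {host}, not a form-action host")
    return audit.findings

# Constructed sample: the form posts to one host while script comes from another.
SAMPLE = ('<form action="https://payments.example/signin"><input name="u"></form>'
          '<script src="https://collector.example/form.js"></script>')
```

A non-empty result is a reason to quarantine the attachment for review; an empty result only means these particular heuristics found nothing.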


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
