SecurityWeek


Cybercriminals Use New Tricks in Phishing Attacks

Researchers have observed phishing attacks where cybercriminals used some new tricks to avoid raising suspicion and make their operations more efficient.


An increasing number of cybercrime groups have come to realize that phishing attacks aimed at business executives can be highly profitable, but campaigns aimed at the masses can also be lucrative, which is why some malicious actors have been working on improving their methods.

Misconfigured temporary URLs

Earlier this month, Sucuri reported spotting an interesting technique used by attackers in phishing campaigns. Cybercriminals need to regularly change the domains that host their phishing pages to avoid getting blocked by security products, and they now appear to have found a new way to obtain the domains they need.

According to researchers, attackers have been leveraging the fact that hosting providers, including some of the major ones, have failed to properly configure temporary URLs. These URLs, which look something like http://server-name/~username/, are offered to users in order to allow them to test their websites before linking them to their own domains.

When these temporary URLs are not configured properly, one user’s files can be accessed through any domain name on the same server. An attacker can register an account on a shared server, upload their phishing pages, and compile a list of other sites on that server.

If the temporary URLs are not set up properly, the phishing pages will be accessible from any of the neighboring domain names. For example, if the attacker uploads the phishing page to /~attacker/phishing on their own site, the page will also be accessible from neighbor-site1.xyz/~attacker/phishing, neighbor-site2.xyz/~attacker/phishing, etc.

“As a result, one server account gives them hundreds of different domains for their malicious pages for free. They can frequently change the domains without disclosing the real location of the malicious files and without having to move their files to different places when the domains get blacklisted,” Sucuri researcher Denis Sinegubko explained in a blog post.


The technique has been spotted in the wild and the security firm has observed instances where a legitimate website had been blacklisted because it was hosted on the same server as a malicious site.

Website owners can check if they are affected by trying to access their sites using their own domain name (e.g. http://your-domain.com/~yourusername). If it works, the hosting provider has not configured temporary URLs properly.
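The article does not name the web server involved, but the http://server-name/~username/ pattern it describes is the classic behaviour of Apache httpd's mod_userdir. The following configuration fragment is an added illustration (not from Sucuri or the article) of how the misconfiguration arises and how a hosting provider can close it: when UserDir is set in the main server configuration, every name-based virtual host on the shared server inherits it, so /~username/ resolves under every customer's domain. The hostnames and account names are hypothetical.

```apache
# Weak: set in the main server configuration, this directive is inherited by
# every name-based <VirtualHost> on the shared server, so any customer domain
# serves /~alice/ from alice's public_html.
UserDir public_html

# Hardened: disable user directories globally, then re-enable them only inside
# the virtual host that answers for the server's own hostname. Customer
# domains stop serving /~username/ paths, while the preview URL keeps working.
UserDir disabled

<VirtualHost *:80>
    ServerName server-name.example      # hypothetical temporary-URL host
    UserDir public_html
    UserDir disabled                    # default to off for every account ...
    UserDir enabled alice bob           # ... and allow only accounts that need a preview URL

    <Directory "/home/*/public_html">
        Options -Indexes
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
```

After the change, the check described above (requesting http://your-domain.com/~yourusername) should return 404 on every customer domain and succeed only on the server's own hostname.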

Using JavaScript to silently steal credentials

A UK-based researcher who uses the online moniker dvk01uk reported coming across a PayPal phishing email that leveraged a clever technique to trick recipients into thinking that the details they provided were sent to the payment processor’s servers.

The email informed users of unusual charges on their account and instructed them to download an attached HTML form and provide the required information. Interestingly, the submit button in the form appeared to point to a legitimate PayPal domain.

A closer analysis revealed that the attackers had actually used JavaScript to intercept the submitted data and send it to the phisher’s server while redirecting victims to the legitimate PayPal website.

“The JavaScript runs as soon as the page (HTML attachment) is loaded and intercepts all posts to PayPal.com and diverts them to the actual phishing page to accept all your details, while your browser still goes to the genuine PayPal page, if you are unwise enough to fall for this trick,” dvk01uk explained.

“This fools the majority of anti-phishing techniques and protections, including most toolbars, phishing filters and anti-viruses, who currently only look at the URL for the submit button and don’t examine the linked JavaScript files,” the researcher added.

The use of this technique could be even more efficient if deployed on an actual website with a legitimate-looking domain name instead of an HTML form attached to an email.

Related: Legitimate Facebook Domain Serves Phishing Page

Related: Partially Fixed eBay Flaw Exploited for Phishing, Scams

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
