
Pharma Key Target of New Phishing Campaign Using Malformed URLs

Pharma, lending, and construction companies are being highly targeted with a new phishing campaign technique that leverages malformed URL protocols to evade detection.

Threat actors are bypassing traditional URL security defenses with malformed URL protocols to attack end users, according to new data from the GreatHorn Threat Intelligence Team. Pharmaceutical companies are among the most heavily targeted by this new phishing tactic.

A URL breaks down into five components: the scheme (HTTP, FTP, mailto, or git), which tells the web client how to access the resource; the host, the primary domain or location of the resource; an optional port number, used when the resource is served on something other than the scheme's default port; the path (optional); and the query string.

Hackers understand these requirements and are taking advantage of the schematic to better trick users into interacting with malicious emails.

First observed in October 2020, the tactic does not alter the letters of the URL or any other part of it. Instead, researchers explained, attackers modify the symbols in the prefix between the scheme and the host, for example changing http:// to http:/\.

“Because the colon and two forward slashes have always been used in the standard URL format, most browsers automatically ignore this factor, using the scheme and subsequent components to take a user to the final destination,” researchers explained.

“Attackers are able to get around many email scanners using these malformed URL prefixes between the scheme and host,” they added. “The URLs don’t fit the ‘known bad’ profiles developed by simple email scanning programs, allowing them to slip through undetected.”

The method may also make the malicious emails appear legitimate to users who are unaccustomed to looking at the URL prefix for suspicious activity.

The attack has rapidly gained traction in 2021, with the volume of these attacks increasing by 5,933 percent between the first week of January and early February. The phishing attempts have been detected across a range of entities, but pharma, lending, and construction organizations are being targeted at a higher rate than others.

Entities using Office 365 for their cloud email environment are also being targeted at a higher rate than those leveraging Google Workspace.

The method is being used in several email formats, including one using a spoofed domain name. The attacker impersonates the targeted enterprise’s internal mail system by modifying the display name.

The phishing attempt can avoid “known bad” scanners through the use of email addresses and domains that don’t have a previous relationship between the sending address and the recipient or organization, as “scanners have yet to establish a reputation for the sender or domain.”

The email message contains a suspicious link with an open redirector domain, while the subject line or message will project a sense of importance.

“This specific phishing attempt impersonates a voicemail service, informing the recipient that they have a voice message. It emulates the appearance and behavior of many email platforms that use cloud-based voicemail services,” researchers explained.

“The message contains a text-embedded link (Play Audio Date.wav) that redirects to a malicious website,” they added. “The website even includes a reCAPTCHA, a common security feature of legitimate websites, showing the sophistication and subtlety of the attempted attack.”

The user is then brought to a landing page that is nearly identical to a Microsoft Office login page. If the individual inputs their credentials, they’re handing them over to attackers.

A successful exploit would also enable the hackers to access the victim’s email contacts and other sensitive information, like cloud storage. GreatHorn stressed that it’s important that enterprise administrators or security leaders scan enterprise email accounts for malformed URLs and remove those messages from the platform.
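The evasion described above works because simple scanners match only the canonical `http://` prefix, while browsers tolerate `http:/\` and still reach the host. The following scanner, an added example written for this article and not GreatHorn's own tooling, implements the scanning step recommended here: it finds URLs whose scheme is followed by any mix of forward and backward slashes, flags the ones whose separator is not the canonical `//`, and normalizes them to `//` so that the host can be extracted and fed to whatever reputation or allowlist check an organization already uses. The sample email body and the `.invalid` domains are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Pattern a naive "known bad" scanner might use: it only recognizes well-formed
# scheme prefixes, so "http:/\host" is never even extracted.
STRICT_URL_RE = re.compile(r'\b(?:https?|ftp)://[^\s<>"\']+', re.IGNORECASE)

# Tolerant pattern: scheme, colon, then one or more of "/" or "\" in any order.
# This matches the canonical "http://" as well as "http:/\", "http:\\", "http:\/".
TOLERANT_URL_RE = re.compile(
    r'\b(?P<scheme>https?|ftp):(?P<sep>[/\\]+)(?P<rest>[^\s<>"\']+)',
    re.IGNORECASE,
)

# Constructed sample message modelled on the voicemail lure described in the
# article; both domains use the reserved .invalid TLD and resolve nowhere.
SAMPLE_EMAIL = r"""Subject: New voice message received
You have a new voicemail. Play Audio Date.wav:
http:/\redirect.example.invalid/play?id=12345
Support portal: https://portal.example.invalid/help
"""


def naive_scan(text):
    """URLs a strict scanner would extract; malformed prefixes are missed entirely."""
    return STRICT_URL_RE.findall(text)


def normalize_url(scheme, rest):
    """Rewrite the separator to the canonical '//' the way a browser effectively does."""
    return f"{scheme.lower()}://{rest}"


def scan_message(text):
    """Return one finding per URL: raw form, whether the separator was malformed,
    the normalized URL, and the host a browser would actually contact."""
    findings = []
    for m in TOLERANT_URL_RE.finditer(text):
        normalized = normalize_url(m.group("scheme"), m.group("rest"))
        findings.append({
            "raw": m.group(0),
            "malformed": m.group("sep") != "//",
            "normalized": normalized,
            "host": urlsplit(normalized).hostname or "",
        })
    return findings


def suspicious_hosts(text, trusted_hosts):
    """Hosts worth quarantining: any URL with a malformed prefix, or any host that is
    not on the organization's trusted list (hypothetical allowlist supplied by the caller)."""
    return sorted({
        f["host"] for f in scan_message(text)
        if f["malformed"] or f["host"] not in trusted_hosts
    })


if __name__ == "__main__":
    print("strict scanner saw:", naive_scan(SAMPLE_EMAIL))
    for finding in scan_message(SAMPLE_EMAIL):
        print(finding)
    print("quarantine hosts:", suspicious_hosts(SAMPLE_EMAIL, {"portal.example.invalid"}))
```

The important design choice is that reputation lookups run on the normalized host, not on the raw string: a scanner that compares `http:/\redirect.example.invalid` against a blocklist keyed on canonical URLs never gets a hit, while the browser the victim uses quietly repairs the prefix and lands on the same host.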

Given the heightened targeting of healthcare and pharmaceutical companies amid the COVID-19 vaccine rollout, these entities should review their phishing protocols and email monitoring tools to ensure they can adequately protect those endpoints from compromise.

Europol previously provided thorough spear-phishing insights and a guide to recommended tech, which can help bolster policies and procedures for this high-risk vulnerability.
