logo
TitanHQ

How to Spot and Combat Rogue URLs

Posted by Trevagh Stankard on Thu, Dec 9th, 2021

Cybercriminals are resourceful and expert tricksters. They are adept at understanding human behavior and will stop at nothing to manipulate people into performing dangerous actions. To initiate a cyberattack, cybercriminals use social engineering and other tricks; therefore, stopping the attack before the fraudster has a chance to manipulate an employee, is an ideal place to prevent data breaches and other IT system attacks.

One of the most common tricks in the cybercriminal’s armory is the “rogue URL”. Cybercriminals manipulate this web standard, aka a URL, to redirect traffic to a malicious web resource that will lead to malware download and other malicious actions.

What Does A Rogue URL Look Like?

A rogue URL looks just like a legitimate URL. However, fraudsters use several tricks to hide the malicious nature of the URL link. Some of the tactics used to turn a URL rogue include:

HTTPS As a False Sense of Security

Google decided that all websites should use a digital certificate along with the SSL/TLS (Secure Sockets Layer/Transport Layer Security) protocol to provide secure communications between browser and site; this has been enforced in Chrome version 62. This may seem like a way to circumvent rogue URLs, but it is not. The Anti-Phishing Working Group (APWG) found that as of Q2 2021, 82% of phishing sites were secured using an SSL certificate identified by HTTPS rather than an HTTP in the URL.

This attempt to ‘secure the web’ has created a false sense of security and it is this that cybercriminals are taking advantage of when they create rogue URLs. Cybercriminals rely on users observing the padlock or HTTPS and then believing the site is secure.

IP Address and URL Encoding

To hide a malicious domain address, fraudsters may replace the text with an IP address and special characters. One technique that generates an obfuscated rogue URL is based on an URL Encoder. This is a method that uses percentage-based URL coding, accepted by Google. These URL encoders turn normal ASCII characters into strings that begin with a %.

This rogue URL method can trick static email protection gateways as it hides a known malicious URL address. A recent email phishing campaign used this tactic to trick users into clicking a rogue URL. The campaign relied on part of the URL looking legitimate with the payload redirection part of the URL being encoded so as not to alert the user.

An example of how this URL obfuscation might look is this:

https://google.ir/l/%65%78%61%6D%70%6C%65%2E%63%6F%6D%2F%6D%61%6C%69%63%69%6F%75%73%66%69%6C%65%2E%65%78%65

The above URL may decode to a malicious URL such as:

“example.com/maliciousfile.exe”

The browser is designed to decode this encoded URL and then redirect the browser to the malicious web server.

Long URLs

Very long URLs are a clever way of tricking, even security-savvy users, into clicking a link. The fraudsters know that many people open emails on a mobile device and those mobile devices make it difficult to open long URLs to allow inspection. Consequently, most users will not go through the steps to look at the full length of a URL in an email opened using a mobile device, instead just clicking on the link and initiating the phishing event.

Brand Spoofing

Finally, a common but less effective technique than long URLs or URL encoding is brand spoofed URLs. Fraudsters fake the look of commonly known brands to create phishing emails and add to the email, malicious phishing URLs that look legitimate. For example:

https://www.micros0ft.com/default

A user may not notice the replacement of the letter o with the number 0.

Read: 6 Types of DNS Attacks and why you need to secure the DNS Layer

Best Ways to Stop the Problem of Rogue URLs

With these rogue URL tricks in mind, here is a look at the best security measures to defend your organization against them.

Brand Spoofing and HTTPS

Cybercriminals are great at using well-known brands to trick users into feeling they can trust an email. The latest research from Checkpoint shows that brands such as Microsoft, Amazon, Dropbox, and Google, are the brands most commonly used to trick users into clicking a malicious URL.

Similarly, the use of HTTPS which is a sign of trust on the internet is used by cybercriminals to trick users into trusting a spoof website.

Security awareness training can help to educate users about the use of tricks such as brand spoofing and mitigate against attacks. However, this is not a fool-proof method as fraudsters become ever more cunning, making phishing emails more difficult to differentiate from real emails.

Relying on security awareness training also adds overhead into the productive working day of employees. A better method to prevent phishing messages containing rogue URLs entering an employee’s inbox is to remove them at the source using a DNS-based content filter.

DNS-based filters stop an attack before any content is downloaded. DNS filters that are AI-driven and that are designed to be used as agents on mobile devices, ensure that even remote employees using mobile devices are protected. 

IP Address and URL Encoding

Cybercriminals work hard to evade detection by security tools. Anti-virus software is one such tool that has been made less effective by clever techniques used in modern malware designed to evade detection by traditional anti-malware tools.

A DNS-based content filter is smart enough to detect and prevent these types of encoded URL attacks.

A DNS content filter uses the fact that encoding a URL does not change the DNS query performed when a browser processes a URL; in other words, an obfuscated URL does not evade detection by a DNS-based content filter.

3 Tips to Help MSPs Make Money using DNS

Long URLs

One 2019 phishing campaign used a 1000-character long URL to dupe users into clicking on a malicious link. These very long URLs are used alongside other phishing tactics, such as brand spoofing and social engineering, to trick even security-trained users.

Long URLs are no match for intelligent, AI-driven content filtering solutions that decode a long URL, preventing an employee from opening the associated malicious website. TitanHQ’s DNS-based filter uses a mix of blacklists of known malicious websites, crowdsourced data from over 650 million customers, and data from 700 million URLs, crawled each day to deliver 360-degree protection.

Cybercriminals will continue to attempt to evade the cybersecurity measures that an enterprise puts in place. To do so, fraudsters will use any tactic or combination of tactics to trick users, including using rogue URLs in their many forms. DNS-based filter protection should be used as part of a general layered approach to security to ensure that an organization is fully-protected, even when cybercriminals up their game and change tactics.

WebTitan is an advanced DNS security solution providing protection from cyber security threats as well as advanced DNS filtering controls to organisations and MSPs globally. Start 14-day free trial.

WebTitan

Never Miss a Blog Post

Sign-up for email updates...

Get Your 30 Day FREE Trial
TitanHQ

Talk to Our Email and DNS Security Team

Call us on USA +1 813 304 2544 or IRL +353 91 545555

Contact Us