New techniques have been developed within the Tycoon phishing kit to hide malicious links in email attacks, researchers from Barracuda have warned.
The use of URL encoding, among other new techniques, is designed to better obscure, muddle and disrupt the structure of malicious links.
“This is intended to confuse automated detection systems and ensure the links aren’t blocked,” the researchers noted.
Tycoon’s evolution comes in response to improved capabilities of email security tools to detect and block dangerous links, Barracuda added in the report, published on September 3.
“Attackers are constantly inventing new and more sophisticated ways to disguise dangerous links in phishing emails. They use tricks with spaces, symbols and web addresses in a way that looks trustworthy at first glance. These methods make it much harder for people – and traditional security software – to tell if they are being lured to a risky website,” the researchers commented.
Tycoon is a Phishing-as-a-Service (PhaaS) platform available for cybercriminals to hire on the dark web. It offers advanced capabilities, including tools to bypass detection and multi-factor authentication (MFA).
New Link Obfuscation Capabilities
URL Encoding
The Barracuda researchers observed new URL encoding techniques in phishing emails masquerading as voicemail messages from a trusted accounting service.
The URL encoding used in the fake voicemail link inserted a series of invisible spaces into the web address, using the code ‘%20’. This is designed to push the malicious part of the link out of sight of security scans.
It also added odd characters, including a Unicode symbol that looks like a dot but isn’t one.
Additionally, a hidden email address or special code was observed being included at the end of the web address.
“By using unexpected and unusual codes and symbols and making the visible web address look less suspicious and more like a normal website, the encoding technique is designed to trick security systems and make it harder for recipients and traditional filters to recognize the threat,” the researchers wrote.
The Tycoon attacks also include a fake CAPTCHA verification stage before redirecting the victim to the attacker-controlled website. This is designed to make the website appear more legitimate and bypass basic security checks.
Redundant Protocol Prefix Technique
Tycoon phishing attacks also utilized the Redundant Protocol Prefix technique, which involves crafting a URL that is only partially hyperlinked or contains invalid elements.
Examples include a link that begins with a bare ‘https’ or one that is missing the ‘//’.
This approach aims to hide the real destination of the link while ensuring the active part looks benign and legitimate and doesn’t arouse suspicion among targets or their browser controls.
Another approach is to use the ‘@’ symbol in a web address. Browsers treat everything before the ‘@’ as ‘user info’, so the attackers place something that looks reputable and trustworthy in this part, such as ‘office365’.
The link’s actual destination comes after the ‘@’ symbol.
Subdomain Abuse
Another approach used to obfuscate malicious links in Tycoon attacks again involved a benign/malicious split, this time for subdomains.
The attackers created fake websites using names seemingly linked to well-known companies, such as ‘office365Scaffidips.azgcvhzauig.es’.
This makes users think they are dealing with a Microsoft subdomain, but the last part of the web address is an attacker-owned phishing site.
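The indicators described in the sections above (percent-encoded space padding, dot-lookalike characters, a brand name placed before ‘@’ or in a subdomain, a malformed or repeated scheme prefix, and an e-mail address appended to the link) can be checked with a small triage function. This is an added example for defenders, not code from Barracuda's report; the brand token list, the dot-lookalike set and the sample URLs are constructed for illustration, and the registrable-domain split is a naive two-label approximation.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed brand tokens: a legitimate link carries these in the
# registrable domain, not in the userinfo or subdomain portion.
BRAND_TOKENS = ("office365", "microsoft", "outlook")
# Code points that render like a dot but are not U+002E FULL STOP.
DOT_LOOKALIKES = ("\u2024", "\u3002", "\uff0e", "\uff61")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def url_indicators(raw: str) -> list[str]:
    """Return the obfuscation indicators present in one extracted link."""
    found = []
    # Redundant Protocol Prefix: a scheme token with no '://' behind it
    # (e.g. 'httpsexample.com'), or more than one scheme token in the link.
    m = re.match(r"^(https?)(://)?", raw, re.IGNORECASE)
    if m and m.group(2) is None:
        found.append("scheme_without_separator")
    if len(re.findall(r"\bhttps?\b", raw.lower())) > 1:
        found.append("redundant_scheme_token")  # heuristic: redirect params also trip this
    # Percent-encoded whitespace used to push the real target out of view.
    if re.search(r"%(20|09|0a|0d)", raw, re.IGNORECASE):
        found.append("encoded_whitespace_padding")
    if any(ch in raw for ch in DOT_LOOKALIKES):
        found.append("unicode_dot_lookalike")
    # Repair the prefix so urlsplit sees the real authority, then split off
    # userinfo: everything before '@' is user info, not the destination host.
    parts = urlsplit(re.sub(r"^(https?)(://)?", r"\1://", raw, flags=re.IGNORECASE))
    userinfo, _, host = parts.netloc.rpartition("@")
    if userinfo:
        found.append("userinfo_present")
        if any(tok in userinfo.lower() for tok in BRAND_TOKENS):
            found.append("brand_in_userinfo")
    labels = host.split(":")[0].lower().split(".")
    # Naive split: the last two labels are taken as the registrable domain.
    # Use the Public Suffix List in production (suffixes such as co.uk).
    registrable, subdomains = ".".join(labels[-2:]), ".".join(labels[:-2])
    if any(t in subdomains for t in BRAND_TOKENS) and not any(t in registrable for t in BRAND_TOKENS):
        found.append("brand_in_subdomain_only")
    # Hidden e-mail address or token appended after the host.
    if EMAIL_RE.search(unquote(f"{parts.path}?{parts.query}#{parts.fragment}")):
        found.append("email_in_tail")
    return found


if __name__ == "__main__":
    # Constructed sample built around the subdomain pattern quoted in the article.
    print(url_indicators("https://office365Scaffidips.azgcvhzauig.es/"))
```

Run over links extracted from a mail body, any non-empty result marks the message for closer inspection rather than blocking it outright; the subdomain check in particular needs a proper public-suffix split before it is used at scale.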