It's not big and it's not clever

Security researchers have discovered a new tactic used by phishing gangs to conceal the URLs of fake websites from even the more savvy of victims.

Dubbed URL padding, the technique relies on the smaller address bars of mobile devices, which stop users from seeing the whole address. Crooks abuse this user interface limitation to pad out fake URLs with hyphens, so that it becomes very difficult to identify a phishing site by its web address.

In a blog post, Crane Hassold, senior security threat researcher at Phish Labs, said that the highest proportion of attacks are aimed at Facebook users. For example, he said he had witnessed one such example: “hxxp://m.facebook.com----------------validate----step1.rickytaylk[dot]com/sign_in.html”.

“Although it starts with m.facebook.com (the genuine path for Facebook mobile), the actual domain in this case is rickytaylk.com,” he said.

Hassold said that while this doesn't look convincing on a desktop computer, when loaded into the smaller window of a mobile browser, it doesn't look as obvious.

“In fact, with the phishing site setup as an almost perfect replica of Facebook's genuine mobile login page, and the clever addition of the Facebook favicon in the address bar, this site looks remarkably genuine,” he said.

There were other examples he spotted deployed against users of Comcast, Craigslist, Offer Up and iCloud.
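As an added illustration that is not part of the article or of PhishLabs' own work, the following Python triage helper refangs the padded URL quoted above, extracts the real registrable domain and flags hostnames in which a brand name appears to the left of that domain alongside a long run of hyphens. The brand list (taken from the brands named in the article), the four-hyphen threshold and the last-two-labels domain heuristic are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the padded URL quoted in the article, kept in its defanged form.
SAMPLE = "hxxp://m.facebook.com----------------validate----step1.rickytaylk[dot]com/sign_in.html"

# Brands the article says were impersonated (assumed spelling for Offer Up).
BRANDS = {"facebook", "comcast", "craigslist", "offerup", "icloud"}

# Assumed threshold: this many consecutive hyphens in a hostname counts as padding.
PADDING_RUN = 4


def refang(url):
    """Turn a defanged indicator back into a parseable URL (hxxp and [dot] conventions assumed)."""
    return url.replace("hxxp", "http").replace("[dot]", ".").replace("[.]", ".")


def registrable_domain(host):
    """Naive heuristic: last two labels. A real deployment would consult the Public Suffix List."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse(url):
    """Return what a reviewer needs to judge a link: the true host, the real domain,
    the longest hyphen run, any brand names sitting in the deceptive prefix, and a verdict."""
    host = urlsplit(refang(url)).hostname or ""
    domain = registrable_domain(host)
    longest_run = max((len(m) for m in re.findall(r"-+", host)), default=0)
    # Everything left of the registrable domain is attacker-controlled decoration.
    prefix = host[: len(host) - len(domain)].rstrip(".")
    brands = sorted(b for b in BRANDS if b in prefix)
    # Flag only when a brand is impersonated in the prefix AND the host is padded with hyphens,
    # so a legitimate "facebook.com" subdomain or a hyphenated fan page is not flagged.
    suspicious = bool(brands) and longest_run >= PADDING_RUN
    return {
        "host": host,
        "domain": domain,
        "longest_hyphen_run": longest_run,
        "brands_in_prefix": brands,
        "suspicious": suspicious,
    }


def mobile_view(host, width=24):
    """What a narrow address bar would actually show: only the start of the padded hostname."""
    return host[:width]


if __name__ == "__main__":
    result = analyse(SAMPLE)
    print("mobile address bar shows:", mobile_view(result["host"]))
    print(result)
```

Running the block prints a verdict of `suspicious: True` for the sample with `rickytaylk.com` as the real domain, while `https://m.facebook.com/login` is left unflagged.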

Hassold said that this style of phishing attack is very effective because users can't hover over links on mobile devices, so determining whether or not a link is safe is, at the very least, much more difficult.

“Until you visit the site, you have no way of knowing whether it's legitimate. And, as we've already seen, once you're there the URL padding approach is highly effective at obscuring the site's real domain,” he added.

There's very little inherent value in cracking a Facebook account as there is no monetary reward for doing so, but Hassold said that the main reason for targeting these particular websites is password reuse.

“Most people use the same email and password combination for almost all of their accounts, so stealing a single set of credentials can actually be highly profitable,” he said. So, cracking a Facebook account might reveal the credentials for other accounts belonging to the user which can be financially exploited.

The other motivation is the domino effect: cracking a Facebook account gives you trusted status when communicating with hundreds of other users.

“Instead of trying to profit directly, we believe threat actors are looking to use individuals' Facebook accounts to send out even more phishing lures via status updates or private messages. And as we've already noted, most people have been conditioned to check mobile notifications immediately, making this a highly effective tactic.”

This new flavour of attack only reinforces the existing advice to users: stop and think before clicking that link.

Javvad Malik, security advocate at AlienVault, told SC Media UK that mobile phones are responsible for an increasing amount of web traffic, so it is not surprising that phishers are going after mobiles.

“While the padding attack is a viable method, if criminals see success, there is no reason not to believe that increasingly sophisticated phishing attacks will be developed for mobile devices,” he said.

“Being mobile, it is more difficult to deploy endpoint protection. So user awareness and education is key. Enterprises should also look at what options they have available, such as use of MDM products that can isolate corporate data. They should also look to monitor inbound traffic from mobile devices to pick up any anomalous activity, such as a spike in data being downloaded.”

Ilia Kolochenko, CEO of web security company High-Tech Bridge, told SC that similar phishing techniques have existed for many years already. 

“Now, we just see an exploitation vector targeting mobile users in particular. I doubt that these phishing campaigns will be remarkably successful or efficient,” he said.

“On iPhone's Safari for example, such domains will likely never be highlighted in green in the location bar (EV certificate), alerting users that something is definitely wrong. Those people who don't notice this difference would probably click on or install anything that you provide them with, so I don't see any emerging or conceptually-new danger coming from URL padding.”