- Barracuda says Tycoon now offers new ways to hide malicious links in emails
- URL encoding, fake CAPTCHAs, domain splits, and other techniques were spotted in the wild
- The researchers urge businesses use a multi-layered approach to security
Tycoon, a popular phishing kit responsible for the majority of email-borne attacks these days, has apparently been updated with new techniques to help threat actors hide malware and malicious links in email messages.
Security researchers Barracuda released an in-depth report covering numerous new tactics being observed in the wild, including URL encoding, fake CAPTCHAs, Redundant Protocol Prefix technique, using the ‘@’ symbol, and subdomain split abuse.
With the URL encoding technique, the attackers would insert a series of invisible spaces into web addresses to push the malicious parts of the link out of sight of security scans, or add odd characters such as Unicode symbols.
Multi-layered defenses
“By using unexpected and unusual codes and symbols and making the visible web address look less suspicious and more like a normal website, the encoding technique is designed to trick security systems and make it harder for recipients and traditional filters to recognize the threat,” Barracuda explained.
Fake CAPTCHAs, on the other hand, make the website seem more legitimate while, at the same time, bypassing basic security checks.
The Redundant Protocol Prefix technique involves crafting a URL that is only partially hyperlinked, or that contains invalid elements (for example, two ‘https’, or no //). This hides the real destination of the link, while making the active parts seem legitimate. The @ symbol can be used in a web address to hide the malicious part of the URL.
Since everything before the ‘@’ is treated as ‘user info’ by browsers, attackers can put something trustworthy there, such as ‘office365’. The link’s actual destination – the malicious landing page – comes after the ‘@’.
Thy Tycoon kit is also capable of a benign/malicious split in subdomains. It now allows threat actors to create fake websites using names seemingly linked to well-known companies (for example ‘office365Scaffidips.azgcvhzauig.es).’ This could trick victims into thinking they’re dealing with a Microsoft subdomain, but the last part of the address is the actual, attacker-owned phishing site.
Phishing is getting more complex, more sophisticated, and thus – more difficult to detect – by the minute. Barracuda says the best defense is a multilayered approach with various levels of security that can spot, inspect, and block unusual or unexpected activity.
They also recommend AI-powered, or machine learning solutions, paired with regular employee awareness training.
