What is URL phishing?

Skilfully created phishing emails are difficult to detect and convincing. Phishing URLs also resemble genuine versions. However, there are ways to cut phishing URL risks by spotting malicious links and filtering attack sites.

How does URL phishing work?

URLs (or "Uniform Resource Locators") are text-based web addresses that identify sites and provide a way to access them via standard web browsers. URLs provide convenient identifiers but can become threats if web addresses are deceptive.

URL phishing exploits this situation. Phishers create content to build trust and persuade recipients that criminals are genuine contacts. This content could be SMS messages, phone calls, social media interactions, or, most commonly, phishing emails.

Phishing emails contain embedded URLs that direct users to a fake website managed by the attacker. Fake sites typically resemble those of legitimate brands. For example, attackers may imitate a vendor the target company regularly uses.

Emails encourage readers to click the link, using urgent language or other appeals. When victims arrive at the site, criminals can entice them to download malware-infected files. They may also provide fake data entry forms for login credentials or financial information.

In sophisticated attacks, fake websites redirect victims to the legitimate site they assumed they were visiting. When this happens, targets probably don't know they are under attack and often unwittingly hand over personal information.

Types of URL phishing

The description above is a general outline of how URL phishing attacks work. However, there are several different URL phishing techniques. Companies need to understand how they operate when implementing effective prevention measures.

Common URL phishing methods include:

• Imitating trusted vendors/partners: In this URL phishing type, attackers take the persona of trusted partners. For example, their research may disclose regular contact between an IT maintenance provider and the victim. Attackers mimic the website of the trusted contact. Victims often click out of habit and mistake attack sites for the real thing.
• Law enforcement and regulators: Attackers may imitate official organizations and pretend to require urgent action. Examples include law enforcement bodies demanding action to avoid further action or tax authorities requesting verification of rebates and payments.
• Fake fraud notifications: URL phishing attacks send fake alerts about fraudulent transactions on the target's credit card or bank account. They advise victims to click links to change their passwords or confirm transactions.

Criminals also have several ways to engineer convincing web addresses. Common techniques to check for include:

• Typosquatting: Attackers make slight changes to the spelling or domain names. For example, "hotmaii.com" or "goggle.com".
• Homograph attacks: Attackers use different character sets to create almost identical domain names (for example, by exchanging a zero for an "O").
• Subdomain spoofing: Attackers add fake subdomains onto website names. An example could be "security.amazon-sales.com".
• URL shortening: URL phishing attacks use URL shortening services to hide complete domain names.
• Spoofed certificates: Attackers can create fake HTML padlocks and SSL certificates to boost trust. However, they usually obtain genuine, free TLS certificates, making the padlock icon an unreliable trust signal.
• URL redirects: Phishing emails display what look like authentic addresses, but redirect to a malicious website.
• Manipulating query strings: Parameters entered after the main URL redirect visitors to other sites.

How to identify URL phishing

Phishers constantly develop new techniques and tricks to deceive targets. However, potential victims can often identify URL phishing before clicking links or providing sensitive information.

Here are some ways to effectively identify URL phishing attacks:

• Focus on domain names: Display names can be deceptive. Instead, check domain names by hovering over a suspect link. Are there spelling errors? Look closely, as minor mistakes can be hard to spot. Check for unusual subdomains or query language in the link. Is this how the contact usually formats their links?
• Verify the sender address: Emails should provide a sender address. Check that the sender is a known contact, and the address matches one you have previously interacted with. If necessary, reply to the email asking for verification. Trusted sources will confirm that links are genuine and explain why they are needed.
• Check for HTTPS link formats: The "S" in HTTPS signifies that websites are encrypted. Avoid unencrypted sites without carefully verifying their legitimacy.
• Look for shortened links: Shortened links provide little information about a domain's legitimacy. Avoid clicking shortened links in emails, or use sandboxing tools to avoid accidentally opening a malicious website.
• Assess the email content: URL Phishing emails are usually not written by brand experts with flawless grammar. They regularly contain errors in style, spelling, grammar, and accuracy. Look for unusual mistakes before clicking embedded URLs.
• Note any data entry issues: Be cautious if you arrive at a login page after clicking an embedded link. Most importantly, check whether your login credentials auto-complete. If not, you may well have arrived at an attack site.

Examples of URL phishing

URL phishing is a common threat technique, with countless examples from cybersecurity history. Here are a few notorious cases that illustrate how criminals execute URL phishing attacks:

Fake Amazon Web Services portals

In 2020, security researchers exposed a URL phishing campaign that used emails to direct victims to fake Amazon Web Services pages. The fake pages looked almost identical to the AWS landing page, with a convincing entry field for user credentials.

Attackers sent AWS users a notification email informing them to visit their Amazon cloud. However, the fake site actually saved their details for criminal use. In this attack, threat actors routed emails through a French Virtual Private Network, making their phishing attempts much harder to trace.

FedEx delivery scams

FedEx scams routinely use branded emails to fool unsuspecting victims. Phishers tend to send fake notifications alerting customers to delivery problems. Customers click the embedded link to resolve issues, only to have their credentials stolen by a convincing but fake website.

Landing pages use several techniques to manipulate visitors. Attackers might ask customers to verify their identities, confirm shipping payments, or levy additional fees. These requests seem to be legitimate. Postage problems occur all the time. But familiarity generates complacency, leading victims to hand over personal information.

MailChimp phishing that fools security veterans

Tory Hunt's experience demonstrates that everyone is vulnerable to URL phishing attempts. Hunt owns the HaveIBeenPwned site, which tracks credential thefts and informs affected users. However, he had to email 16,000 site members after falling for a MailChimp URL phishing attack.

Attackers sent Hunt an email from the email services company with the header "Sending Privileged Restricted." Hunt followed a link to review his account and entered his credentials.

Hunt instantly realized something was wrong as the password field did not auto-complete as expected. But he was too late. Automated tools extracted site credentials in seconds before Hunt could lock his account.

How to protect against URL phishing

URL phishing is a simple attack with severe consequences. Individuals can suffer financial loss or identity theft, while organizations can lose control of their data in moments. Robust protective measures are essential. Measures should include technical security tools and employee training.

Use the checklist below to strengthen your network security and block potential URL phishing attacks:

Implement URL filtering

URL filtering protects against URL phishing by scanning website addresses and comparing them to threat intelligence databases. Security teams can set URL filters to automatically block known attack sites, putting them off limits to all network users.

URL filtering is more effective when integrated with email clients. Ensure that filters scan all incoming emails and quarantine suspicious messages for assessment by security experts.

Use DMARC to ensure secure email communication

URL phishers rely on reaching email inboxes without raising suspicion. Their task is simple if you leave inboxes unprotected. DMARC ("Domain-based Message Authentication, Reporting & Conformance") solves this problem by verifying the origins of email senders.

Block malicious downloads with Web Protection

NordLayer's Web Protection tools scan downloads for malware signatures before execution. Tools can also block downloads from sites logged on global threat databases, adding an extra layer of protection should users click malicious links.

Train network users to spot URL phishing attacks

Security controls are only a partial solution to URL phishing. Companies must also educate employees (and third-party network users) to spot suspicious links and report them promptly.

Create a separate training module for URL phishing, including sections on phishing techniques, how to analyze emails, and how to respond to phishing incidents. Revisit security policies and make sure they include information about URL reporting and only clicking links from trusted contacts.

How to report a phishing URL

URL phishing emails are a global issue. As a security community, knowledge of phishing incidents helps us respond more effectively and improve prevention tools. This surveillance system only works if you report phishing URLs when they are detected.

Reporting starts within your organization. Create simple processes for employees to report phishing links to security officers. However, internal reporting is not enough. Security teams should forward information to national and international phishing databases.

In the United States, CISA offers a streamlined portal to report phishing links. Other information-gathering portals include the Anti-Phishing Working Group and Google Safe Browsing.

Phishers are becoming more sophisticated, learning new ways to build and conceal fake websites. Stay ahead of cyber criminals by implementing URL phishing prevention measures, training staff, and reporting malicious links as quickly as possible.