Researchers are seeing an increase in the use of reverse tunnel services, combined with URL shorteners, in large-scale phishing operations, which makes the malicious activity harder to detect.
This strategy differs from the more typical practice of registering domains with hosting providers, who are more inclined to respond to abuse complaints and take phishing sites down.
Threat actors can use reverse tunnels to host phishing websites locally on their own computers and route connections through an external service. They can evade detection by using a URL shortening service to produce new links as frequently as they desire.
Many phishing URLs are renewed in less than 24 hours, making tracing and eliminating the domains more complex.
CloudSEK, a digital risk prevention company, has seen a rise in the number of phishing campaigns that combine reverse tunnelling and URL shortening services. According to a report the company shared with BleepingComputer, researchers discovered more than 500 sites hosted and distributed in this manner.
CloudSEK discovered that the most extensively misused reverse tunnel services are Ngrok, LocalhostRun, and Cloudflare's Argo. They also saw an increase in the use of URL shortening services such as Bit.ly, is.gd, and cutt.ly.
Reverse tunnel services shield the phishing site by handling all connections to the local server on which it is hosted. The tunnel service terminates each incoming connection and forwards it to the local computer.
Victims who interact with these phishing sites have their personal data saved directly on the attacker's computer.
According to CloudSEK, the threat actor then hides the tunnel URL, which is often a string of random characters, behind a URL shortener.
As a result, a suspicious domain name is masked under a short URL.
Adversaries, according to CloudSEK, distribute these links through popular communication channels such as WhatsApp, Telegram, email, SMS, or bogus social media pages. It is important to note that the abuse of these services is not new.
In February 2021, for example, Cyble published evidence of Ngrok abuse. According to CloudSEK's findings, however, the situation is worsening.
CloudSEK discovered one phishing campaign that impersonated YONO, a digital banking platform provided by the State Bank of India.
The attacker's URL was masked under "cutt[.]ly/UdbpGhs" and redirected to the site "ultimate-boy-bacterial-generates[.]trycloudflare[.]com/sbi," which made use of Cloudflare's Argo tunnelling service.
This phishing page asked for bank account information, PAN card numbers, Aadhaar unique identification numbers, and mobile phone numbers. CloudSEK did not disclose the effectiveness of this operation, but it did point out that threat actors seldom use the same domain name for more than 24 hours; they do, however, recycle the phishing page designs.
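One defender-side check that follows from the campaign above, written here as an added example rather than tooling from CloudSEK or BleepingComputer: scan log lines for URLs whose host sits under a reverse-tunnel or shortener domain, refanging `[.]` notation first and matching on domain suffix so that look-alike hosts are not flagged. The suffix lists are an assumption to extend from your own threat intelligence; trycloudflare.com, bit.ly, is.gd and cutt.ly come from the report, while ngrok.io and localhost.run are assumed hostnames for the other two services named.

```python
import re
from urllib.parse import urlsplit

# Illustrative suffix lists (assumption: extend from your own threat intel).
# trycloudflare.com, bit.ly, is.gd and cutt.ly appear in the report above;
# ngrok.io and localhost.run are assumed hostnames for the other two services.
TUNNEL_SUFFIXES = ("trycloudflare.com", "ngrok.io", "localhost.run")
SHORTENER_HOSTS = ("bit.ly", "is.gd", "cutt.ly")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def refang(text):
    """Undo common defanging such as hxxp:// and example[.]com."""
    text = re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)
    return text.replace("[.]", ".").replace("(.)", ".")


def host_matches(host, suffixes):
    """True if host equals, or is a subdomain of, any suffix (no substring tricks)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify_url(url):
    """Return 'tunnel', 'shortener' or None for a single URL."""
    host = urlsplit(refang(url)).hostname or ""
    if host_matches(host, TUNNEL_SUFFIXES):
        return "tunnel"
    if host_matches(host, SHORTENER_HOSTS):
        return "shortener"
    return None


def scan_log(lines):
    """Return (line_no, url, label) for every flagged URL in the log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(refang(line)):
            label = classify_url(url)
            if label:
                hits.append((n, url, label))
    return hits


# Constructed sample log lines; the hosts in the first two come from the report.
SAMPLE_LOG = [
    "2022-06-06T10:01:02Z sms-gw url=https://cutt[.]ly/UdbpGhs",
    "2022-06-06T10:01:09Z proxy GET https://ultimate-boy-bacterial-generates.trycloudflare.com/sbi",
    "2022-06-06T10:02:00Z proxy GET https://trycloudflare.com.evil-example.test/login",
    "2022-06-06T10:03:00Z proxy GET https://bank.example/login user typed URL",
]

if __name__ == "__main__":
    for n, url, label in scan_log(SAMPLE_LOG):
        print(f"line {n}: {label:9s} {url}")
```

The third sample line is deliberately a look-alike host that merely contains the tunnel domain as a prefix; suffix matching leaves it unflagged, which is the behaviour you want from a blocklist-style rule.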
"Even if a URL is reported or blocked, threat actors can easily host another page, using the same template" - CloudSEK
This sensitive information may be sold on the dark web or used by attackers to drain bank accounts. If the information comes from a business, the threat actor might use it to carry out ransomware attacks or business email compromise (BEC) fraud.
To protect themselves from this type of threat, users should avoid clicking on links received from unknown or dubious sources. Manually typing a bank's domain name into the browser is a reliable way to avoid landing on a bogus website.