Phishing Kit Uses Novel URI Fragmentation Technique in Pre-Holiday Campaigns

Phishing continues to be a highly dangerous online threat, as threat actors are persistent in improving their methods. One of the latest successful phishing campaigns was recently detected by Akamai Security Research. The team “has observed a new and highly sophisticated phishing kit” that imitates a number of popular retail brands ahead of the holiday season.

The kit's high success rate is due to a mixture of evasion techniques and social engineering tricks. One of its notable aspects is a token-based system that ensures each victim is redirected to a unique phishing URL. In addition, the threat actor uses URL shorteners, fake user profiles and testimonials, and even a CDN to achieve infrastructure resilience.

Fake Customers and User Testimonials

The researchers performed a detailed analysis of the fake customer profiles. One particular fake user, Natalie Hamilton, was recycled with slight modifications across the various scam templates. The prize review comments were also customized, appearing legitimate at first glance. What gave the scam away is the strong similarity of the comments across the prize offerings, which would still go unnoticed by an average online user.

URI Fragmentation

URI fragmentation is another interesting feature of the kit, and a novel evasion technique. What is it all about?

“The URL fragment identifier is a hash mark (#), also known as HTML anchor, in the URI link that points a browser to a specific spot in a page or website. This is a technique commonly used in tables of contents or other categorization lists for a better user experience. The values being after the HTML anchor will not be considered as HTTP parameters and will not be sent to the server, yet this value will be accessible by JavaScript code running on the victim’s browser. In the context of a phishing scam, the value placed after the HTML anchor might be ignored or overlooked when scanned by security products that are verifying whether it is malicious or not. This value will also be missed if viewed by a traffic inspection tool,” the researchers explained.
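The following added example (not code from Akamai or from the kit) shows the defender's side of the fragment behavior described above: it separates the part of a link that appears in the HTTP request from the part that stays in the browser, and flags fragments that look like data rather than page anchors. The URLs, the thresholds and the reason labels are constructed assumptions.

```javascript
// Added example: URLs, thresholds and reason labels below are constructed.
// Shannon entropy in bits per character; tokens score higher than anchor names.
function shannonEntropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts).reduce((h, n) => {
    const p = n / s.length;
    return h - p * Math.log2(p);
  }, 0);
}

// Split a link into what the server and inline inspection see versus what
// only client-side JavaScript sees, and score the fragment.
function inspectLink(raw) {
  const u = new URL(raw);
  const fragment = u.hash.slice(1); // never included in the HTTP request
  let decoded = fragment;
  try { decoded = decodeURIComponent(fragment); } catch (e) { /* malformed escape: keep raw */ }

  const reasons = [];
  // Hypothetical heuristic: long, digit-bearing, high-entropy string = token.
  if (/^[A-Za-z0-9_-]{16,}$/.test(fragment) && /\d/.test(fragment) &&
      shannonEntropy(fragment) >= 3.5) reasons.push("opaque-token");
  if (/https?:\/\//i.test(decoded)) reasons.push("embedded-url");
  if (/[=&]/.test(decoded)) reasons.push("key-value-data");

  return {
    onTheWire: u.pathname + u.search,               // request target seen by proxies
    fragment,
    strippedKey: u.origin + u.pathname + u.search,  // key of a scanner that drops '#...'
    fullKey: u.href,                                // key that keeps the fragment
    reasons,
  };
}

// Constructed sample links using reserved .example names.
const samples = [
  "https://docs.example/guide#section-2",
  "https://promo.example/win?c=1#a8f3k2Qz9LmX0pVt7Yb1",
  "https://promo.example/win?c=1#Zq7Lm2Xa9Pv4Kt8Rb3Yd",
  "https://promo.example/r#https%3A%2F%2Flanding.example%2Fp",
];
for (const s of samples) console.log(JSON.stringify(inspectLink(s)));
```

The second and third samples share a `strippedKey` but differ in `fullKey`, which is why a verdict cache or URL scanner that discards the fragment treats distinct links as one.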

What’s the researchers’ conclusion? This phishing kit proves why phishing scams continue to be so successful. Threat actors are well acquainted with mitigation, social engineering, and various tactics that make detection almost impossible. “This blog post is not a dig at any security product or vendor’s efficacy — instead it showcases how even multiple layers of defense can be eroded to achieve a malicious purpose,” the team concluded.

Another example of a successful phishing-as-a-service kit was detected in September. Called EvilProxy, the platform specializes in reverse proxy phishing campaigns that aim to circumvent MFA [multi-factor authentication] mechanisms.

Milena Dimitrova
