Security researchers have discovered a new tactic used by phishing gangs to conceal the URLs of fake websites from even fairly savvy victims.
Dubbed URL padding, the technique relies on the small address bars of mobile devices, which stop users from seeing the whole address. Crooks abuse this by padding fake URLs with long runs of hyphens, so it becomes very difficult to identify a phishing site by its web address.
In a blog post, Crane Hassold, senior security threat researcher at PhishLabs, said that the highest proportion of attacks are aimed at Facebook users. As an example, he said he had witnessed the following URL: “hxxp://m.facebook.com----------------validate----step1.rickytaylk[dot]com/sign_in.html”.
(http was replaced with hxxp for security reasons; the phishing site is now offline)
“Although it starts with m.facebook.com (the genuine path for Facebook mobile) the actual domain in this case is rickytaylk.com.” To explain it a little further: everything to the left of rickytaylk.com is subdomain text under the attacker's registered domain, so the whole padded hostname is under their control. Unfortunately this technique also works with free hosting, as the majority of free hosts place their own extension at the end of the URL (although don't expect many free domains to remain available, as these campaigns normally acquire as many domains as possible).
Hassold said that while this doesn't look convincing on a desktop computer, when loaded into the smaller window of a mobile browser, it doesn't look as obvious.
“In fact, with the phishing site set up as an almost perfect replica of Facebook's genuine mobile login page, and the clever addition of the Facebook favicon in the address bar, this site looks remarkably genuine,” he said.
There were other examples he spotted deployed against users of Comcast, Craigslist, Offer Up and iCloud.
Hassold said that this style of phishing attack is very effective as users can't hover over links on mobile devices.
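As an added defender-side example (not code from PhishLabs or from this article), the following Python pulls the real registrable domain out of a URL and flags the two signals of the padding trick described above: a long hyphen run in the subdomain, and a watched brand name that appears only in the subdomain. The brand list, the hyphen threshold and the "last two labels" domain rule are assumptions; production code should use the Public Suffix List instead of the two-label rule.

```python
import re
from urllib.parse import urlsplit

# Brands from the article's reported targets; the list itself is an assumption for this example.
WATCHED_BRANDS = {"facebook", "comcast", "craigslist", "offerup", "icloud"}
PADDING_RUN_THRESHOLD = 4  # assumed: legitimate labels rarely contain 4+ consecutive hyphens


def refang(url: str) -> str:
    """Undo common defanging (hxxp, [dot], [.]) so URLs copied from reports can be parsed."""
    return re.sub(r"\[(?:dot|\.)\]", ".", url, flags=re.IGNORECASE).replace("hxxp", "http", 1)


def registrable_domain(host: str) -> str:
    """Simplification: the last two labels. Real code should consult the Public Suffix List
    so that hosts such as example.co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_url(url: str) -> dict:
    """Return the registrable domain of a URL together with URL-padding indicators."""
    host = (urlsplit(refang(url)).hostname or "").lower()
    reg = registrable_domain(host)
    # Everything left of the registrable domain is subdomain text chosen by the domain owner.
    sub = host[: -len(reg)].rstrip(".") if host != reg and host.endswith(reg) else ""
    padding_run = max((len(m) for m in re.findall(r"-+", sub)), default=0)
    # A watched brand in the subdomain but not in the registrable domain is exactly the
    # deception in the article: m.facebook.com... sitting under rickytaylk.com.
    flat = sub.replace("-", "")
    brands = sorted(b for b in WATCHED_BRANDS if b in flat and b not in reg)
    reasons = []
    if padding_run >= PADDING_RUN_THRESHOLD:
        reasons.append(f"hyphen run of {padding_run} in subdomain")
    if brands:
        reasons.append("brand name in subdomain: " + ", ".join(brands))
    return {
        "host": host,
        "registrable_domain": reg,
        "subdomain": sub,
        "padding_run": padding_run,
        "brands_in_subdomain": brands,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed sample: the defanged URL quoted in the article plus a genuine mobile login URL.
    for u in ("hxxp://m.facebook.com----------------validate----step1.rickytaylk[dot]com/sign_in.html",
              "https://m.facebook.com/login"):
        print(analyze_url(u))
```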
TIPS
- When in doubt, don't check it out
- Search for it manually on Google
- If prompted for a login, it's likely a phish