Digital criminals used percentage-based URL encoding to help their phishing campaign evade detection by secure email gateways.
In mid-September, the Cofense Phishing Defense Center came across a phishing email that originated from a compromised email account for a recognizable American brand. The message informed recipients that they had a new invoice awaiting payment. Under that pretense, the email instructed recipients to click on an embedded “View Invoice” hyperlink button.
At first glance, the top-level domain for the hyperlink button appears to be google.lv, the home page for Google Latvia. It therefore doesn’t raise red flags with many perimeter security tools. But a closer look reveals that the hyperlink employs “hxxps://google.lv/url?q=,” which tells Google to query a specific URL or string. In this case, the string employs URL encoding by which it replaces ASCII characters with a “%” symbol followed by two hexadecimal digits.
Cofense explains that this technique helped the campaign further fool URL and domain checks by perimeter security solutions. As quoted in its research:
Most web browsers recognize URLs that contain hexadecimal character representations and will automatically decode them back into ASCII on the fly without any user interaction. When users click on the hyperlink within the email, they are redirected through their browsers to Google to query the encoded string. This is recognized as a URL to redirect the user to the final destination of the malicious payload.
That final destination was a phishing page designed to steal users’ Office 365 credentials.
This campaign highlights the ingenuity with which digital criminals craft increasingly more sophisticated phishing attacks. Acknowledging this trend, organizations have an incentive to educate their entire workforce about the dangers of phishing. They should do this by creating a security awareness training program that, among other things, uses simulation and training to familiarize all employees with some of the most common types of phishing attacks.