Tycoon phishing kit uses sneaky new techniques to hide malicious links

Phishing emails often feature malicious links (URLs) that lead victims to fake websites where they are infected with harmful software or tricked into giving away personal information.

There’s a constant battle between security tools getting better at identifying bad links and attackers trying to hide them more effectively. Barracuda has uncovered some of the latest approaches its researchers are seeing in attacks involving the advanced phishing-as-a-service (PhaaS) kit, Tycoon.

The analysts have found Tycoon using URL encoding techniques to hide malicious links in attacks leveraging a trusted accounting service. These include inserting a series of invisible spaces into the web address (using the code ‘%20’) to push the malicious part of the link out of sight of security scans, adding odd characters, like a ‘Unicode’ symbol that looks just like a dot but isn’t one, and inserting a hidden email address or special code at the end of the web address.

By using unexpected and unusual codes and symbols and making the visible web address look less suspicious and more like a normal website, the encoding technique is designed to trick security systems and make it harder for recipients and traditional filters to recognize the threat.

Another trick is using the ‘@’ symbol in a web address. Everything before the ‘@’ is treated as ‘user info’ by browsers, so attackers put something that looks reputable and trustworthy in this part, such as ‘office365’. The link’s actual destination comes after the ‘@’.
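A mail filter or triage script can check links for the indicators described above: runs of ‘%20’ padding, a dot lookalike in the host, an email address appended to the URL, and text before an ‘@’ in the authority. The following is an added example, not code from Barracuda or the Tycoon kit; the lookalike list, the padding threshold of three and all sample URLs are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Characters that render like "." but are not U+002E (assumed, non-exhaustive list).
DOT_LOOKALIKES = {"\u2024", "\u3002", "\uff0e", "\uff61", "\u00b7", "\u2219"}
# Three or more consecutive encoded or literal spaces; the threshold is an assumption.
SPACE_RUN = re.compile(r"(?:%20|\s){3,}", re.IGNORECASE)
# An email address sitting at the very end of the decoded path, query or fragment.
EMAIL_TAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+$")


def inspect_url(url: str) -> dict[str, str]:
    """Return a mapping of indicator name to detail for one URL."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # urlsplit rejects some malformed authorities
        return {"unparseable": str(exc)}
    findings = {}
    netloc = unquote(parts.netloc)  # decode so an encoded '@' is seen too
    if "@" in netloc:
        # Browsers connect to what follows the last '@'; the rest is user info.
        userinfo, _, host = netloc.rpartition("@")
        findings["userinfo"] = f"{userinfo} -> {host}"
    if SPACE_RUN.search(url):
        findings["space-padding"] = "run of encoded spaces"
    if any(ch in DOT_LOOKALIKES for ch in netloc):
        findings["lookalike-dot"] = netloc.encode("unicode_escape").decode()
    tail = parts.path
    if parts.query:
        tail += "?" + parts.query
    if parts.fragment:
        tail += "#" + parts.fragment
    match = EMAIL_TAIL.search(unquote(tail))
    if match:
        findings["trailing-email"] = match.group(0)
    return findings


# Constructed sample URLs on reserved example domains.
SAMPLES = [
    "https://www.example.com/docs/My%20File.pdf",
    "https://office365@login.example.test/",
    "https://books.example.test/share%20%20%20%20%20%20%20%20/next#user@example.com",
    "https://secure\u2024example.test/login",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.encode("unicode_escape").decode(), inspect_url(sample))
```
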

You can find out more on the Barracuda blog.


BetaNews, your source for breaking tech news, reviews, and in-depth reporting since 1998.
