Phishing has long been a major attack vector on corporate networks. It’s no surprise, then, that everyone and everything, from e-mail providers to mail gateways and even browsers, use antiphishing filters and malicious address scanners. Therefore, cybercriminals are constantly inventing new, and refining old, circumvention methods. One such method is delayed phishing.
What is delayed phishing?
Delayed phishing is an attempt to lure a victim to a malicious or fake site using a technique known as Post-Delivery Weaponized URL. As the name suggests, the technique essentially replaces online content with a malicious version after the delivery of an e-mail linking to it. In other words, the potential victim receives an e-mail with a link that points either nowhere or to a legitimate resource that may already be compromised but that at that point has no malicious content. As a result, the message sails through any filters. The protection algorithms find the URL in the text, scan the linked site, see nothing dangerous there, and allow the message through.
At some point after delivery (always after the message is delivered, and ideally before it is read), the cybercriminals change the site to which the message links or activate malicious content on a previously harmless page. The ruse could be anything — from an imitated banking site to a browser exploit that attempts to drop malware on the victim’s computer. But in about 80% of cases, it’s a phishing site.
How does it fool antiphishing algorithms?
Cybercriminals use one of three means to get their messages past filters.
- Use of a simple link. In this type of attack, the perpetrators control the target site, which they either created from scratch or hacked and hijacked. Cybercriminals prefer the latter, which tend to have a positive reputation, something security algorithms like. At the time of delivery, the link leads to either a meaningless stub or (more commonly) a page with an error 404 message.
- The short-link switcheroo. Plenty of online tools enable anyone to turn a long URL into a short one. Short links make life easier for users; in effect, a short, easy-to-remember link expands into a large one. In other words, it triggers a simple redirect. With some services, you can change content hidden behind a short link, a loophole attackers exploit. At the time of message delivery, the URL points to a legitimate site, but after a while they change it to a malicious one.
- Including a randomized and short link. Some link-shortening tools allow probabilistic redirection. That is, the link has a 50% chance of leading to google.com and a 50% chance of opening a phishing site. The possibility of landing on a legitimate site apparently can confuse crawlers (programs for automatic information collection).
When do the links become malicious?
Attackers usually operate on the assumption that their victim is a normal worker who sleeps at night. Therefore, delayed phishing messages are sent after midnight (in the victim’s time zone), and become malicious a few hours later, closer to dawn. Looking at the statistics of antiphishing triggers, we see a peak around 7–10 am, when coffee-fueled users click on links that were benign when sent but are now malicious.
Don’t sleep on spear-phishing, either. If cybercriminals find a specific person to attack, they can study their victim’s daily routine and activate the malicious link depending on when that person checks mail.
Ways to protect yourself
In addition to running an antivirus filter to catch any malware you might have downloaded, also enable automatic updates in your browser, apply software patches and operating system updates as they become available, back up your computer regularly, and enable operating system firewalls to protect your computer or laptop.
If you’re concerned about an IT security threat or incident, please contact Datum Consulting to help keep you protected.