CloudSEK spotted a sharp rise in phishing attacks based on reverse tunnel hosting, where threat actors lure people into handing over their sensitive data.
Since the threat actors host the phishing sites on their own systems, taking them down is hard. They are also said to be using URL shorteners to mask their malicious phishing links and to be changing the URLs quickly to avoid being blocked. Here's more about it:
Reverse Tunneling and URL Shorteners
A classic phishing campaign starts with a threat actor registering a look-alike domain of a reputed organization, building malicious pages on it, and sending links to their targets to steal information or for other malicious purposes.
These attacks can often be stopped by reporting the domain to its registrar and ultimately having it taken down, forcing the threat actor to start the whole plan over from scratch. But a technique called reverse tunneling lets them host the sites on their own systems, avoiding the risk of third-party takedowns.
With such reverse tunneling software, threat actors can route all incoming connections to a local server hosted on their own system. Any information that victims enter is sent to and stored directly on the attacker's system!
CloudSEK, a digital risk protection company, observed a rise in reverse tunneling-based phishing campaigns combined with URL shortening services.
Researchers have spotted over 500 sites hosted and distributed this way, with Ngrok, LocalhostRun, and Cloudflare's Argo popularly used for reverse tunneling, and Bit.ly, is.gd, and cutt.ly used for URL shortening.
Researchers noted that threat actors use generic platforms like WhatsApp, Telegram, emails, text messages, or fake social media pages to distribute their phishing pages and request sensitive details like bank account details, login credentials, and contact information.
Further, they can change the domain name every day and recycle page templates to avoid being blocked. Since they are hard to stop, researchers warn the public to be cautious about clicking suspicious links and about ever responding with sensitive data.
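Because the attacker-controlled hostname under a tunnel provider changes daily, blocklisting individual domains does not keep up; triaging on the provider's parent domain does. The following script is an added example written for this article (it is not CloudSEK's code or tooling) that scans constructed proxy log lines and flags any URL whose host sits under a reverse-tunnel provider named in the article (Ngrok, LocalhostRun, Cloudflare's Argo/quick tunnels) or under one of the named URL shorteners. The suffix list is an assumption for illustration: the tunnel suffixes are the providers' publicly known default domains, and the shorteners are the three the article lists; extend both lists for your own environment.

```python
"""Flag proxy-log URLs hosted under reverse-tunnel providers or URL shorteners.

Added example for triage, not a blocklist: tunnel providers have legitimate
developer use, so a hit should raise a review ticket rather than block outright.
"""
import re
from typing import Iterable, List, NamedTuple, Optional
from urllib.parse import urlsplit

# Parent-domain suffixes to match on (assumed/illustrative list).
# Tunnel suffixes: publicly known defaults for the providers named in the article.
TUNNEL_SUFFIXES = {
    "ngrok.io": "ngrok",
    "ngrok-free.app": "ngrok",
    "ngrok.app": "ngrok",
    "localhost.run": "localhost.run",
    "lhr.life": "localhost.run",
    "trycloudflare.com": "cloudflare-tunnel",
}
# Shorteners named in the article.
SHORTENER_HOSTS = {"bit.ly", "is.gd", "cutt.ly"}


class Verdict(NamedTuple):
    url: str
    host: str
    category: str            # "reverse-tunnel", "url-shortener" or "clean"
    provider: Optional[str]  # which provider/shortener matched, if any


def _host_of(url: str) -> str:
    """Extract the lowercase hostname; tolerate scheme-less URLs."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower().rstrip(".")


def _under_suffix(host: str, suffix: str) -> bool:
    """True for the suffix itself or any subdomain of it (not for 'notngrok.io')."""
    return host == suffix or host.endswith("." + suffix)


def classify_url(url: str) -> Verdict:
    """Label a single URL by the hosting provider its hostname falls under."""
    host = _host_of(url)
    for suffix, provider in TUNNEL_SUFFIXES.items():
        if _under_suffix(host, suffix):
            return Verdict(url, host, "reverse-tunnel", provider)
    if host in SHORTENER_HOSTS:
        return Verdict(url, host, "url-shortener", host)
    return Verdict(url, host, "clean", None)


# Any http(s) URL up to whitespace or a quote/angle bracket.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def scan_log(lines: Iterable[str]) -> List[Verdict]:
    """Return a verdict for every non-clean URL found in the log lines, in order."""
    hits: List[Verdict] = []
    for line in lines:
        for raw in URL_RE.findall(line):
            verdict = classify_url(raw.rstrip(".,);"))  # strip trailing punctuation
            if verdict.category != "clean":
                hits.append(verdict)
    return hits


# Constructed sample proxy log lines (not real traffic).
SAMPLE_LOG = [
    "2022-06-01T10:15:02Z user=alice GET https://a1b2c3d4.ngrok.io/login/ 200",
    "2022-06-01T10:15:40Z user=bob GET https://bit.ly/3xmplhash 302",
    "2022-06-01T10:16:05Z user=bob GET https://quiet-river-1234.trycloudflare.com/verify 200",
    "2022-06-01T10:17:11Z user=carol GET https://intranet.example.com/portal 200",
    "2022-06-01T10:18:30Z user=dave GET https://abcd.localhost.run/ 200 referer=https://is.gd/x1y2z3",
]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.category:14} {hit.provider:18} {hit.url}")
```

Matching is done on the parent domain rather than the full hostname, so the daily hostname rotation the article describes does not defeat it, and `_under_suffix` checks for a dot boundary so an unrelated domain that merely ends in the same characters is not flagged. A shortener hit tells you only that a redirect is involved; the usual next step in triage is to resolve it without following the redirect (an HTTP HEAD request and read the Location header) and classify the destination with the same function, which is omitted here so the example runs offline.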