- Barracuda says Tycoon now offers new ways to hide malicious links in emails
- URL encoding, fake CAPTCHAs, subdomain splitting and other techniques were spotted in the wild
- Researchers call for companies to use a multi-layer approach to security
Tycoon, a popular phishing kit responsible for the majority of email-borne attacks these days, has apparently been updated with new techniques to help the threat actors hide malware and malicious links in email messages.
Security researchers at Barracuda released an in-depth report covering several new tactics observed in the wild, including URL encoding, fake CAPTCHAs, the redundant protocol prefix technique, use of the ‘@’ symbol and subdomain split abuse.
With the URL encoding technique, attackers insert a number of invisible spaces into URLs to push the malicious parts of the link out of sight of security scans, or add odd characters such as Unicode symbols.
Multi-layer defense
“By using unexpected and unusual codes and symbols and making the visible URL look less suspicious and more like a normal site, the encoding technique is designed to trick security systems and make it harder for recipients and traditional filters to recognize the threat,” Barracuda explained.
Fake CAPTCHAs, on the other hand, make the site appear more legitimate, while at the same time bypassing basic security checks.
The redundant protocol prefix technique involves crafting a URL that is only partially hyperlinked or that contains invalid elements (for example, two ‘https’ or no ‘//’). This hides the real destination of the link, while the active parts seem legitimate. The ‘@’ symbol can also be used in a URL to hide its malicious part.
Since everything before ‘@’ is treated as ‘user info’ by browsers, attackers can put something that looks trustworthy there, such as ‘Office365’. The actual destination of the link, the malicious page, comes after ‘@’.
The Tycoon kit is also capable of splitting a hostname into benign-looking and malicious parts. It now allows threat actors to create fake sites using names that are apparently linked to well-known companies (for example, ‘Office365scaffidips.azgcvhzauig.es’). This may fool victims into thinking they are dealing with a Microsoft subdomain, but the last part of the address is the actual phishing site.
Phishing is becoming more complex, more sophisticated and thus more difficult to detect. Barracuda says the best defense is a multi-layer approach with different levels of security that can see, inspect and block unusual or unexpected activity.
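As an added illustration (not code from Barracuda's report or from any product), the link tricks described above can be turned into simple checks that a mail filter might run on each URL it extracts. The brand map, the flag names and the sample links are assumptions made for this example, and the last two host labels stand in for a proper Public Suffix List lookup.

```python
import re
import unicodedata
from urllib.parse import unquote, urlsplit

# Assumption: a small brand -> legitimate-domain map; a real deployment maintains its own.
BRANDS = {"office365": {"office365.com", "office.com", "microsoft.com"}}

def url_flags(raw):
    """Return the obfuscation indicators found in one link taken from an email."""
    flags = []
    url = unquote(raw)  # expose percent-encoded characters such as %20 or %E2%80%8B

    # Invisible spaces and odd Unicode symbols hidden inside the link.
    if any(ord(c) > 127 or unicodedata.category(c) in ("Zs", "Cf", "Cc") for c in url):
        flags.append("invisible-or-unicode-chars")
    # Redundant protocol prefix (two 'https') or a prefix with no '//'.
    if re.match(r"https?:/*https?:", url, re.I) or re.match(r"https?:(?!//)", url, re.I):
        flags.append("odd-protocol-prefix")

    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
    except ValueError:  # urlsplit rejects some malformed authorities
        return flags + ["unparseable"]
    # Everything before '@' in the authority is user info, not the destination.
    if "@" in parts.netloc:
        flags.append("userinfo-before-host")
    # Brand name in a left-hand label while the registrable domain is someone else's.
    # Simplification: the last two labels approximate the registrable domain.
    labels = host.split(".")
    registrable = ".".join(labels[-2:])
    for brand, legit in BRANDS.items():
        if brand in ".".join(labels[:-2]) and registrable not in legit:
            flags.append("brand-in-subdomain")
    return flags

# Constructed sample links (reserved .example names), one per technique.
SAMPLES = [
    "https://login.microsoft.com/common/oauth2",
    "https://office365@portal.phish.example/signin",
    "https://https://portal.phish.example/signin",
    "https://portal.phish.example/%E2%80%8B%20%20signin",
    "https://office365support.phish.example/",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", url_flags(s) or "clean")
```

These are heuristics: internationalized domain names and links with encoded spaces in legitimate paths will also trip the first check, so the flags are best used as scoring inputs rather than as a block list.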
They also recommend AI-powered or machine learning solutions paired with regular training in employee awareness.



