New Shopping Phishing Scam Uses URI Fragmentation to Target U.S. and Canadian Users
The Threat Actors Impersonate Well-Known Brands.
A highly efficient phishing kit spreads the most among users from the United States and Canada. The scam targets online shoppers looking for “holiday specials” by impersonating popular brands.
The phishing campaign was first discovered in September 2022 and its kit uses social engineering, and sophisticated evasion detection techniques.
The novelty of this malicious campaign is the use of the URI fragmentation technique to keep non-victims away.
Details about the Phishing Campaign
An intriguing feature on the phishing kit is the implementation of a token-based system that allows each victim to be redirected to a different URL, Akamai security researchers are saying.
The phishing email tricks users into believing that they have the opportunity to win a gift from a well-known brand. The link contained by the phishing message leads to a malicious site through a series of redirections and using URL shorteners so it will not raise any suspicions.
To bypass security software, the hackers abuse legitimate cloud services like Google, AWS, and Azure.
The sites impersonate brands like sporting goods firm Dick’s, high-end luggage maker Tumi, Delta Airlines, Sam’s Club, and Costco, including even fake user testimonials to seem more real.
The kit is geographically targeted, to the point of blocking access outside of the intended target geography. This campaign is targeting North America, which has made up 89% of the victims.
Every victim landing on the fake site is welcomed by a timer that creates the feeling of urgency for completing a brief survey to win the promised gift. The last step is for the naive user to enter his card details to cover the shipping costs of the prize, allowing the threat actors to steal them.
URI Fragmentation Technique
This phishing campaign raises interest also due to a new technique among threat actors: URI fragmentation is used not as an HTML anchor, but as an evasive move.
Threat actors are now using this to evade security products.
In the context of a phishing scam, the value placed after the HTML anchor might be ignored or overlooked when scanned by security products that are verifying whether it is malicious or not. This value will also be missed if viewed by a traffic inspection tool.
Such measures are intended to circumvent security barriers such as crawlers that scan suspicious links but do not use headless browser capabilities.
Tokens can be also used to make phishing campaigns more successful by tracking victims to obtain statistics about engagement. Leveraging these statistics with things that work and things that don’t, hackers could learn how to better target future scams.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, YouTube, and Instagram for more cybersecurity news and topics.