Researchers at PhishLabs recently spotted a trend emerging in malicious websites presented to customers: mobile-focused phishing attacks that attempt to conceal the true domain they were served from by padding the subdomain address with enough hyphens to push the actual source of the page outside the address box on mobile browsers.

"The tactic we're seeing is a tactic for phishing specifically mobile devices," said Crane Hassold, a senior security threat researcher at PhishLabs’ Research, Analysis, and Intelligence Division (RAID).

Hassold called the tactic "URL padding," the front-loading of the Web address of a malicious webpage with the address of a legitimate website. The tactic, he said, is part of a broad credential-stealing campaign that targets sites that use an e-mail address and password for authentication; PhishLabs reports that there has been a 20 percent increase overall in phishing attacks during the first quarter of 2017 over the last three months of 2016. The credentials are likely being used in other attacks based on password reuse.

The phishing attacks that PhishLabs RAID has observed thus far "target primarily Facebook," Hassold said. Apple, Comcast, Craigslist, and OfferUp have also been spoofed by the campaign. The Web addresses used for the phishing pages are hosted on sites using legitimate domain names that have been compromised. The spoofed addresses also show that the attack is focusing on mobile users, Hassold noted, as they use the URL for the mobile versions of the sites they target, such as:

m.facebook.com----------------validate----step1.rickytaylk.com/sign_in[dot]html accounts.craigslist.org-securelogin--------------viewmessage.model104[dot]tv/craig2/ icloud.com--------------------secureaccount-confirm.saldaodovidro[dot]com.br/ offerup.com------------------login-confirm-account.aggly[dot]com/Login%20-%20OfferUp.htm

The technique was first spotted in a few phishing attacks in January, according to Hassold. "It ramped up in March, and has been pretty heavy since."

The pages used to deliver each type of attack found thus far are identical across the various domains used, suggesting that the attacker used some sort of script to leverage known vulnerabilities to gain access to domain name control. "Looking at the hashes of the contents of the sites, they're all identical," Hassold told Ars.





It's not clear what the initial means of drawing victims to the sites is, though it is likely a shortened URL sent via an SMS message. In a blog post being published today by PhishLabs, Hassold wrote:

The trouble with mobile devices is that even people who are normally security conscious treat them differently. As a population we’ve been conditioned to check our phones constantly, and to browse or follow links in a far more lackadaisical manner than we would on a desktop or laptop. As a result, we’re generally paying far less attention to any warning signs that might crop up. In this case, although we haven't yet managed to get our hands on any lures, it’s highly likely that this tactic is being distributed via SMS phishing, rather than email. As a result, the sensible parts of our brain, that have learned over the years that email contains a lot of spam, just aren’t turned on.

Part of the reason for the effectiveness of the attack is that if the site is delivered via an SMS link, it's not possible to check the legitimacy of the site before tapping it. And once the victim reaches the spoofed site, the URL padding obscures the true address of the site long enough for many (if not most) mobile device users to fall for the login request.

Listing image by Lsuff