- Barracuda says that Tycoon now offers new ways to hide malicious links in emails
- URL encoding, fake CAPTCHAs, subdomain splitting and other techniques have been identified in the wild
- Researchers urge companies to use a multilayered security approach
Tycoon, a popular phishing kit responsible for the majority of e-mail attacks these days, has apparently been updated with new techniques that help threat actors hide malicious links in emails.
Barracuda security researchers have published a detailed report covering many new tactics observed in the wild, in particular URL encoding, fake CAPTCHAs, redundant protocol prefixes, use of the ‘@’ symbol and subdomain splitting.
With the URL encoding technique, the attackers inserted a series of invisible spaces into web addresses to push the malicious parts of the link out of sight of security scanners, or added odd characters such as Unicode symbols.
Multi-layer defenses
“By using unexpected and unusual codes and symbols and making the visible web address look less suspicious and more like a normal website, the encoding technique is designed to deceive security systems and make it more difficult for recipients and traditional filters to recognize the threat,” said Barracuda.
Fake CAPTCHAs, on the other hand, make the website look more legitimate while, at the same time, bypassing basic security checks.
The redundant protocol prefix technique involves crafting a URL that is only partially hyperlinked, or that contains invalid elements (for example, two “http” prefixes, or no “//”). This hides the real destination of the link, while making the active parts look legitimate. The “@” symbol can be used in a web address to hide the malicious part of the URL.
Since everything before the “@” is treated as “user information” by browsers, attackers can put something that looks trustworthy there, such as “Office365”. The real destination of the link, the malicious destination page, comes after the “@”.
The Tycoon kit is also capable of a benign/malicious split in subdomains. It now allows threat actors to create fake websites using names apparently linked to well-known companies (for example “Office365scaffidips.azgcvhzauig.es”). This could lead victims to think that they are dealing with a Microsoft subdomain, but the last part of the address is the real phishing site and belongs to the attacker.
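The link tricks described above leave markers that a mail filter can check for before delivery. The following is an added example, not code from Barracuda's report: the brand list, the three-character threshold, the two-label domain rule and the sample URLs are assumptions constructed for illustration, apart from the one hostname quoted in the article.

```python
import re
from urllib.parse import unquote

# Assumption: brand keywords to protect and the domains allowed to carry them.
BRANDS = {"office365": {"office.com", "microsoft.com"},
          "microsoft": {"microsoft.com"}}
SCHEME = re.compile(r"https?:", re.I)
# Whitespace or zero-width characters, three or more in a row (threshold assumed).
INVISIBLE_RUN = re.compile(r"[\s\u200b-\u200f\u2060\ufeff]{3,}")

def url_flags(url: str) -> set:
    """Return obfuscation markers found in one URL taken from a message body."""
    flags = set()
    decoded = unquote(url.strip())
    if INVISIBLE_RUN.search(decoded):
        flags.add("invisible-run")        # padding that pushes the tail out of view
    if any(ord(ch) > 127 for ch in decoded):
        flags.add("non-ascii")            # odd Unicode symbols in the address
    head = decoded.split("?", 1)[0]       # ignore redirect targets in the query
    if len(SCHEME.findall(head)) > 1 or re.match(r"https?:(?!//)", head, re.I):
        flags.add("protocol-prefix")      # doubled scheme or missing "//"
    # Authority = what follows the scheme(s), up to the first "/", "?" or "#".
    rest = re.sub(r"^(?:https?:/*)+", "", decoded, flags=re.I)
    authority = re.split(r"[/?#]", rest, maxsplit=1)[0]
    if "@" in authority:
        flags.add("userinfo")             # text before "@" is not the destination
    host = authority.rsplit("@", 1)[-1].split(":")[0].lower()
    # Assumption: registrable domain = last two labels. Use the Public Suffix
    # List in production (this rule is wrong for suffixes such as co.uk).
    registrable = ".".join(host.split(".")[-2:])
    for brand, allowed in BRANDS.items():
        if brand in host and registrable not in allowed:
            flags.add("brand-on-foreign-domain")
    return flags

# Constructed samples; only the third hostname appears in the article.
SAMPLES = [
    "https://office365@login.example.net/session",
    "https:https://portal.example.net/a",
    "https://Office365scaffidips.azgcvhzauig.es/",
    "https://example.net/docs%20%20%20%20%20/auth",
    "https://www.microsoft.com/en-us/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sorted(url_flags(sample)) or ["clean"], sample)
```

Each flag is a scoring signal, not a verdict: legitimate internationalized domains will raise `non-ascii`, so the flags are best combined with sender reputation and landing-page inspection.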
Phishing is becoming more complex, more sophisticated and therefore more difficult to detect by the minute. Barracuda says that the best defense is a multilayered approach with different levels of security that can identify, inspect and block unusual or unexpected activity.
They also recommend AI or machine learning solutions, combined with regular employee awareness training.