In this post, I will show you how URL spoofing makes benign applications deadly.
Checking URLs behind clickable links is usually your first and simplest line of defense against phishing attempts. Cybercriminals take great pains to make phishing emails and the phishing sites they link to letter-perfect duplicates of the sites they imitate. When you check their URLs, however, instead of displaying, for instance, the legitimate “Microsoft.com,” they display something like “mcrosoft,” “micr0soft,” “microsoftnet,” or other similar variations. This is an instant giveaway and should automatically dissuade you from making that fatal click.
What if that clue wasn’t there? What if the URL of a phishing site were identical to the URL of the site it was imitating? No amount of attentiveness on the user’s part would keep them safe from such phishing attempts.
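The lookalike-domain check described above can be automated. The following is an added example, not code from the original post or from Ericom: a small Python classifier that compares the hostname of a URL against a constructed list of protected brands and their real domains, flagging the kinds of variations the post names (digit-for-letter substitutions such as “micr0soft”, dropped letters such as “mcrosoft”, and brand names embedded in a longer label such as “microsoftnet”). The brand table, the homoglyph map and the sample URLs are all constructed for illustration; a production deployment would use a public-suffix list rather than the naive “second label from the right” rule used here.

```python
"""Flag lookalike (typosquat / homoglyph) domains against a brand list.

Added example (not part of the original post). PROTECTED, HOMOGLYPHS and
the sample URLs are constructed for illustration.
"""
from urllib.parse import urlparse

# Brand keyword -> the brand's genuine registered domain (constructed).
PROTECTED = {"microsoft": "microsoft.com", "paypal": "paypal.com", "zoom": "zoom.us"}

# Character substitutions commonly used to imitate a brand name (constructed,
# deliberately small; "rn" -> "m" and "vv" -> "w" catch two-letter lookalikes).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def hostname(url: str) -> str:
    """Return the lower-cased hostname of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def normalize(label: str) -> str:
    """Undo the homoglyph substitutions so 'micr0soft' compares as 'microsoft'."""
    s = label.lower()
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return s


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; a distance of 1 catches dropped/swapped letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Classify a URL's hostname relative to the protected brands.

    Returns one of: legitimate, wrong-suffix, homoglyph, brand-embedded,
    near-miss, brand-in-subdomain, unrelated.
    """
    host = hostname(url)
    labels = host.split(".")
    # Naive registrable label: second from the right (assumption; real code
    # would consult the public-suffix list to handle e.g. co.uk correctly).
    label = labels[-2] if len(labels) >= 2 else host
    norm = normalize(label)

    # Exact domain or a genuine subdomain of it (e.g. www.microsoft.com).
    for legit in PROTECTED.values():
        if host == legit or host.endswith("." + legit):
            return "legitimate"

    for brand in PROTECTED:
        if label == brand:
            return "wrong-suffix"        # microsoft.example
        if norm == brand:
            return "homoglyph"           # micr0soft.com
        if brand in norm:
            return "brand-embedded"      # microsoftnet.com
        if levenshtein(norm, brand) <= 1:
            return "near-miss"           # mcrosoft.com

    # Brand name used only as a subdomain of an unrelated registrable domain.
    for brand in PROTECTED:
        if any(brand in normalize(l) for l in labels[:-2]):
            return "brand-in-subdomain"  # microsoft.com.secure-login.example
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links, as they might appear in an e-mail.
    samples = [
        "https://www.microsoft.com/login",
        "http://micr0soft.com/reset",
        "https://mcrosoft.com",
        "https://microsoftnet.com",
        "https://microsoft.com.secure-login.example/",
        "https://paypa1.com",
        "https://ericom.zoom.us/j/1234",
        "https://example.org",
    ]
    for s in samples:
        print(f"{classify(s):20} {s}")
```

Note what this check cannot do: a vanity subdomain such as ericom.zoom.us is classified as legitimate because it really is served by Zoom, which is exactly why the Zoom vanity URL issue discussed later in the post is not something a hostname filter alone can catch.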
Although the DNS system normally prevents URL spoofing, attackers can find ways around this restriction by exploiting vulnerabilities in rendering tools—browsers, email applications, conferencing software, and more. Although these vulnerabilities aren’t common, they’re appearing increasingly often—and attackers are extremely tenacious.
Dr. Safety Android Privacy Browser Contains URL Spoofing Weakness
Even security tools sometimes contain weaknesses. This was the case for Trend Micro—one of the larger consumer-facing security companies—and its Android security suite. Security researchers discovered an exploitable URL spoofing vulnerability in the suite’s Privacy Browser, an internet browser supposedly designed to keep users safe by hiding their search history, deleting cookies, minimizing trackers, and applying other digital hygiene features.
Attackers could make their phishing pages display a false URL simply by adding a snippet of JavaScript to the page, a very low-effort attack. What’s more, since 10 million users had downloaded the security suite, any such phishing campaign would be able to reach many people.
Although Trend Micro responded by pulling the Privacy Browser entirely, their troubles likely aren’t over. This most recent incident was in fact a continuation of a related URL spoofing vulnerability found in the same browser back in 2018. In other words, there’s a very good chance that other security products from the same company could be found to have similar problems.
Zoom Vulnerability Lets Attackers Spoof Meetings
URL spoofing can be used to enable malicious replicas beyond phishing sites as well. For example, a vulnerability in the popular video conferencing app Zoom could potentially let attackers create fake meetings, impersonate employees of legitimate companies, and gain information via social engineering.
This all stems from the application’s “Vanity URL” feature. If you want to make your meetings look more official, you can add your company name to the URL on a Zoom meeting invite—for example, ericom.zoom.us.
Unfortunately, there’s nothing that prevents anyone from abusing this feature. Anyone could create meeting links that purport to come from yourcompany.zoom.us, pose as an employee, and then conduct fraud and corporate espionage.
Even though Zoom has since fixed this bug, it is simply the latest in a series of security incidents and vulnerabilities related to the app. Once again, we’re not confident that attackers won’t simply find another Zoom workaround allowing them to impersonate legitimate organizations.
Firefox URL Spoofing Remains Two Years After Discovery
With about 250 million active users, Firefox has a vast user base. With such a large installed footprint, it’s important to keep bugs from propagating through the browser, as a single vulnerability could affect millions of people. Even so, Mozilla (the Firefox parent company) has let a nasty URL spoofing vulnerability linger in its browser for at least two years.
The bug works like this: first, you navigate to a phishing page. Next, you click somewhere on the page, notionally a link, an image, or a dialog box, but anywhere on the web page will do. You are now anchored to the site. No matter what you type into the URL bar, you’ll remain on the phished site.
You can see how this would work in real life. Let’s say that you accidentally navigate to a phishing page, realize that something looks suspicious, and then navigate to the real version of that page instead so you can change your password. Unfortunately, the “real” version of that page is still the phishing site, only it has the correct URL that you’ve just typed in. Thus reassured, you go on to give up your login credentials.
How Do You Protect Against URL Spoofing?
Using traditional methods, there are few ways for average frontline users—especially those working remotely—to detect that a URL has been spoofed. Certain security tools can detect whether the address bar is being spoofed, but there’s no way to guarantee that home users will use and configure those tools correctly. Even if these tools are configured correctly, an alarming 90 percent of users will ignore or click through security warnings.
Your best bet is to adopt security safeguards that operate in the background, preventing security from getting in the way of the workflow while ensuring that protection is airtight. For example, you can invest in Zero Trust tools like Remote Browser Isolation (RBI), which renders websites in a virtual browser located in a secure cloud-based container, and streams only safe, interactive rendering information to the user’s browser. This prevents phishing sites from dropping malware on the endpoint. Some RBI solutions include additional tools that open suspected phishing sites in a “view only” mode, making it impossible for users to reveal their credentials.
Although address bar spoofing may be gaining momentum as a technique for attackers to level up their phishing campaigns, Zero Trust browsing has the potential to stop potential damage from the tactic in its tracks. After all, the most effective way to protect users against phishing is to prevent them from reaching phishing sites or, failing that, from interacting with suspicious sites altogether.
Note: This is a guest post by Mendy Newman.
Author Bio
Mendy Newman is the Head of Solution Management at Ericom Software for all its products. Mendy has over two decades of experience in architecting, delivering and implementing cybersecurity and software solutions to customers worldwide.