Obfuscating phishy and “shady” URLs, as Warner called them in his Blog post, is nothing new. We’ve been witnessing various mutated techniques from spammers attempting to obfuscate their real intentions behind their shared URL’s in an attempt to increase the probability of successful phishing victimization and to evade detection from spam filters.
In my previous post “Increased Phishing Threats with Obfuscation” I’ve shared one of the techniques used by spammers to avoid detection and achieve their malicious intents, and that was by taking advantage of AES encryption to obfuscate their shady and phishy web pages. Another technique which is shared by Warner, relies on taking advantage of Google’s Ads URL redirection to first obfuscate their phishy URLs and second to take advantage of trust that some people can put in URL’s starting with the Google identifier.
So basically what happens is that spammers will mask the real location (domain) of the phishy advertisement page by advertising its link on Google, which will result in a Google referral link where it starts by Google’s domain and additional parameters holding the actual domain to redirect to encoded in ASCII formation and additional parameter for tracking purposes.
An example URL as shared by Warner can start as follows: https://www.google.com/url?q=
As you can see the URL starts by stating the HTTPS communication protocol and Google’s domain name which might lead to some sort of trusting feeling, then comes the obfuscated part after the “q=” a query string holding the actual location to redirect to yet encoded in ASCII as it is depicted in the following example:
After decoding the above, the resulting URL is “http://absent.xvis.ru/” a Russian hosted domain name advertising “A Canadian Health & Care Mall illegal pills site.” that’s interesting mmm.
This is one of thousands examples and similar obfuscation technique which is increasing the risk of being victims of phishy links, therefore it is important to understand and be careful on what we are clicking on even from trusted sources. Having a suspicious mindset and discarding that urge for clicking links can help us avoid becoming victims of phishy attempts as this one.