Cofense has seen an increase in the abuse of URL encoding performed by Secure Email Gateways (SEGs). A gateway typically trusts, without further checks, links that another SEG has already processed, so potentially dangerous emails reach their recipients.
SEGs encode or rewrite the URLs embedded in messages at the gateway level so that the links can be scanned before the recipient clicks through. Unfortunately, not all SEGs perform the check when a link arrives already encoded, or the check sees only the domain of the peer SEG that performed the conversion.
Experienced spammers discovered this way of bypassing protection long ago but rarely use it: for a campaign to succeed, every URL created for it has to be encoded, and it is easier to get hold of another 1,000 email addresses for sending out mailings.
However, according to Cofense, the number of attempts to pit SEGs against each other increased significantly in the past quarter, especially in May. The attackers usually encoded their links using the following tools:
- VIPRE Email Security,
- Bitdefender LinkScan,
- Hornet Security Advanced Threat Protection URL Rewriting,
- Barracuda Email Gateway Defense Link Protection.
The subjects of the fake emails varied, but most often the recipient was asked to sign a document (partnership proposal, contract terms, compensation report, HR timesheet, etc.) or was notified of a quarantined message. To make the fakes more credible, the spammers used the Microsoft and DocuSign names.
Stopping such abuse is not easy, experts say: most SEGs have no option to ignore encoding applied by similar protection products. Only education and training can help corporate users.
Source
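A defender-side check for the situation described above, as an added example that is not part of the original post or of Cofense's report: it flags links in an inbound message that were already wrapped by a SEG other than the receiving organization's own, and recovers the destination when the wrapper carries it in a query parameter. The hostnames and the wrapper URL layout are constructed placeholders, not the real rewriting domains of any product named above.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Assumption: constructed placeholder hosts; fill in the rewriting hosts you track.
KNOWN_REWRITERS = {"rewrite.seg-a.example", "scan.seg-b.example", "links.our-seg.example"}
OWN_REWRITERS = {"links.our-seg.example"}  # our own gateway's wrapper is expected

# Constructed sample message (not taken from a real campaign).
SAMPLE = """From: sender@example.org
To: user@example.com
Subject: Please sign the attached contract
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<p><a href="https://rewrite.seg-a.example/v1?url=https%3A%2F%2Fdocs.example.net%2Fsign">Review</a>
<a href="https://links.our-seg.example/x?u=https%3A%2F%2Fintranet.example.com">Intranet</a>
<a href="https://scan.seg-b.example/t/9f3k2">Quarantined message</a></p>
"""

class _Hrefs(HTMLParser):
    """Collect the href of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def embedded_target(url):
    """Return a destination URL carried in a query parameter, or None if opaque."""
    for _, value in parse_qsl(urlsplit(url).query):
        if urlsplit(value).scheme in ("http", "https"):
            return value
    return None

def pre_encoded_links(raw_message):
    """List links already wrapped by a SEG rewriter that is not our own."""
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        parser = _Hrefs()
        parser.feed(body)
        for href in parser.hrefs:
            host = (urlsplit(href).hostname or "").lower()
            if host in KNOWN_REWRITERS and host not in OWN_REWRITERS:
                findings.append({"link": href, "rewriter": host, "target": embedded_target(href)})
    return findings
```

A finding whose `target` is `None` is the case the article warns about: only the rewriter's domain is visible, so the message should be scored on the wrapper's presence alone or the link resolved in a sandbox before delivery.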
