How Cybercriminals Create Malicious Hyperlinks That Bypass Security Software

Hackers use a technique known as Quoted-printable to trick security defenses into thinking a malicious link is legitimate, Avanan says.

Image: Andriy Onufriyenko/Getty Images

Finding ways to circumvent cybersecurity defenses is always the top priority for cybercriminals. The easier they can thwart your security tools, the greater the chance that their attacks will succeed. A report released Thursday by email security provider Avanan reveals how a coding practice called Quoted-printable is used in phishing emails to present malicious links as legitimate.

TO SEE: Mobile Device Security Policy (TechRepublic Premium)

Hackers who create phishing emails often turn to certain deceptive coding techniques. For example, they can encode a letter not using the actual letter but using its ASCII code, such as using A to represent the letter a. Your email program does not reveal the ASCII character but rather converts the code to its actual letter.

Along the same lines, attackers take advantage of an encryption system called quote-printable. In this technique, 8-bit text, such as foreign characters, is transformed into 7-bit text, readable in the mail program. Starting in February, Avanan discovered that attackers were using Quoted-printable to disguise malicious links as legitimate text, thereby fooling security scanners.

Image: Avanan. This phishing email attempts to trick security tools into believing that the malicious link is legitimate.

Specifically, hackers append an equals sign to the end of the malicious link URL. But rather than typing the equals sign as =, they encode the phrase “=3D”, which is an obscure method of writing the sign using Quoted-printable. Your email reader can understand and interpret the Quoted-printable code, but cybercriminals are betting that your security product won’t be able to detect the malicious link.

In the phishing campaign analyzed by Avanan, scammers send emails impersonating Microsoft, informing the recipient that their password has expired. A button called Remember your password contains the malicious link, which is written as Clicking this button takes the user to a phishing page where they are prompted to enter their Microsoft or work account credentials, which are then collected by the criminals behind the attack.

To protect you and your organization from phishing emails using Quoted-printable and other deceptive tactics, Avanan offers the following guidance:

  • Detecting these types of phishing emails with traditional security tools can be a challenge. That’s why it’s important that you implement a layered security posture that combines artificial intelligence and machine learning with defenses like IP/domain and sender reputation.
  • Set up a security environment that uses multiple factors to determine whether to block an email.
  • Train your users on how to analyze suspicious and potentially malicious emails for subtle deviations. In the email cited in Avanan’s report, the dates did not match between the subject line and the body, and the sender address did not match.

Comments are closed.