URL tracking systems being abused for phishing and other attacks

In the final NCSAM article this year (yes, I haven’t posted that many this year), we’re going to talk about how URL tracking systems are abused.

First of all, the Jared Rimer Network does not use these systems at all. Such systems may include podcast tracker services, Google AdWords or Google AdSense. I’ve never used them as I can provide my own links, and even though Sendspace gives me a download count on files, I don’t know where it is downloaded and I don’t really want to know.

Widely-used URL tracking systems are often abused in phishing attacks. The domains used by these systems are commonly known and trusted, making them attractive carriers for phishing URLs. To illustrate how it works, this post breaks down a recently-observed phishing attack that uses Google Ads’ tracking system to evade email filters.

Even URL shorteners like is.gd and others I haven’t used through the years either. One service I talked about in podcast 318 was a site still operating called cutt.us. I do like them because you can check the URL and see where it really goes and get stats. The shortener bit.ly does the same thing, and I’m sure many others do too with an account.

I’ve always believed in showing my visitors exactly where they are going. If it’s shortened, it’s shortened by services like Twitter through their shortener, which is checked for bad URLs, and they disable those URL sites and do not leave it up to others. Even Facebook shortens links at times, but it’s mainly used for Twitter, where the messages needed to be much shorter.

URL tracking systems use parameters to pass through various pieces of information for managing advertising campaigns. One of these parameters is typically the final URL that the ad service should redirect users to after they have clicked on the tracking link. For Google Ads, this is the adurl parameter.
 
By replacing adurl value with a phishing link, threat actors can easily subvert a legitimate Google Ads tracking URL and use it in attacks.  
 
To demonstrate this, we took a Google Ad tracking URL, and modified the adurl value to our website:
 
https://www.googleadservices.com/pagead/aclk?sa=L&ai=DChcSEwix8fPEw8HsAhXJ1LMKHS3IBFgYABAAGgJxbg&ohost=www.google.com&cid=CAESQeD2E1PzeiYJL3kjMA7Vmwqi98UE1LwYa5uGbheW5-FZpiwJMd9XorTktglOxa-f73TqcJcrZw-kbaczp_2IgMq_&sig=AOD64_3G4pFo2cwWIkGHy8GMVFYvhaOr1Q&q&adurl&ved=2ahUKEwiyxOrEw8HsAhXzlHIEHRwMBoQQ0Qx6BAgoEAE&adurl=https://phishlabs.com/
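
As an added example (not from the PhishLabs article and not code this site runs), here is one way a mail filter could look past the trusted tracking host and judge the link by its adurl destination instead. The expected-destination list, the example-shop.test domain and the shortened sample link are constructed for illustration; only the host and the adurl parameter come from the article.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumption: tracking hosts mapped to the query parameter that carries the
# final destination. Only the Google Ads entry is taken from the article.
REDIRECT_PARAMS = {"www.googleadservices.com": ("adurl",)}

# Constructed sample: destinations this filter already expects to see.
EXPECTED_DESTINATIONS = {"example-shop.test"}

# Constructed link with the same shape as the article's sample: adurl appears
# twice, once empty and once carrying the real destination.
SAMPLE = ("https://www.googleadservices.com/pagead/aclk?sa=L&q&adurl"
          "&ved=CONSTRUCTED&adurl=https://phishlabs.com/")


def redirect_targets(url):
    """Return every non-empty destination carried by a known tracking link."""
    parts = urlsplit(url)
    params = REDIRECT_PARAMS.get((parts.hostname or "").lower())
    if not params:
        return []
    # parse_qsl keeps duplicate keys and percent-decodes values, so both the
    # empty adurl and the populated one are seen; empty values are skipped.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return [v for k, v in pairs if k.lower() in params and v]


def classify(url):
    """Judge a link by where it lands, not by the trusted tracking host."""
    targets = redirect_targets(url)
    if not targets:
        return ("no-redirect", [])
    hosts = [(urlsplit(t).hostname or "").lower() for t in targets]
    unexpected = [h for h in hosts if h not in EXPECTED_DESTINATIONS]
    return ("review" if unexpected else "expected", hosts)


if __name__ == "__main__":
    print(classify(SAMPLE))
```
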

While the URL given was a sample and leads to Phishlabs, this method can’t be trusted anymore and for one, I won’t ever use it. I understand these services pay pennies to the click anyway, so I never was on board with using such a service to make money.

There are several services that are abused besides Google, and one of them is Verizon Wireless’s site. The actors go where this is set up and abuse something that can be used for good.

Phishlabs has more on this, but I want to talk about the fact that I don’t use them, and if I do, it’ll be on request by the sender or if the URL is so long it just breaks. That’s why I build my sites with not so long URLs. It is going to be a better trip for me in the long run as long URLs would be flagged if people uploaded such things to my pages.

Want to learn more about this? “How URL Tracking Systems are Abused for Phishing” is the article, and it is written by Sean Bell. I hope you enjoy reading this article and my thoughts on this topic.
