A post on ISS's Frequency X blog stated that "analysts have been observing host names within fraudulent phishing URLs consistently arrive with lengths of between 30 and 37 characters"; observers "have noted a significant change" as phishing host names have shrunk down to an average of only 17 characters in recent weeks.
Ralf Iffert, researcher for ISS's X-Force threat analysis team and author of the Frequency X blog, believes this is another step in the increasingly sophisticated social-engineering measures adopted by cybercriminals.
Phishers "appear to have adopted shorter URLs to avoid the suspicion of their potential victims," he said.
Steve Reddock, senior IT specialist for ISS, believes that this is a developing trend. "This is a pattern we've noticed over several months; it's not just a blip."
Reddock said phishers often experiment with new techniques, but only for very short periods of time. However, in this case, the tactic of using shortened URLs as a means of deception has been around long enough to be considered a best practice for cybercriminals.
Paul Ducklin, head of technology for the Asia-Pacific region at security firm Sophos, said users and security firms alike should be wary of making assumptions based on the character length of a URL, be it long or short.
"We need to be careful about security metrics, which might lead users to assume a reliable correlation between the size of an Internet object and its danger...In any case, your e-mail client may disguise the real URL with a link that looks completely different--not just a different length--from what it really is," he said.
ISS' Reddock claims that as users have become more aware of dangerous links, revenues have declined for phishers, thus prompting the need for new approaches.
"The fact that they felt the need to make this move suggests that they were seeing diminishing returns," Reddock said.
Sophos' Paul Ducklin remains skeptical as to whether this new tactic will make a difference--or whether it is something phishers will continue using.
"Size, as they say, generally doesn't matter," Ducklin added.
Example : paypal.com could become paypaI.com or paypa1.com, secure-paypal.com, ssl-paypal.com, etc ... (those are already reserved, only one by ebay, the legitimate owner) Those kind of addresses are then redirected to the compromised server (regular or with frame).
given the size of the problem for various financial institutions, I wonder why there is no central blacklist that could be used for URI checks in antispam softwares such as spamassassin.
Tommy Jordan, the man who shot his daughter's laptop for YouTube, gets a visit from police and child protection services. Oh, and Good Morning America.
Game on: European Union grants unconditional approval for $12.5 billion deal, but says it will keep an eye on Google. The company says it aims to "supercharge" Android with the acquisition.
The Samsung Galaxy Mini 2 S6500 could make its debut at the Mobile World Congress in Barcelona later this month, according to a leaked promotional image.
The Washington State Senate passed a bill that would charge electric car owners $100 per year to compensate for not paying gas taxes. The bill still has to pass the House.
Or, is there a "phisher central" web site out there where phishers hold a vote to agree on URL lengths? :-)
Example : paypal.com could become paypaI.com or paypa1.com, secure-paypal.com, ssl-paypal.com, etc ... (those are already reserved, only one by ebay, the legitimate owner)
Those kind of addresses are then redirected to the compromised server (regular or with frame).
given the size of the problem for various financial institutions, I wonder why there is no central blacklist that could be used for URI checks in antispam softwares such as spamassassin.