Hackers are using a technique known as Quoted-printable to trick security defenses into thinking a malicious link is legitimate, says Avanan.
Finding ways to sneak past cybersecurity defenses is always uppermost on the minds of cybercriminals. The more easily they can thwart your security tools, the greater the chances that their attacks will be successful. A report released Thursday by email security provider Avanan reveals how a coding practice called Quoted-printable is being used in phishing emails to present malicious links as legitimate.
Hackers who create phishing emails often turn to deceptive coding techniques. As one example, they may encode a letter not by typing the actual letter but by using its ASCII code, such as using &#65; to represent the letter A. Your email program doesn’t display the ASCII code but rather converts it into the actual letter.
In the same vein, attackers are taking advantage of an encoding system called Quoted-printable. In this technique, 8-bit text such as foreign characters is turned into 7-bit text, which is readable in the email program. Starting in February, Avanan found that the attackers are using Quoted-printable to disguise malicious links as legitimate text, thereby fooling security scanners.
Specifically, the hackers add an equals sign to the end of the URL for the malicious link. But rather than type the equals sign as =, they write it as “=3D,” which is an obscure way of writing the sign using Quoted-printable (3D is the hexadecimal ASCII code for =). Your email reader can understand and interpret the Quoted-printable code, but the cybercriminals are betting that your security product won’t be able to detect the malicious link.
In the phishing campaign analyzed by Avanan, the scammers send emails impersonating Microsoft, telling the recipient that their password has expired. A button called Keep Your Password contains the malicious link, which is written as:
<a href=3D" http://xx.xx.xx.org.za/microupdate?=3Dvic.firstname.lastname@example.org" style=3D"c=
Clicking on that button takes the user to a phishing page where they’re prompted to enter their Microsoft or business account credentials, which are then harvested by the criminals behind the attack.
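The gap described above, seen from the scanner's side, as an added example that is not from Avanan's report: the same link pattern finds nothing in the raw message but finds the URL once each text part's Quoted-printable encoding is decoded first. The message, addresses and domain names are constructed placeholders, and the function names are hypothetical.

```python
import email
import re
from email import policy

# Constructed sample message (not from the report). The href is written with
# =3D and a soft line break ("=" at end of line), both valid Quoted-printable.
RAW = (
    "From: Support <support@sender.invalid>\n"
    "Subject: Password expired\n"
    "MIME-Version: 1.0\n"
    'Content-Type: text/html; charset="utf-8"\n'
    "Content-Transfer-Encoding: quoted-printable\n"
    "\n"
    '<a href=3D"http://phish.example.invalid/microupdate?=3Duser@example.=\n'
    'com" style=3D"color:#fff">Keep Your Password</a>\n'
)

# The same simple link pattern is used on both inputs, so the only
# difference between the two results is whether decoding happened first.
HREF = re.compile(r'href\s*=\s*"([^"]+)"', re.IGNORECASE)


def links_without_decoding(raw: str) -> list[str]:
    """What a scanner sees if it pattern-matches the raw message text."""
    return HREF.findall(raw)


def links_after_decoding(raw: str) -> list[str]:
    """Decode each text part's transfer encoding first, as a mail client does."""
    msg = email.message_from_string(raw, policy=policy.default)
    links = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            # get_content() undoes Quoted-printable (=3D -> "=", soft breaks
            # joined) and the charset before returning a str.
            links.extend(HREF.findall(part.get_content()))
    return links


if __name__ == "__main__":
    print("raw scan:    ", links_without_decoding(RAW))
    print("decoded scan:", links_after_decoding(RAW))
```
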
To help protect yourself and your organization from phishing emails using Quoted-printable and other deceptive tactics, Avanan offers the following tips:
- Detecting these types of phishing emails with traditional security tools can be a challenge. That’s why it’s important that you implement a multi-tiered security posture that combines artificial intelligence and machine learning with such defenses as IP/domain and sender reputation.
- Set up a security environment that uses more than one factor to determine whether to block an email.
- Train your users on how to analyze suspicious and potentially malicious emails for subtle discrepancies. In the email cited in Avanan’s report, the dates were mismatched between the subject line and the body, and the sender address didn’t match.