Reverse tunneling, URL shortening leveraged in more phishing campaigns

More widespread phishing campaigns have been leveraging reverse tunnel services and URL shorteners, prompting even more challenges in curbing phishing attacks, BleepingComputer reports. CloudSEK discovered that over 500 websites are being hosted and distributed using a combination of reverse tunneling and URL shortening, with Ngrok, LocalhostRun, and Argo by Cloudflare being the most commonly exploited reverse tunnel services, while Bit.ly, is.gd, and cutt.ly were the most prevalent URL shorteners. Threat actors could leverage reverse tunnel services to protect their phishing site by redirecting all connections to a local server, with their victims' sensitive data directly stored on their computers. Meanwhile, URL shorteners enable the concealment of suspicious URLs, which are commonly distributed through Telegram, WhatsApp, phony social media pages, texts, and emails, according to the report. Researchers were able to identify a phishing site impersonating the State Bank of India's digital banking platform YONO, which had the "cutt[.]ly/UdbpGhs" URL and leveraged the Argo tunneling service. "Even if a URL is reported or blocked, threat actors can easily host another page, using the same template," said CloudSEK.