Percentage-based URL encoding is another technique phishers have adopted to evade detection by secure email gateways.
Fremont, CA: Today's phishers are using basic percentage-based URL encoding to avoid detection, relying on Google's ability to decode the encoded URL data. In mid-September, the Cofense Phishing Defense Center identified a phishing email that originated from a compromised email account of a well-known American brand. The message announced a new invoice and instructed recipients to click the embedded "View Invoice" hyperlink button. The real destination of the hyperlink is hidden from the untrained eye and from any perimeter security device.
At a glance, the domain of the hyperlink appears to be google.lv, the landing page for Google Latvia, so at first it raises no alarm with many perimeter security tools. On closer inspection, the hyperlink uses Google to redirect the recipient to a secondary, malicious URL. The first part of the URL is "hxxps://google.lv/url?q=", which instructs the browser to use Google to query a particular URL or string. The second part is the payload, a string encoded with basic URL encoding, in which each ASCII character is replaced by "%" followed by two hexadecimal digits. This is sometimes referred to as percent-encoding.
Most browsers automatically recognize URLs that contain hexadecimal character representations and decode them into ASCII without any involvement from the user. So when users click the hyperlink in the email, their browsers send them to Google to query the encoded string. Google, in turn, recognizes the string as a URL and redirects the user to the final destination, which is a phishing page. The page is designed to steal the users' Office 365 credentials, a common target among phishing threat actors. The technique is simple, yet it is enough to fool basic URL and domain checks by perimeter devices, which threat actors rely on to ensure delivery of the malicious payload.
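One way a gateway rule or analyst script can look past the google.lv front, as an added example that is not from Cofense or the original article: it percent-decodes the `q` parameter of a Google `/url` link and reports the real destination host. The host pattern, function names and sample link (pointing at the reserved example.test domain) are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: hosts treated as a Google redirector; tune for your environment.
GOOGLE_HOST = re.compile(r"^(www\.)?google\.[a-z.]{2,6}$")
# RFC 3986 unreserved characters never need escaping, so %XX forms of them
# in a link point to deliberate obfuscation rather than normal encoding.
UNRESERVED = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~")

def raw_param(query, name):
    """Return the still-encoded value of a query parameter, or None."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return None

def needless_escapes(raw):
    """Count %XX escapes that encode unreserved characters."""
    hexes = re.findall(r"%([0-9A-Fa-f]{2})", raw)
    return sum(1 for h in hexes if int(h, 16) in UNRESERVED)

def full_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double encoding does not hide the target."""
    for _ in range(max_rounds):
        if (decoded := unquote(value)) == value:
            break
        value = decoded
    return value

def inspect_link(url):
    """Report what a link really points to, not just its visible host."""
    # Accept defanged input (hxxps://) as it appears in reports.
    parts = urlsplit(re.sub(r"^hxxp", "http", url.strip(), flags=re.I))
    host = (parts.hostname or "").lower()
    if not (GOOGLE_HOST.match(host) and parts.path == "/url"):
        return {"redirector": False, "visible_host": host}
    raw = raw_param(parts.query, "q") or ""
    target = full_decode(raw)
    return {"redirector": True, "visible_host": host, "target": target,
            "target_host": urlsplit(target).hostname,
            "needless_escapes": needless_escapes(raw)}

# Constructed sample: every character of the target is percent-encoded,
# matching the style of link described in the article.
SAMPLE_TARGET = "https://login.example.test/o365"
SAMPLE_LINK = "hxxps://google.lv/url?q=" + "".join(f"%{b:02X}" for b in SAMPLE_TARGET.encode())

if __name__ == "__main__":
    print(inspect_link(SAMPLE_LINK))
```

Domain reputation and allow-list checks should run against `target_host`, and a non-zero `needless_escapes` count is a useful signal on its own.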
As this trend grows, all organizations should educate their entire workforce about the risks of phishing, using simulation-based training to counter basic kinds of phishing attacks.