Cybercriminals Use Mix of Reverse Tunneling and URL Shortening to Launch Large-scale Phishing Campaigns

A new type of phishing technique called ‘reverse tunneling’ is keeping cyber security experts on tenterhooks. Reverse tunneling allows attackers to bypass the usual ‘impediments’ that thwart phishing attacks.

As the name suggests, a ‘reverse tunnel’ does the opposite of what a normal tunnel connection (typically a VPN) does: while the latter allows a user to connect out to a server privately and securely, the former routes incoming traffic from the internet to a local computer, or a network of local computers, through an online tunneling service.

A legitimate reverse tunneling account allows you to turn your own computer into a server, i.e. it lets you serve content to the world without a public IP address or hosting provider.

Reverse tunneling has many legitimate uses: for example, it allows users to access their home computers and devices remotely, or to test online apps or websites before deployment. Unfortunately, it also gives cybercriminals an easy way to run insidious phishing campaigns without being traced, because they no longer need an online hosting service where malicious content can be identified and removed.

Phishing emails often include links to online places faking real companies and tricking users into sharing credentials and other sensitive data.

The links may be typosquatted or may have been shortened using a URL shortener service such as Bit.ly, so the actual URL is hidden from view and you don’t know where you are going until you arrive.

This line of attack is relatively easy to stop. If the fake site linked to a phishing campaign is reported by a user, hosting platforms and search engines will examine the link and, if they find it to be suspicious, they will take the website down.

Reverse tunneling, however, sidesteps this defence because it practically eliminates the need for a website hosting service. Since the phishing pages are hosted by the threat actors on their own local machines, if a URL is identified as malicious the content is quickly and easily redeployed at a different URL without leaving a trace. There is no need to sign up for website hosting or register domain names.

Security researchers have reported that reverse tunneling is being used to run large-scale phishing operations on a daily basis. By simply rotating the reverse tunnel accounts and the shortened URLs that point at them, attackers are able to launch fresh phishing campaigns without being identified or tracked.
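The combination described above, a shortened link that ultimately lands on a tunnel service hostname, is something a mail or proxy log can be screened for. The following is an added example (not code from the original article): it flags URLs whose host is a URL shortener or a reverse-tunnel provider, including lures that hide the real host behind a `user@` prefix. The domain lists are an assumed starter set (Bit.ly is the only shortener the article itself names) and the log lines are constructed.

```python
import re
from urllib.parse import urlparse

# Assumed starter lists; tune to your environment. Not authoritative or complete.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co"}
TUNNEL_DOMAINS = {"ngrok.io", "ngrok-free.app", "trycloudflare.com", "loca.lt", "serveo.net"}

URL_RE = re.compile(r"https?://[^\s<>'\"]+")


def _host_matches(host, domains):
    """True when host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_url(url):
    """Return 'tunnel', 'shortener' or None for one URL.

    urlparse().hostname drops userinfo, port and case, so a lure such as
    http://bit.ly@<tunnel-host>/ is judged on the real host after the '@'.
    """
    host = urlparse(url).hostname
    if not host:
        return None
    if _host_matches(host, TUNNEL_DOMAINS):
        return "tunnel"
    if _host_matches(host, SHORTENER_DOMAINS):
        return "shortener"
    return None


def scan_log(lines):
    """Return (line_no, url, verdict) for every flagged URL in the log lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            verdict = classify_url(url)
            if verdict:
                findings.append((n, url, verdict))
    return findings


# Constructed sample log lines, not real indicators.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z from=alice@example.org url=https://bit.ly/3xAmPlE",
    "2024-01-01T10:00:02Z from=bob@example.org url=https://docs.example.org/policy.pdf",
    "2024-01-01T10:00:05Z from=carol@example.org url=https://login-portal.abcd1234.ngrok-free.app/auth",
    "2024-01-01T10:00:09Z from=dave@example.org url=http://bit.ly@random-words.trycloudflare.com/login",
]

if __name__ == "__main__":
    for n, url, verdict in scan_log(SAMPLE_LOG):
        print(f"line {n}: {verdict:9s} {url}")
```

A shortener hit alone is only a weak signal; the useful alert is a shortener whose resolved destination is a tunnel host, which you can feed in by appending the redirect target to the same log line.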

Because of this low cost and disposability, these attacks are very dangerous and can only be expected to grow unless new means of identifying and tracing them are found.

Advice for end-users

While phishing techniques used by threat actors have evolved greatly over time, there are still some simple steps you can take to protect yourself:

  • Always be cautious with clicking links in incoming SMS or email
  • Always check the sender email address before replying to an email
  • Don’t share sensitive information unless you are one hundred percent certain of the authenticity of the company or organization you are sharing it with
