09/07/2016 03:12:57 PM
Hyperlinks are prominent in nearly every online activity. We see them on web pages and in email. We embed them in texts, comment fields, or discussion threads. We use them to amplify social media messages or to advertise. One might argue that the most common purpose of hyperlinks today is, in fact, amplification.
Criminals use amplification as well as, or arguably better than, legitimate users. To illustrate how, let’s look at one way to construct a phishing attack using a single maliciously registered domain name.
In this scenario, the phisher prepares for his attack by registering one or a few domains; for example, in
accountfraudalert.tld
Next, the phisher might create a few, a dozen, or a hundred hyperlinks by creating subdomains (fully qualified domain names) within the maliciously registered domain name, for example:
http://welllsfargo.accountfraudalert.tld/
http://chaase.accountfraudalert.maliciousdomain.tld
http://hs.bc.accountfraudalert.tld
Or he might create several or dozens of hyperlinks from a single host name or a few host names, perhaps including the names of the financial institutions he is targeting somewhere along the link path:
http://accountfraudalert.tld/wf-login.php
http://accountfraudalert.tld/chase-login.php
http://accountfraudalert.tld/hs/bc/login.php
http://accountfraudalert.tld/fi/citi/login.php
http://accountfraudalert.tld/citi/bank/citi-login.php
Finally, to take full advantage of amplification, he might combine these two hyperlink construction methods. Note that the hyperlinks I use to illustrate are fairly readable. Hyperlinks that appear in phishing messages may be composed of less obvious strings, and may be longer, shortened, or obfuscated in other ways.
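Seen from the defender's side, every hyperlink above collapses to the registered domain it was built on, and that domain is the unit to block or report. The following is an added example, not code from the original article: it groups the article's illustrative URLs by registered domain. The function names are hypothetical, and it assumes `.tld` is the only public suffix in play; real traffic needs the full Public Suffix List.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: ".tld" is the only public suffix, as in the article's
# placeholder names. Real traffic needs the full Public Suffix List.
PUBLIC_SUFFIXES = {"tld"}

# The illustrative hyperlinks from the article above.
ARTICLE_URLS = [
    "http://welllsfargo.accountfraudalert.tld/",
    "http://chaase.accountfraudalert.maliciousdomain.tld",
    "http://hs.bc.accountfraudalert.tld",
    "http://accountfraudalert.tld/wf-login.php",
    "http://accountfraudalert.tld/chase-login.php",
    "http://accountfraudalert.tld/hs/bc/login.php",
    "http://accountfraudalert.tld/fi/citi/login.php",
    "http://accountfraudalert.tld/citi/bank/citi-login.php",
]


def registered_domain(url):
    """Return the registrable domain (one label plus public suffix) of a URL."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    # Scan left to right so the longest matching suffix wins, then keep
    # exactly one label to its left: that label is what was registered.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None  # no known suffix: IP address, bare name, or unknown TLD


def group_by_registration(urls):
    """Map each registered domain to the distinct hosts and URLs built on it."""
    groups = defaultdict(lambda: {"hosts": set(), "urls": set()})
    for url in urls:
        domain = registered_domain(url)
        if domain is None:
            continue
        groups[domain]["hosts"].add(urlsplit(url).hostname.lower())
        groups[domain]["urls"].add(url)
    return dict(groups)


if __name__ == "__main__":
    for domain, g in sorted(group_by_registration(ARTICLE_URLS).items()):
        print(f"{domain}: {len(g['urls'])} URLs on {len(g['hosts'])} hosts")
```

Note that the second subdomain example groups under `maliciousdomain.tld`, not `accountfraudalert.tld`: only the label immediately left of the public suffix identifies the registration, whatever strings appear further left or in the path.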
This strategy applies equally well to attacks that exploit social media sites like Facebook…

