Phishing

Malicious actors primarily leverage phishing to obtain credentials for initial network access and to deploy malware for follow-up activities (escalating user privileges, maintaining persistence on compromised systems).

Table of Contents

Tools

Evasion

For ideas on obfuscated URLs, see Bypassing URL/Domain/IP Formats.

URL Obfuscation using Punycode

For obfuscation of the URL with Punycode, see Look-Alike Domains and Visual Confusion. To make Firefox display the raw Punycode (xn--) form of a hostname instead of its Unicode rendering, open about:config and set network.IDN_show_punycode to true.
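The Firefox preference above only changes what one browser shows. The following added example (written for this page, not code from the original or from any referenced project) does the same job for an analyst or mail-gateway script: it converts a hostname to its xn-- form with Python's built-in idna codec and inventories the scripts of its letters, so a single-script look-alike (which browsers happily render as Unicode) and a mixed-script label can both be spotted. The function names and the constructed test hostnames are my own.

```python
# Added example (not part of the original page): a defender's helper that
# mirrors Firefox's network.IDN_show_punycode behaviour for any hostname, so a
# look-alike internationalised domain can be inspected in its ASCII (xn--) form
# and its letters inventoried by script. Function names are assumptions.
import unicodedata


def to_punycode(hostname: str) -> str:
    """Return the hostname in A-label (xn--) form; ASCII labels pass through."""
    try:
        return hostname.lower().encode("idna").decode("ascii")
    except UnicodeError:
        # Labels that violate IDNA (prohibited characters, overlong) are left as-is
        return hostname


def to_unicode(hostname: str) -> str:
    """Inverse of to_punycode: decode xn-- labels back to their Unicode form."""
    try:
        return hostname.encode("ascii").decode("idna")
    except UnicodeError:
        # Already contains non-ASCII (or is malformed): return unchanged
        return hostname


def scripts_of(label: str) -> set:
    """Script names (LATIN, CYRILLIC, GREEK, ...) of the letters in one label.

    The script is taken from the first word of each letter's Unicode name,
    which is sufficient for the common look-alike cases.
    """
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def inspect_hostname(hostname: str) -> dict:
    """Summarise what a user sees versus what the resolver actually receives."""
    unicode_form = to_unicode(hostname)       # what a browser may render
    ascii_form = to_punycode(unicode_form)    # what is looked up in DNS
    label_scripts = {label: scripts_of(label) for label in unicode_form.split(".")}
    return {
        "displayed": unicode_form,
        "ascii": ascii_form,
        # True whenever any label had to be Punycode-encoded
        "is_idn": ascii_form != unicode_form,
        "label_scripts": label_scripts,
        # A label mixing scripts is a classic homograph signal; note that a
        # label written entirely in one non-Latin script (the 'apple' case)
        # is NOT mixed, which is exactly why showing the xn-- form matters.
        "mixed_script": any(len(s) > 1 for s in label_scripts.values()),
    }


if __name__ == "__main__":
    # Constructed hostnames: plain ASCII, an all-Cyrillic look-alike,
    # and a Latin label with one Cyrillic letter substituted
    for host in ("example.com", "аррӏе.com", "pаypal.com"):
        print(inspect_hostname(host))
```

Run it on any hostname pulled from a suspicious message; the "ascii" field is what to search logs and blocklists for, since that is the form DNS and TLS actually see.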

URL Obfuscation using Zero-Width Spaces (Z-WASPS)

Bypass spam filters (or anti-phishing mechanisms) by inserting zero-width spaces into the URL. Multiple zero-width spaces placed inside the malicious URL in the phishing email break the URL pattern, so the spam filter no longer recognizes it as a link.

Supported by all modern web browsers, zero-width spaces (listed below) are non-printing Unicode characters that are typically used to control line wrapping in long words. Most applications treat them as a regular space, even though they are not visible to the eye.

  • U+200B (Zero-Width Space)
  • U+200C (Zero-Width Non-Joiner)
  • U+200D (Zero-Width Joiner)
  • U+FEFF (Zero-Width No-Break Space)
  • U+FF10 ０ (Full-Width Digit Zero)
The Hacker News

By inserting Zero-Width Spaces (Z-WASPS) into the raw HTML of a URL, hackers can obfuscate a malicious link while it still renders normally to the recipient.

<!DOCTYPE html>
<html lang="en">
<head>
</head>
<body>
This is a test <a href="https://malicious&#8204;.site.&#8204;com">Link</a>
</body>
</html>
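The defensive counterpart to the trick above is to look at the href after entity decoding rather than at the raw HTML. The following added example (written for this page, not code from the original) parses a constructed HTML snippet modelled on the one above, resolves numeric entities such as &#8204; with the standard-library HTML parser, reports every Unicode format character (category Cf, which covers U+200B, U+200C, U+200D, U+FEFF and relatives such as the soft hyphen) found in each link, and produces the normalized URL an analyst should actually evaluate. It also folds compatibility forms such as the full-width digit zero via NFKC. Function names and the sample markup are my own.

```python
# Added example (not part of the original page): detect zero-width and other
# invisible characters hidden in link targets and recover the real URL.
# Function names and SAMPLE_HTML are constructed for this demonstration.
import unicodedata
from html.parser import HTMLParser

# Constructed sample, modelled on the page's snippet: &#8204; is U+200C
# (Zero-Width Non-Joiner), &#65296; is U+FF10 (Full-Width Digit Zero).
SAMPLE_HTML = """<!DOCTYPE html>
<html lang="en"><body>
This is a test <a href="https://malicious&#8204;.site.&#8204;com">Link</a>
and another <a href="https://1&#65296;.example.test">Link</a>
and a clean one <a href="https://example.test/ok">Link</a>
</body></html>"""


class HrefCollector(HTMLParser):
    """Collect href values of <a> tags; HTMLParser unescapes entities for us."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value is not None:
                    self.hrefs.append(value)


def hidden_chars(url: str) -> list:
    """List (index, 'U+XXXX', name) for every format (Cf) character in url."""
    found = []
    for i, ch in enumerate(url):
        if unicodedata.category(ch) == "Cf":
            found.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN")))
    return found


def normalize_url(url: str) -> str:
    """Drop format characters, then NFKC-fold compatibility forms (e.g. full-width
    digits) so the URL reads the way a resolver or filter should see it."""
    stripped = "".join(ch for ch in url if unicodedata.category(ch) != "Cf")
    return unicodedata.normalize("NFKC", stripped)


def inspect_html(doc: str) -> list:
    """Return one finding per link whose href changes under normalization."""
    parser = HrefCollector()
    parser.feed(doc)
    parser.close()
    findings = []
    for href in parser.hrefs:
        hidden = hidden_chars(href)
        normalized = normalize_url(href)
        if hidden or normalized != href:
            findings.append({"href": href, "hidden": hidden, "normalized": normalized})
    return findings


if __name__ == "__main__":
    for finding in inspect_html(SAMPLE_HTML):
        print(finding["normalized"], [c[1] for c in finding["hidden"]])
```

Any link whose normalized form differs from its displayed form deserves scrutiny; the normalized URL is the one to reputation-check, because it is what the browser will ultimately request once the invisible characters are discarded.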

URL Redirection

Options:

  • Use a third-party service to hide the URL, like freshdesk.com (helpdesk).
  • Register a domain and host this redirection script. There are often rules to block domains registered within the last 90 days. Register your domain in advance.

The URL (“https://google.com”) is hidden within the secureString variable. Change it as needed.

<!DOCTYPE html>
<html>
    <head><title>Secure Redirection</title></head>
    <body>
        <script>
            var secureString = "XyZhXyZtXyZtps:/XyZ/goXyZogXyZlXyZe.cXyZom";
            secureString = secureString.replaceAll("XyZ", "");
            document.location = secureString;
        </script>
    </body>
</html>

Cybersquatting / Domain squatting

See Social Engineering.

Defense