Call it a cliché, but phishing emails are among cybercriminals' favorite tools. And why not? They're relatively easy to deploy and can be sent in bulk.
Hackers typically push out massive numbers of phishing attempts at one time, hoping that they can fool even a few. These scams may all want to whisk away your personal information, but they still do come in different shapes and sizes.
Take this new phishing campaign, for example. It looks like a garden-variety phishing attempt with one very, very long secret.
A record of sorts
A new targeted email phishing scam is currently making the rounds and, get this, for some crazy reason its links contain almost 1,000 characters, which is probably a record of sorts.
First spotted by Bleeping Computer, the phishing campaign masquerades as a message from your email provider’s support team stating that your account has been blacklisted due to multiple login failures. It will then warn you that your account will be terminated unless you log back in and verify it within 24 hours.
As usual, the scam email provides you with a convenient link that will take you to a fake login page designed to steal your email account credentials.
But there’s something quite strange with its URL — a big fat red flag that there’s something amiss.
Wait. Is that URL 1,000-characters long?
Phishing scammers typically try to deceive their victims with addresses that begin with phrases like "log in," "support," or "authorize" to make them appear legitimate. Others use typosquatting techniques, or replace English letters with similar-looking characters from other alphabets (homoglyphs), to fool potential victims.
However, this current phishing campaign skips all that and dumps insanely long URL links instead. And they are ridiculously long, ranging from 400 to 1,000 characters of what's mostly gibberish.
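A defender-side check for the URL tricks just described (excessive length, lure words on an unknown domain, non-ASCII look-alike characters in the host, and typosquatted domains), written as an added example for this article rather than code from the campaign or any vendor. The allow-list of legitimate domains and the sample URLs are constructed for the demonstration.

```python
from urllib.parse import urlparse

# Constructed sample URLs that mimic the tricks the article describes;
# none of them is a real indicator from the campaign.
SAMPLE_URLS = {
    "legit": "https://mail.example.com/account/login",
    "padded": "https://login-support.example-verify.net/authorize/" + "q7z" * 300,
    "homoglyph": "https://ex\u0430mple.com/login",   # Cyrillic small a in the host
    "typosquat": "https://examp1e.com/support",
}
LURE_WORDS = ("login", "support", "authorize", "verify")
KNOWN_DOMAINS = ("example.com",)   # hypothetical allow-list of your own domains
LONG_URL = 400                     # lower end of the lengths seen in the campaign

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike registered domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain."""
    return ".".join(host.split(".")[-2:])

def url_indicators(url: str) -> list[str]:
    """Return the names of the phishing indicators this URL triggers."""
    parts = urlparse(url)
    host = parts.hostname or ""
    domain = registered_domain(host)
    flags = []
    if len(url) >= LONG_URL:
        flags.append("excessive_length")
    if any(ord(c) > 127 for c in host):
        flags.append("non_ascii_host")
    text = (host + parts.path).lower()
    if domain not in KNOWN_DOMAINS and any(w in text for w in LURE_WORDS):
        flags.append("lure_word_on_unknown_domain")
    if domain not in KNOWN_DOMAINS and any(levenshtein(domain, k) <= 2 for k in KNOWN_DOMAINS):
        flags.append("lookalike_domain")
    return flags

if __name__ == "__main__":
    for name, url in SAMPLE_URLS.items():
        print(f"{name:10} {url_indicators(url)}")
```

The legitimate URL triggers nothing even though its path contains "login", because the registered domain is on the allow-list; the padded one is caught by length alone, which is the cheapest signal in this campaign.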
Here's a tweet from My Online Security showing how absurd these phishing links can look.
What’s going on?
What's the logic behind these absurdly long phishing URLs? No one knows for sure, but here are a few theories.
First, the campaign may be coming from an inexperienced and careless newbie hacker who is using a misconfigured amateur phishing kit.
On the other hand, it may have also been launched by a highly experienced scammer who’s trying to evade specific security and anti-virus software by hiding its phishing files behind the padded characters.
But the bottom line is this: if you get an email or notification from a site that you find suspicious, don't click on its links. It's better to type the website's address directly into a browser than to click on a link (especially on mobile).
And before you ever click on a link on your desktop, hover over it with your mouse to see where it is going to take you. If the destination isn’t what the link claims, never ever follow it.