Phishing Attacks with Legitimate URLs

Contact Keepnet for the best antiphishing tools and phishing protection software!

Throughout the years, cybercriminals have become more skilled at escaping discovery by lurking within benign things and attacking their targets. They essentially utilize URLs that lead targets to genuine yet compromised websites or have safe-looking redirectors that ultimately redirect targets to a phishing plot. According to the statistics in the 2018 Keepnet Phishing Trends Report dataset, 49.32% of phishing messages were opened by the target across all organizations, 33.10 % went on to click the malicious attachment or link, 12,87 % hand over the information.

Microsoft revealed that cybercriminals crafted smart phishing attacks in 2019 by using links to Google search results that were infected so that they “pointed to an attacker-controlled page”, which finally redirected to a phishing web site. A traffic generator ensured that the redirector page was the top result for certain keywords.

According to Microsoft, using this technique, cyber criminals were able to transmit phishing emails that carried simply genuine URLs (i.e., link to search results), “and a trusted domain at that”, for instance:

  • hxxps://www[.]google[.]ru/#btnI&q=%3Ca%3EhOJoXatrCPy%3C/a%3E
  • hxxps://www[.]google[.]ru/#btnI&q=%3Ca%3EyEg5xg1736iIgQVF%3C/a%3E

The attack was even more clandestine due to its use of “location-specific search results”. When reached by users in Europe, the phishing URL redirected to the website c77684gq[.]beget[.]tech, and ultimately to the phishing page. Outside Europe, the same URL returned no search results.

Contact Keepnet for the best antiphishing tools and phishing protection software!

According to Microsoft, “for this to work, attackers had to make sure that their website, c77684gq[.]beget[.]tech, was the top search result for the keyword “hOJoXatrCPy” when queried from certain regions. The website’s HTML code is composed of a redirector script and a series of anchor elements:”

Microsoft explained that “These anchor elements were designed to be crawled by search engines so that the page is indexed and returned as result for the search keywords that attackers wanted to use for their campaign”.

Finally, cybercriminals set up a traffic generator to poison/ infect search results. Because the phishing URL used the open redirector functionality, it redirected to the top search result, therefore the redirector webpage.

Phishing URL: Detect Phishing URLs with Keepnet

Phishing URLs are used to obtain password and username information or other account information by sending the attackers to target users as a known person or institution via e-mail or other communication channels.

Usually, the target user receives a message that appears to have been sent from a known entity or organization. This message may contain malware that could infiltrate the user’s computer or contain a Phishing URL that redirects target users to malicious websites that allow them to capture sensitive such as passwords, account details or credit card information.
Nowadays, phishing attacks are very popular because it is easier to click a phishing URL by tricking or manipulating someone than bypassing defenses.Phishing URLs, which are generally found in the body of the text, redirect to the fake website containing the logos and other legal information of the relevant institutions.

We will bring answers to the questions such as What is a phishing URL? What are the phishing URL features? What are the main features that distinguish phishing URLs from other URLs? We will seek answers to such questions in this article.

Many users can unwittingly receive phishing emails or phishing URLs every day and every day. Attackers target both users and companies for item gain or for other reasons. Phishing attacks account for more than 90% of successful attacks, according to the Phishing Trends Report published by Keepnet Labs in May 2020.

What is the Secret to the Success of Phishing Attacks?

The main reason is the wrong habit and unconsciousness of the users. Therefore, organizations should train their employees to have the necessary competence in recognizing and reporting Phishing URLs. In this way, damages that may occur can be prevented. It is also important to use technological tools that can recognize phishing URLs and detect them.

What are Phishing URL Features?

It is necessary to understand what the general URL structure is in order to reveal what processes the attackers follow when creating a phishing URL or phishing domain.

What is a URL?

URL stands for Uniform Resource Locator today. A URL is defined as the address of a particular resource on the Web. Each valid URL points to the address of a unique resource. These resources are available in the following forms:

  • HTML page,
  • CSS document,
  • A picture

URL Explained

General URLs are defined as SLL, protocal domain and subdomain as shown above. In a Phishing URL, you cannot change the domain name part, because this part is used when the domain name is purchased and cannot be changed anymore. However, attackers can create subdomains as they wish. Attackers can never change a domain name, but can create as many new Phishing URL addresses on subdamines as they want.

Attackers choose domains very cleverly and create subdomains accordingly. This situation makes many technological measures fail to detect these Phishing URLs. This is dangerous, as attackers make it difficult to persuade users and detect subdomains. For example, the subdomain can be put before the actual domain name. As an example, suppose the attacker buys a new domain called By adding multiple subdomains to it, users can be trapped. For example, it can use the “Keepnet” subdomain before the actual domain. In this case, the domain changes like They can also add a subdomain to the end of the original domain to make it more realistic:

Cybersquatting Or Typsquatting

Other methods frequently used by attackers are Cybersquatting and Typosquatting attacks, which exploit users’ carelessness by generating domains similar to real domains. For example, by purchasing the domain name which is similar to the original of and creating a webpage that looks like the original one, attackers can trap users easily.

The main goal here is to profit from existing customers of a trademark owned by businesess. Sometimes, attackers can contact the brand they imitate and offer to sell their similar domains at high prices.

How to Block Phishing URL’s

Keepnet Phishing Incident Response tool allows business to report and analyze suspicious emails within minutes. Incident responder analyses an email’s content in header, body and attachment. After the analysis results, a variety of attack signatures for alarm generation are created.

Contact Keepnet for the best antiphishing tools and phishing protection software!

Phishing attacks are the source of more than 90% of successful cyberattacks. To keep your organisation secure, your employees must be completely trained in security awareness and change their behavior to apply best security practices.

Moreover, teaching your employees on how to detect phishing emails and deal with them properly can add a powerful layer of security.

Here are tips on how to avoid phishing attacks:

  • Don’t click on the links in the email coming from unknown sources
  • Don’t open attachments from someone you don’t know. If you receive an attachment from someone you know, call the sender to verify the legitimacy of the email.
  • If you get suspicious about an email you got, throw it out.
  • Look out for regular phishing style in emails like “Verify your account.”
  • Hover the over links in emails, check the URL to verify the authenticity and instead of clicking on the link, type in the web address into the browser manually to access the website.
  • If you visit a website with a padlock, click on the padlock to verify the authenticity.
  • Protect your accounts by using multi-factor authentication.
  • Protect your data by backing it up.

Want try Keepnet’s multi-layered anti-phishing solutions for free?

Click the button and start your free trial today


Editor’s note: This article is updated on 30 December 2020

Keepnet is an anti phishing solution and cybersecurity awareness training platform