Push now blocks URL schema obfuscation, countering a common technique used by attackers to bypass URL detections for phishing pages and malicious IPs.
Push now blocks URL schema obfuscation, countering a common technique used by attackers to bypass URL detections for phishing pages and malicious IPs.
URL schema obfuscation is a technique that obfuscates the end destination of a URL by abusing the URL schema. It used to be common for pages using basic authentication to accept a username and password provided in the URL: for example, hxxps://username:password@pushsecurity.com.
The functionality is still supported by browsers, though it is rarely used today. Now, when a browser interprets a URL with the username section populated (anything before the "@” sign), it discards it, and sends the request to the page or server following the "@” sign.
This can be abused by attackers to send their victim to a malicious server IP or page URL after an initial legit-looking URL. So, for example: hxxps://google.com@phishing.com. The destination page is then often further obfuscated through encoding to further disguise the malicious link.
URL schema obfuscation has two main benefits for an attacker:
It increases the likelihood that a victim clicks a link by appearing legitimate at a glance.
Common URL parsing logic often fails when encountering this technique. This means that where a network defense tool is relying on knowing the server/page a URL is pointing to (e.g. checking if a domain is on a threat intel feed), it could potentially bypass it.
VirusTotal shows abuse of this technique dating back to at least February 2022, and we’re still encountering it in the wild today. After seeing an uptick in URL obfuscation pages being intercepted by Push’s other browser-based phishing protection controls, we decided to use our position in the browser to roll out an additional layer of protection against this technique.
Block URL obfuscation in the browser
We’re providing Push customers with the ability to outright block schema obfuscation when it’s encountered in the browser, protecting against attackers using this technique to obfuscate their phishing and malware delivery pages/servers.
No matter where the link originates, Push intercepts it at the point of execution in the browser, and shuts the attack down.
Here’s how it works:
To enable the control, simply hit the toggle under “URL blocking” from the Push dashboard.
Learn more
Push Security’s browser-based security platform provides comprehensive identity attack detection and response capabilities against techniques like AiTM phishing, credential stuffing, password spraying and session hijacking using stolen session tokens. You can also use Push to find and fix identity vulnerabilities across every app that your employees use, like: ghost logins; SSO coverage gaps; MFA gaps; weak, breached and reused passwords; risky OAuth integrations; and more.
If you want to learn more about how Push helps you to detect and defeat common identity attack techniques, book some time with one of our team for a live demo.
