When Fraudsters Use Our Own Tools Against Us

URL Tracking Systems
Share Button

Many new email tracking services have emerged over the past few years. These services help marketing teams determine if their email marketing campaigns have been successful by analyzing the number of opened emails and user click-throughs. As these tools have matured, they have also begun to offer more analysis capabilities that help marketers extract relevant data about their target audience, market segmentation, habits, and so on.

But now, fraudsters are adopting the same email tracking methods as a way to check the efficacy of their attacks.

We can divide an attack’s launch into two stages. The first starts with the infection vectors used to spread the threat on behalf of a well-known company, bank, or even government entity, and ends when the fraudsters have obtained information about the propagation of their malicious campaign. Some commonly used methods for this first stage are email phishing, fake advertisements, fake social media profiles, etc. The second stage is execution, which begins when the victim has been exposed to the fraudulent content. In this stage, the victim is exposed to the threat and encouraged to provide information or open malicious payload-embedded files. However, this does not mean that the target has provided sensitive information or downloaded the spiteful content.

URL Tracking Systems
Figure 1. URL tracking life-cycle

The methods used to track an attack during its distribution are quite simple. Usually, fraudsters create or use open source tools that modify the URLs attached to each email, adding an extra parameter. Depending on the attack’s level of sophistication, this can be the hardcoded email, a codification of it, or even just a token designed for the URL.

One example of a URL tracking system is the well-known malware Hancitor (Figure 3 shows a real phishing email used in a Hancitor attack), which embeds a 64base codification of the targeted email in the malicious URL to track the success of a phishing email.

 

URL Tracking Systems
Figure 2. A phishing email spread in United States with tracking functionality

URL Tracking Systems

URL Tracking Systems
Figure 3. Two different phishing emails targeting customers from well-known banks in LATAM

Our investigators have detected that this technique is being used worldwide. In Figure 2, we show a case in United States, though customers of some of the major banks in Latin America are also being targeted with email messages that contain tracked URLs. In Figure 3, we see two different malicious URLs, each one with a different kind of “token” or “tracking parameter”, demonstrating the fraudsters’ skills and modus operandi.

The emails above highlight how the phishing sites spread, as well as key details of the emails, such as persuasive messaging and catchy email subjects.

These tracking tools are not always implemented, but, when they are, they allow attackers a better view of potential victims. Fraudsters can study their profiles, habits, needs, and common patterns to find the best way to spread a threat. This is where a tracking method becomes useful in determining information such as the email addresses that received the message and accessed the malicious content, the web browser used to open the attack, the number of clicks that users made, the victim’s location, etc. Using all this data, an attacker can easily segment their victims and boost their strategy for a successful malicious campaign.

URL Tracking Systems
Figure 4. Extracted information from a real attack, which tracks users during the distribution stage

Figure 4 shows a graph that demonstrates the information received from the analysis of an attack in Brazil in which the attackers gained information from users. We can see that the data extracted allows the fraudsters to easily determine victims’ use of web browsers so they can prioritize browsers for vulnerabilities exploitation.

Finally, after the end user has been deceived, attackers apply metrics and statistics to their campaigns. Fraudsters generally build reporting tools directly into their creations to gather information about the affected end customers, the state of their machines, location, and reports with the stolen information. For example, Figure 5 shows the main screen of the Zeus banking Trojan, which presents a brief review of the botnet’s status. By adding an extra layer to track the effectiveness of the actions taken during the distribution of any malicious material, attackers can glean a lot more information about the targeted public, usage trends, and habits, which in turn can be used as direct feedback to improve further actions.

URL Tracking Systems
Figure 5. Fragment of the control panel of the banking Trojan Zeus

Conclusions

  • Using tracking tools during the distribution stage of any malicious content allows fraudsters to measure the effectiveness of their campaigns and use this knowledge to improve their fraud strategies.
  • Next time you access a link embedded in a suspicious email, be aware that you could be giving fraudsters more information than you think.
  • Though email campaigns seem quite simple to run, their design reveals well-organized group behavior. It is evident that they are measuring their Return on Investment (ROI), as is done in the largest legally established companies.

Recommendations

Always verify the sources of any received document, in case you find something suspicious (badly written emails, generic messages, or information that doesn’t match your profile), and install antivirus solutions to double check any downloaded file. Never accept the execution of any software if you didn’t start it. Never trust unknown email sender addresses.

Secure your customers by implementing email domain validation techniques that protect them from company impersonation. This will also allow you to improve your email domain reputation.

Leave a Reply

Your email address will not be published. Required fields are marked *