Link Manipulation & Domination: How Hackers Trick Billionaire Executives into Downloading Ransomware

Simpler Hacking
13 min read · May 20, 2024


It Really Do Be Like That Sometimes.

Advanced Link Manipulation Techniques: Unveiling the Hidden Dangers

Hello everyone, this is SH from SimplerHacking.

With all of the articles I write and the long courses I make, I always try to explain the context of whatever we are doing/learning.

I find this topic interesting, so I thought I would write an entire article about it. Hopefully you can learn a thing or two here.

Context: As technology continues to advance at an exponential rate, so do the techniques malicious actors use to deceive and exploit unsuspecting users. Tactics have become so sophisticated that even highly intelligent people still get tricked without realizing it.

In this comprehensive research blog post, we will delve into the intricacies of link manipulation, exploring the various methods used by advanced attackers and the potential consequences of falling victim to these deceptive practices.

Understanding the Anatomy of a URL

Before we dive into the complexities of link manipulation, it is essential to understand the basic structure of a URL (Uniform Resource Locator).

A single link broken down.

A typical URL consists of several components:

1. Scheme:

The scheme indicates the protocol used to access the resource, such as HTTP or HTTPS. In modern browsers, HTTP-only websites are flagged as insecure, as the traffic between the user and the website is unencrypted, making it vulnerable to interception and eavesdropping.

2. Subdomain:

The subdomain is an optional part of the URL that precedes the domain name. It can be used to organize and segment different sections of a website. For example, “mail.example.com” and “blog.example.com” are subdomains of the main domain “example.com”.

3. Domain:

The domain is the primary identifier of a website. It is the core part of the URL and is typically purchased from a domain registrar. Examples of domains include “google.com”, “facebook.com”, and “amazon.com”.

4. Top-Level Domain (TLD):

The TLD is the last part of the domain name, such as “.com”, “.org”, or “.net”. It indicates the purpose or the organization behind the website. It is crucial to note that a domain with a different TLD can be owned by a completely different entity, even if the domain name appears similar.

5. Path and Query Parameters:

The path and query parameters follow the domain and TLD, separated by a forward slash (“/”). They provide additional instructions to the website, specifying the exact resource or page to be accessed. While these components are essential for navigating within a website, they are not the primary focus when it comes to link manipulation.

Level 1: Basic Link Manipulation

Basic Link Manipulation Techniques

At the most fundamental level, link manipulation involves the use of deceptive domain names and subdomains to trick users into believing they are visiting a legitimate website. Attackers employ various techniques to achieve this:

Subdomain Spoofing: In this technique, attackers create a subdomain that mimics a well-known brand or service. For example, an attacker might register the domain “evil.com” and create a subdomain called “msn”, resulting in a URL like “msn.evil.com”. At first glance, users might mistake this for an official Microsoft website, when in reality, it is controlled by the attacker.

Typosquatting: An Attacker’s Favorite Tool

Typosquatting, also known as URL hijacking, relies on common typing errors made by users. Attackers register domain names that are slight variations of popular websites, capitalizing on mistakes such as missing, extra or swapped characters, or characters replaced with visually similar ones. For instance, “microsotf.com” (transposing the letters “f” and “t”) or “microso0ft.com” (inserting the number “0” beside the letter “o”) could be registered by an attacker to deceive users.

Everyone knows this; it’s pretty basic in the context of cyber attacks.

“Just checking the URL” is no longer that simple; companies use a shit ton of subdomains for their services.
Just by navigating to Google’s login screen, you can see how many URLs and domains are in use. It’s hard to tell what’s legit anymore.
Tools like dnstwist (native to Kali Linux) let you generate thousands of similar domains instantly.

Combo Squatting: Combo squatting combines subdomain spoofing and typosquatting techniques. An example of this would be “microsoft.evil.com.example.com”, where the attacker creates a multi-level subdomain that appears to be associated with the legitimate Microsoft domain but is actually controlled by the owner of “example.com”.

This is one of the most popular tools for domain generation.

Level 2:

IP Address Obfuscation:

In more advanced cases, attackers may leverage IP address obfuscation to conceal the true destination of a link. Every website is hosted on a server with a unique IP address, which is translated from the domain name by the Domain Name System (DNS). Attackers can manipulate links by replacing the domain name with its corresponding IP address, making it harder for users to recognize the true nature of the website.

You can use free tools like Bobby-Table’s IP-Obfuscator to easily do this.
The result you get. Scary stuff.

IP addresses can be represented in different formats, such as the traditional dotted-decimal notation (e.g., 192.0.2.1), hexadecimal format, or even the newer IPv6 format, which uses colons and hexadecimal digits. By obfuscating the IP address, attackers can bypass domain-based security measures and make it challenging for users to identify the actual destination of the link.

IP Obfuscator is a simple tool written in Python that converts an IP address into different obfuscated forms: integer, hexadecimal or octal.
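A defender-side complement to the obfuscator above: the decoder below turns the integer, hexadecimal, octal and short dotted spellings back into dotted-decimal, so a URL filter compares the same value the browser will actually connect to. This is an added example, not the article’s or the IP-Obfuscator tool’s code; it assumes the classic BSD inet_aton parsing rules (which browsers still follow), uses only the Python standard library, and the sample addresses are constructed for the demo.

```python
"""Decode the alternative IPv4 spellings that URL parsers accept back to
dotted-decimal, so a URL filter compares the same value the browser uses.

Added example, not the article's code or the IP-Obfuscator tool. It follows
the classic BSD inet_aton rules that browsers still honour: one to four
dot-separated parts, each decimal, 0x-hex or 0-prefixed octal, with the
last part filling every byte the leading parts did not cover.
"""
import ipaddress
import re

# One dotted part: "0x" hex (possibly empty, meaning zero) or a run of digits.
_PART = re.compile(r"^(?:0[xX][0-9a-fA-F]*|[0-9]+)$")


def _parse_part(text: str) -> int:
    """Parse one part in the radix its prefix implies (hex, octal, decimal)."""
    if text[:2].lower() == "0x":
        return int(text[2:] or "0", 16)   # bare "0x" counts as zero in inet_aton
    if len(text) > 1 and text[0] == "0":
        return int(text, 8)               # raises ValueError on "08", "09"
    return int(text, 10)


def decode_ip_host(host: str):
    """Return dotted-decimal if `host` is an inet_aton-style IPv4 spelling, else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    *leading, last = values
    # Leading parts are single bytes; the last part fills the remaining bytes.
    if any(v > 255 for v in leading) or last >= 256 ** (4 - len(leading)):
        return None
    number = last
    for i, v in enumerate(leading):
        number += v << (8 * (3 - i))
    return ".".join(str((number >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def normalize_host(host: str):
    """Classify a URL host: ('ipv4', dotted), ('ipv6', compressed) or ('name', host)."""
    if host.startswith("[") and host.endswith("]"):
        try:
            return "ipv6", str(ipaddress.IPv6Address(host[1:-1]))
        except ValueError:
            return "name", host
    dotted = decode_ip_host(host)
    return ("ipv4", dotted) if dotted else ("name", host.lower())


if __name__ == "__main__":
    # Constructed samples: every spelling below is 192.0.2.1 except the last two.
    for sample in ("192.0.2.1", "3221225985", "0xC0000201", "030000001001",
                   "192.0.513", "0xc0.0.0x201", "[2001:DB8:0:0:0:0:0:1]", "example.com"):
        print(f"{sample:>24} -> {normalize_host(sample)}")
```

Every spelling in the demo resolves to the documented 192.0.2.1 test address, which is exactly why a blocklist that only knows the dotted form misses the others; normalise first, then compare.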

Level 3:

Exploiting Top-Level Domains (TLDs)

As the number of available TLDs continues to expand, attackers have found new opportunities to deceive users. By registering domains with deceptive TLDs, attackers can create convincing phishing websites that closely resemble legitimate ones.

The malicious URL below looks nearly identical to the legitimate one:

Evil URL:
https://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1271.zip

Legit URL:
https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip

The slashes in the evil URL are not real “/” characters but Unicode look-alikes, so the browser treats everything before the “@” as login information and the actual host is “v1271.zip”.

In an email client, we could make it even more convincing by shrinking the “@” symbol to a size 1 font, which makes it visually non-existent to the user while it is still part of the URL!

And Boom! Our Malware.exe file literally just got downloaded from the registered evil URL. It’s that easy.

For example, an attacker might register the domain “google.tech” to impersonate the popular Google Docs service, which uses the domain “docs.google.com”. Similarly, if a “.docs” TLD becomes available in the future, an attacker could potentially register “google.docs” to create an even more convincing phishing domain.

After Google’s announcement of the .zip TLD, .zip attacks exploded.

Furthermore, attackers can exploit subdomains offered by legitimate services to host malicious content. Platforms like Cloudflare and Azure provide subdomains under “pages.dev” and “azurefd.net”, respectively, which can be used by attackers to create seemingly trusted links. For instance, an attacker could register “microsoft-login.pages.dev” to impersonate a Microsoft login page, leveraging the credibility of the Cloudflare subdomain.

Level 4:

URL Obfuscation and Homograph Attacks

URL obfuscation techniques take link manipulation to a more sophisticated level. Attackers employ various methods to conceal the true destination of a link, making it difficult for users to detect any suspicious activity.

URL Obfuscation:

One common technique is the use of the “@” symbol in the URL. When a URL contains an “@” symbol, the text before the “@” is treated as login information rather than as part of the host, and the actual domain being visited is the one that follows the symbol. For example, in the URL “https://www.amazon.com@evil.com”, the user is actually visiting “evil.com” and not “amazon.com”.
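To see what a browser actually does with the “@” trick, and with the look-alike slashes from the kubernetes example earlier, here is a small checker that reports the effective host. It is an added example, not code from the article or from any tool it mentions; it uses only Python’s standard library (urllib.parse splits the authority the way RFC 3986 does), and the set of slash look-alike code points and the sample URLs are my own choices for the demo.

```python
"""Show the host a browser will actually connect to for a pasted link.

Added example, not the article's code. urllib.parse splits the URL as
RFC 3986 does: everything before the last '@' in the authority is userinfo
and only what follows it is the host. Characters that render like '/' but
are not U+002F never end the authority, which is how the look-alike
kubernetes URL keeps its real host hidden at the end.
"""
import unicodedata
from urllib.parse import urlsplit

# Code points that draw like a forward slash (hand-picked subset for this demo).
SLASH_LOOKALIKES = {"\u2215", "\u2044", "\u2571", "\uff0f"}


def analyze_url(url: str) -> dict:
    """Return the effective host plus human-readable findings for `url`."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    if parts.username is not None:
        findings.append(
            f"'@' in authority: '{parts.username}' is userinfo, "
            f"the browser connects to '{host}'"
        )
    seen = sorted({c for c in parts.netloc if c in SLASH_LOOKALIKES})
    if seen:
        findings.append("slash look-alikes in authority: " + ", ".join(
            f"U+{ord(c):04X} {unicodedata.name(c)}" for c in seen))
    if not host.isascii():
        findings.append("non-ASCII host (check its Punycode form)")
    return {
        "scheme": parts.scheme,
        "effective_host": host,
        "userinfo": parts.username,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed samples: the '@' example from the text, the look-alike
    # kubernetes link (U+2215 DIVISION SLASH), and the genuine GitHub link.
    samples = (
        "https://www.amazon.com@evil.com",
        "https://github.com\u2215kubernetes\u2215kubernetes\u2215archive"
        "\u2215refs\u2215tags\u2215@v1271.zip",
        "https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip",
    )
    for s in samples:
        result = analyze_url(s)
        print(s)
        print("  host:", result["effective_host"])
        for f in result["findings"]:
            print("  -", f)
```

The two signals worth alerting on in a mail gateway are a non-empty userinfo and any slash look-alike inside the authority; neither appears in ordinary links, so both have a near-zero false-positive rate.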

Homograph Attacks:

an AI Homograph Attack Generator (Proof of Concept)

Homograph attacks are another technique that relies on the use of visually similar characters. Attackers can replace certain characters in a legitimate URL with ones that look almost identical but have different underlying Unicode values. For instance, the letter “a” (U+0061) can be replaced with the Cyrillic letter “а” (U+0430), which looks the same but is a different character. This technique can be used to create a visually indistinguishable URL that leads to a malicious website.

Let's look at an example of a domain name.

washingtonpost.com

vs

wаshingtonpost.com

Can you tell the difference? Well, let’s convert both of these to their pure-ASCII (Punycode) form:

washingtonpost.com

vs

xn--wshingtonpost-w1k.com
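The Punycode conversion just shown, together with a check for the typosquats from Level 1, can be automated on the defensive side: convert every hostname to the ASCII form the resolver sees, flag labels that mix scripts, and compare a de-confused “skeleton” of the name against the brands you protect. The script below is an added example, not the article’s code and not dnstwist; it uses Python’s built-in IDNA codec and unicodedata, the Cyrillic-to-Latin confusable table is a hand-picked subset constructed for the demo rather than Unicode’s full confusables list, and the watched brand set is an assumed input.

```python
"""Flag look-alike hostnames: homographs (Cyrillic letters standing in for
Latin ones) and typosquats (one edit or transposition away from a brand).

Added example, not the article's code or dnstwist. Standard library only:
str.encode('idna') applies the built-in IDNA codec (the 'xn--' form the
resolver sees) and unicodedata.name() reveals the script of each letter.
"""
import unicodedata

# Cyrillic letters whose glyphs match Latin letters. Hand-picked subset for
# this demo; Unicode's confusables.txt is the full reference.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}


def skeleton(host: str) -> str:
    """Replace confusable letters with the Latin letter they resemble."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def label_scripts(label: str) -> set:
    """Scripts used by the letters of one DNS label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in label if ch.isalpha()}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # swapped pair
    return d[-1][-1]


def analyze_hostname(host: str, watched: set, max_distance: int = 1) -> dict:
    """ASCII form, mixed-script labels, and the watched brand (if any) the host imitates."""
    host = host.lower()
    ascii_form = host.encode("idna").decode("ascii")
    mixed = [lab for lab in host.split(".") if len(label_scripts(lab)) > 1]
    skel = skeleton(host)
    imitates = None
    for brand in sorted(watched):
        dist = osa_distance(skel, brand)
        # dist == 0 with a changed skeleton is a homograph; 1..max_distance is a typosquat.
        if (dist == 0 and skel != host) or 1 <= dist <= max_distance:
            imitates = brand
            break
    return {"ascii": ascii_form, "mixed_script_labels": mixed,
            "skeleton": skel, "impersonates": imitates}


if __name__ == "__main__":
    WATCHED = {"washingtonpost.com", "microsoft.com"}   # assumed brand list
    for h in ("washingtonpost.com", "w\u0430shingtonpost.com",
              "microsotf.com", "microso0ft.com"):
        print(h, "->", analyze_hostname(h, WATCHED))
```

Run it on the two names from the text and the Cyrillic one comes back as xn--wshingtonpost-w1k.com with a mixed-script label and an impersonation hit, while the genuine name is clean; the same call also catches the two Level 1 typosquats, which differ from microsoft.com by a single transposition or insertion.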

Level 5:

Ok, this is where things get out of control.

Short URL Services and Redirection Chains

Short URL services, such as Bitly and TinyURL, have become increasingly popular due to their ability to condense long URLs into shorter, more manageable links.

Imagine you want to share an interesting Amazon item like the “Archie McPhee Tin Foil Hats for Conspiracy Cats.”

The original URL you’d need to share is quite long and looks weird:

https://www.amazon.com/Archie-McPhee-Foil-Hats-Conspiracy/dp/B07C169XZT/ref=asc_df_B07C169XZT/?tag=hyprod-20&linkCode=df0&hvadid=241981090934&hvpos=1o2&hvnetw=g&hvrand=1444417195024070507&hvpone=&hvptwo=&hvqmt=&hvdev=c&hvdvcmdl=&hvlocint=&hvlocphy=9011683&hvtargid=pla-457215596399&psc=1

To make this easier, you can use a URL shortener like bit.ly. Simply paste the long URL into bit.ly, click “Shorten,” and you’ll get a much more manageable link:

https://amzn.to/2Re4EN1

The shortened link doesn’t look as weird right?

Much better than that long ass string above.

This shortened link achieves the same goal, directing users to the Amazon item, but it’s much easier to share and doesn’t look like a long elaborate string in syntax.

If this were used for a malicious purpose, it would work exactly the same way.

However, attackers can exploit these services to obfuscate the true destination of a link and evade detection by URL analysis tools.

Here are the top 10 most currently abused URL shorteners according to SURBL:

  • bit.ly
  • bit.do
  • ow.ly
  • goo.gl
  • x.co
  • rebrand.ly
  • tinyurl.com
  • t.co
  • is.gd
  • ht.ly

Honorable Mentions:

  • app.link
  • cutt.ly
  • clck.ru
  • soo.gd
  • we.tl
  • 1drv.ms

A phishing email whose shortened URL redirects to a SunTrust credential harvesting page.

When a user clicks on a shortened URL, they are redirected to the original long URL. Attackers can take advantage of this redirection process by creating a chain of redirects, making it difficult to trace the final destination. They can combine short URLs with the previously mentioned techniques, such as URL obfuscation and homograph attacks, to create highly deceptive links.

Depending on the speed of the user’s internet connection, the redirection happens within milliseconds of the click, making it impossible for the untrained eye to catch what actually just happened.

The attacker is using Bitly’s service to not raise any red flags. Once the link is clicked the redirection is instant.

Moreover, attackers can use JavaScript and other client-side scripting techniques to manipulate the redirection process further. By crafting malicious scripts, they can dynamically change the destination URL after the initial redirection, making it even harder for security tools and users to detect the true nature of the link.

Understanding JavaScript

JavaScript is a versatile and widely used programming language in production environments. It enables developers to create dynamic and interactive content for websites and web applications. As a client-side scripting language, it runs directly within a user’s web browser, making web pages more responsive and enhancing the web experience.

JavaScript can:

  • Manipulate HTML elements.
  • Control the Document Object Model (DOM).
  • Interact with other web technologies (such as CSS).

These functions provide rich user interfaces, form validation, and dynamic content updates.

The language has become an essential component of modern web development due to its flexibility, ease of use, and compatibility with various platforms. In fact, according to the 2022 Stack Overflow Developer Survey, JavaScript has been the most popular programming language among developers for the tenth consecutive year.

Python is still better. :)

Anyways, to better understand JavaScript’s role in web applications, it is helpful to familiarize yourself with the browser’s developer console. This built-in tool in web browsers allows you to inspect, debug, and analyze the HTML, CSS, and JavaScript code running on a web page.

To access the developer console in your browser, follow these steps:

  • For Chrome: Press Ctrl + Shift + J (Windows/Linux) or Cmd + Opt + J (Mac).
  • For Firefox: Press Ctrl + Shift + K (Windows/Linux) or Cmd + Opt + K (Mac).
  • For Safari: Press Cmd + Opt + C (Mac) after enabling the Develop menu in Safari’s preferences.
  • Right-click and select the “Inspect” or “Inspect Element” option in all browsers.

The developer console provides various tabs and panels for different purposes, such as:

  1. Elements (or Inspector): Inspect and modify the HTML and CSS of a web page.
  2. Console: Execute JavaScript commands and view error messages or logs.
  3. Sources (or Debugger): Debug JavaScript code using breakpoints and step-by-step execution.
  4. Network: Monitor network requests and analyze performance bottlenecks.

By exploring the developer console, you can gain insights into how JavaScript interacts with other web technologies and learn to debug and optimize your web applications or search for vulnerabilities.

This is just a simple way to move stuff around on the website’s page.

Weaponizing Javascript can be fun and rewarding.

The Consequences of Link Manipulation:

Falling victim to link manipulation can have severe consequences for both individuals and organizations.

You know all these already but:

Phishing and Credential Theft: Deceptive links can lead users to fake login pages designed to steal their credentials. Once an attacker obtains a user’s login information, they can gain unauthorized access to sensitive accounts, compromising personal and financial data.

Tools like EvilGoPhish3 use these tactics to bypass MFA security. You can learn more about these tools: HERE

Automatic Malware Installation: Manipulated links can redirect users to websites that host malicious software, such as viruses, trojans, or ransomware. By inadvertently downloading and executing these malicious files, users can compromise the security of their devices and networks.

Remember that time you tried to download that free PC game and then your computer suddenly got all slow…

That shit was Malware.

Congratulations.

Financial Fraud: Attackers can use link manipulation techniques to create convincing phishing websites that mimic legitimate banking or e-commerce platforms. By tricking users into entering their financial information, attackers can conduct fraudulent transactions and steal funds.

Reputational Damage: For organizations, falling victim to link manipulation can lead to reputational damage. If customers or clients are deceived by malicious links associated with the organization’s brand, it can erode trust and credibility, potentially leading to loss of business and revenue.

Reputation WREKT.

Mitigation Strategies

To protect against link manipulation attacks, both individuals and organizations can employ several mitigation strategies:

  1. User Education and Awareness: Educating users about the risks of link manipulation and teaching them to identify suspicious URLs is crucial. Users should be encouraged to verify the authenticity of links before clicking on them, especially if they are received from untrusted sources or contain unusual characters or subdomains.
  2. URL Analysis Tools: Implementing URL analysis tools that can detect and flag potentially malicious links can help prevent users from accessing deceptive websites. These tools can examine the structure and components of a URL, comparing them against known patterns and blacklists to identify suspicious activity.
  3. Multi-Factor Authentication (MFA): Enabling MFA adds an extra layer of security, even if a user’s credentials are compromised through link manipulation. By requiring additional factors, such as a one-time code or biometric verification, MFA can prevent unauthorized access to sensitive accounts.
  4. Domain Monitoring: Organizations should actively monitor their domain names and variations to identify any suspicious registrations or subdomains that could be used for link manipulation. By proactively identifying and taking action against malicious domains, organizations can reduce the risk of their brand being exploited.
  5. Browser Security Features: Modern web browsers offer built-in security features that can help detect and warn users about suspicious URLs. Ensuring that browsers are kept up to date and have these security features enabled can provide an additional layer of protection against link manipulation attacks.
  6. Shortening Service Verification: When encountering shortened URLs, users should employ URL unshortening services to reveal the original long URL before proceeding. However, it is essential to remain cautious even after unshortening, as attackers can still employ techniques to conceal the true destination.

AI has led to the creation of many tools that can unshorten links and find malicious URLs automatically. Find them HERE
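Mitigation 6 above, and the redirect chains described in Level 5 (including the JavaScript-driven hops), can be handled without a browser: fetch each hop with redirects disabled and pull the next destination out of the Location header, a meta refresh tag, or a JavaScript location assignment, stopping at a hop limit or a loop. The code below is an added example, not the article’s code or any unshortening service; the fetcher is injected so the demo runs offline against responses constructed for it, and the host names in those responses are placeholders.

```python
"""Resolve a shortened link hop by hop, without a browser, so the final
destination is known before anyone clicks.

Added example, not the article's code or any unshortening service. The
fetcher is injected: the demo runs offline against constructed responses;
in production pass a function that issues the request with redirects
disabled and returns (status, headers, body). Three redirect mechanisms are
recognised: the Location header, <meta http-equiv="refresh">, and a
JavaScript location assignment or location.replace()/assign() call.
"""
import re
from urllib.parse import urljoin

_META_REFRESH = re.compile(
    r"""<meta[^>]+http-equiv=["']?refresh["']?[^>]*content=["']\s*\d+\s*;\s*url=["']?([^"'>\s]+)""",
    re.I)
_JS_LOCATION = re.compile(
    r"""(?:window\.|document\.|top\.)?location(?:\.href)?\s*(?:=|\.replace\(|\.assign\()\s*["']([^"']+)["']""",
    re.I)


def next_hop(url: str, status: int, headers: dict, body: str):
    """Return the URL this response sends the client to, or None if it is final."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and "location" in hdrs:
        return urljoin(url, hdrs["location"])          # relative Location is legal
    match = _META_REFRESH.search(body) or _JS_LOCATION.search(body)
    return urljoin(url, match.group(1)) if match else None


def resolve_chain(url: str, fetch, max_hops: int = 10):
    """Follow hops via fetch(url) -> (status, headers, body).

    Returns (chain, cut_short): cut_short is True when the hop limit was
    reached or a redirect loop was detected, so the last entry is not final.
    """
    chain = [url]
    for _ in range(max_hops):
        status, headers, body = fetch(chain[-1])
        nxt = next_hop(chain[-1], status, headers, body)
        if nxt is None:
            return chain, False
        if nxt in chain:                                 # loop guard
            return chain, True
        chain.append(nxt)
    return chain, True


# Constructed responses standing in for a shortener, a landing page that
# meta-refreshes, a page that redirects via JavaScript, and a redirect loop.
FAKE_RESPONSES = {
    "https://short.example/abc":
        (301, {"Location": "https://landing.example/go"}, ""),
    "https://landing.example/go":
        (200, {}, '<html><head><meta http-equiv="refresh" content="0; url=/step2"></head></html>'),
    "https://landing.example/step2":
        (200, {}, '<script>window.location.replace("https://www.amazon.com@evil.example/login");</script>'),
    "https://www.amazon.com@evil.example/login":
        (200, {}, "<html><body>final page</body></html>"),
    "https://loop.example/a": (302, {"Location": "/b"}, ""),
    "https://loop.example/b": (302, {"Location": "/a"}, ""),
}


def fake_fetch(url: str):
    """Offline stand-in for an HTTP client with redirects disabled."""
    return FAKE_RESPONSES.get(url, (404, {}, ""))


if __name__ == "__main__":
    for start in ("https://short.example/abc", "https://loop.example/a"):
        chain, cut = resolve_chain(start, fake_fetch)
        print(" -> ".join(chain), "(cut short)" if cut else "(final)")
```

The last hop in the first chain is the kind of link the earlier sections warned about, an “@” hiding the real host, so the sensible pipeline is to resolve the chain first and then run every hop, not just the first, through the same host checks you apply to plain links.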

Conclusion

Link manipulation poses a significant threat to online security, as attackers continually evolve their techniques to deceive and exploit unsuspecting users. By understanding the various levels of link manipulation, from basic subdomain spoofing to advanced URL obfuscation and redirection chains, individuals and organizations can better protect themselves against these malicious practices.

Implementing a combination of user education, technical controls, and proactive monitoring is essential to mitigate the risks associated with link manipulation. By staying vigilant and adopting a multi-layered approach to security, we can create a safer online environment and reduce the impact of these deceptive tactics.

If you work in Red Teaming or Penetration Testing and want to learn how to use these tactics and combine them for Ransomware & Phishing engagements, I suggest checking out EvilGoPhish Mastery (2024). It’s mainly for Advanced users though.

Check out the course: HERE

If you’re interested in learning how to use these tactics discussed for advanced MFA phishing & smishing, check out the course: HERE

Anyways, I hope you learned something.

Until next time…

Subscribe for more articles and insights. Peace.


Written by Simpler Hacking

Security Architect. Ex-Big Tech. @hackerone @simplerhacking @NVIDIA Learn More: www.simplerhacking.com