I have been observing rampant phishing activity targeting people of Ukraine, using visa applications as bait.

Links formatted like this are being forwarded in emails and chats:

https://evisa.mfa.gov.ua:login@%6D%61%6C%69%63%69%6F%75%73%2E%73%69%74%65

A quick glance suggests the link leads to the login portal of https://evisa.mfa.gov.ua. It does not: clicking it in a browser takes you to https://malicious.site.

Why? The general URL format (as defined in RFC 1808, Section 2.1) is:

<scheme>://<username>:<password>@<host>:<port>

This is a fairly well-known phishing technique: everything before the @ is parsed as credentials, not as the host, and the real domain after the @ is percent-encoded (each byte written as %XX hex) so it is not recognisable at a glance. Breaking down the components of the link above:

  • https - protocol / scheme
  • evisa.mfa.gov.ua - username
  • login - password
  • malicious.site - host (percent-encoded in the link; this is where the browser actually connects)
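The same split can be reproduced with a standard URL parser, which is how a mail filter or a link checker would flag these links before a user clicks them. The following is an added example, not part of the gist: it uses Python's `urllib.parse` to compare the host a hurried reader sees (the text right after `://`) with the host the browser will really connect to, and reports the userinfo and percent-encoded host as reasons. The sample links are constructed here; the first one is the gist's own example, and `example.test` is a placeholder domain.

```python
from urllib.parse import urlsplit, unquote
import re

# Constructed sample links: the first is the gist's own example, the other two
# are made up here to show the difference between a clean link and one that
# carries plain userinfo (example.test is a placeholder domain).
SAMPLE_LINKS = [
    "https://evisa.mfa.gov.ua:login@%6D%61%6C%69%63%69%6F%75%73%2E%73%69%74%65",
    "https://evisa.mfa.gov.ua/login",
    "https://user:pass@example.test/",
]


def apparent_host(url):
    """What a hurried reader takes for the host: the text right after '://'
    up to the first ':', '/' or '@'. This is the part the phisher controls."""
    rest = url.split("://", 1)[-1]
    return re.match(r"[^:/@]*", rest).group(0)


def real_host(url):
    """The host the browser actually connects to: the part of the authority
    after the last '@', with percent-encoding decoded and case folded."""
    return unquote(urlsplit(url).hostname or "")


def suspicious_url(url):
    """Return the reasons a link looks like the userinfo trick (empty = clean)."""
    parts = urlsplit(url)
    reasons = []
    if parts.username is not None:
        # Anything before '@' in the authority is credentials, never the host.
        reasons.append("userinfo present: %r is a username, not the host" % parts.username)
    raw_host = parts.netloc.rsplit("@", 1)[-1]
    if "%" in raw_host:
        # A legitimate hostname has no reason to be percent-encoded.
        reasons.append("percent-encoded host, decodes to %r" % unquote(raw_host))
    if apparent_host(url) != real_host(url):
        reasons.append("displayed host %r differs from real host %r"
                       % (apparent_host(url), real_host(url)))
    return reasons


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link)
        print("  real host:", real_host(link))
        for reason in suspicious_url(link):
            print("  FLAG:", reason)
```

Browsers apply the same authority split (the WHATWG URL parser exposes it as `URL.username` and `URL.hostname`), so a link whose `apparent_host` and `real_host` disagree is worth blocking or rewriting at the mail gateway rather than relying on the user to hover first.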

Proof of Concept: https://evisa.mfa.gov.ua:login@%6D%61%6C%69%63%69%6F%75%73%2E%73%69%74%65
Hover over the link and observe the URL shown in the status bar at the bottom of the browser window.

Browsers like Firefox will warn you if you paste the link into the address bar and open it. But clicking an HTML-embedded link will still take you to the hidden host.

Two simple rules to stay safe:

  • Don't trust links from random people or unsolicited emails.
  • Always hover over a link first to see its real destination address.

Be careful out there!

To read more on URL formats: https://stackoverflow.com/a/53993037/8961316
