Why Should Email Users Be Aware of Percentage-Based URL Encoding?

By Enterprise Security Magazine | Friday, October 04, 2019

Percentage-based URL encoding is a new technique adopted by Phishers to escape detection by secure email gateways.

Fremont, CA: Today’s phishers are using basic percentage-based URL encoding to avoid detection by making use of Google’s ability to decode the encoded URL data. It was in mid-September when Cofense Phishing Defense Center acknowledged a phishing email that originated from a compromised email account of a famous American brand. The message had a hyperlink for a new invoice with the instruction to click on the embedded “View Invoice” hyperlink button for recipients. The actual destination of the hyperlink is hidden for untrained eye and any perimeter security device.

At a simple glance, the high-level domain for the hyperlink appears to be, which is the homepage for Google Latvia. It initially does not raise any danger with many perimeter security tools. When strictly observed, the hyperlink seems to redirect the recipient to a secondary malicious URL using Google. The first part of the URL is “hxxps://”, that instructs the web browser to use Google to query a specific URL or string. The second part is the payload, which is also a string that is encoded with basic URL encoding containing “%” followed by two hexadecimal digits in place of ASCII characters. This is sometimes referred to as percent-encoding.

Most web browsers readily accept URLs that contain hexadecimal character representations and will decode them automatically into ASCII without the involvement of the user. Thus when users click on the hyperlink contained in the email, through their browsers, they are redirected to Google to query the encoded string. This, in turn, recognizes the string as a URL and redirects the user to the final destination, which is a phishing page. It is designed in a way to steal the users’ office365 credentials, favorite target among phishing threat actors. The technique is simple enough to fool basic URL and domain checks by perimeter devices adopted by threat actors to ensure malicious payload delivery.

As this trend increases, all organizations should educate their entire workforce about the dangers of phishing using training that employs simulation and training to fight common types of phishing attacks.

Weekly Brief