"Evasive Phishing Mixes Reverse Tunnels and URL Shortening Services"

Security researchers have observed an increase in the use of reverse tunnel services, as well as URL shorteners, for large-scale phishing campaigns, making it more difficult to detect and stop the malicious activity. This approach differs from the more common practice of registering domains with hosting providers, who are more likely to respond to complaints and remove phishing sites. Threat actors can use reverse tunnels to host phishing pages locally on their own computers and route connections via the external service. Using a URL shortening service, they can generate new links as often as they want and evade detection. Many of the phishing links are refreshed in less than 24 hours, which makes tracking and taking down the domains more challenging. Researchers at the digital risk protection company CloudSEK have seen an increase in phishing campaigns that combine services for reverse tunneling and URL shortening. According to a report shared by the company, over 500 sites were discovered being hosted and distributed this way. CloudSEK found that the most widely abused reverse tunnel services are Ngrok, LocalhostRun, and Cloudflare's Argo. They also noticed an increase in the use of URL shortening services such as Bit.ly, is.gd, and cutt.ly. This article continues to discuss the increased use of reverse tunnel services and URL shorteners in phishing campaigns.
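For defenders, the pattern described above (a shortener link that redirects to a reverse tunnel hostname) can be looked for in web proxy logs. The following is an added example, not code from the article or the CloudSEK report; the tunnel hostname suffixes, the log format, and the sample lines are assumptions constructed for illustration and should be checked against each vendor's current documentation.

```python
from urllib.parse import urlsplit

# Shortening services named in the article.
SHORTENERS = {"bit.ly", "is.gd", "cutt.ly"}

# ASSUMPTION: public hostname suffixes for the tunnel services named in
# the article; verify and extend from vendor documentation before use.
TUNNEL_SUFFIXES = {
    "ngrok.io": "Ngrok",
    "localhost.run": "LocalhostRun",
    "trycloudflare.com": "Cloudflare Argo",
}

def host_of(url):
    """Lower-cased hostname of a URL, or '' when there is none (e.g. '-')."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def tunnel_service(host):
    """Name of the tunnel service whose suffix the host falls under, else None."""
    for suffix, name in TUNNEL_SUFFIXES.items():
        # Match on a label boundary so 'notngrok.io' is not a false positive.
        if host == suffix or host.endswith("." + suffix):
            return name
    return None

def classify(line):
    """Classify one log line in the assumed format: ts client status url location."""
    _ts, _client, status, url, location = line.split()
    src, dst = host_of(url), host_of(location)
    if src in SHORTENERS and status.startswith("3") and tunnel_service(dst):
        return "shortener->tunnel"   # the combination the article describes
    if tunnel_service(src):
        return "tunnel-direct"       # tunnel host reached without a shortener
    return "ok"

def scan(lines):
    """Return (line_number, verdict) for every line that is not 'ok'."""
    hits = [(n, classify(l)) for n, l in enumerate(lines, 1)]
    return [(n, v) for n, v in hits if v != "ok"]

# Constructed sample log lines (not real traffic or real indicators).
SAMPLE_LOG = [
    "2022-06-01T10:00:01Z 10.0.0.5 301 https://bit.ly/EXAMPLE1 https://a1b2c3.ngrok.io/login",
    "2022-06-01T10:00:02Z 10.0.0.5 200 https://a1b2c3.ngrok.io/login -",
    "2022-06-01T10:05:00Z 10.0.0.9 301 https://is.gd/EXAMPLE2 https://www.example.org/news",
    "2022-06-01T10:06:00Z 10.0.0.9 200 https://notngrok.io/ -",
    "2022-06-01T10:07:00Z 10.0.0.7 302 https://cutt.ly/EXAMPLE3 https://x-y-z.trycloudflare.com/",
]

if __name__ == "__main__":
    for lineno, verdict in scan(SAMPLE_LOG):
        print(lineno, verdict)
```

Because the article notes that links are often refreshed in under 24 hours, matching on service suffixes and redirect shape is more durable than blocklisting individual URLs.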

Bleeping Computer reports "Evasive Phishing Mixes Reverse Tunnels and URL Shortening Services"
