Barracuda Reveals New Techniques to Hide Phishing Links in Emails

Barracuda Networks

Phishing attacks are becoming increasingly sophisticated, and now cybercriminals are using advanced methods to hide dangerous links from security systems.

In a blog post, the Barracuda Threat Analysis Team explains how attackers use the Tycoon Phishing-as-a-Service (PhaaS) kit. They employ techniques such as hidden characters and fake subdomains to evade detection. The attacks are designed to deceive both humans and traditional security software.

Invisible Characters and Misleading Symbols

A notable technique is the use of invisible spaces and unusual symbols in URLs. By inserting codes like ‘%20’, attackers keep the malicious part of the link from being detected by security scans. They also use symbols that look like periods but are not, or add a hidden email address to activate redirects. This makes the link appear official and normal, but it still leads to a phishing page.

Additionally, attackers employ misleading structures, such as using ‘https’ twice. This hides the effective destination of the URL while everything looks normal. The ‘@’ symbol is also used in the address: browsers treat everything before that symbol as user data, so something trustworthy like ‘office365’ is placed there. The effective destination comes after the ‘@’ symbol and leads to the attackers’ website.

Unusual symbols like dollar signs or backslashes can disrupt detection by security tools, allowing the attackers’ link to slip through the security system easily. In the screenshot below, Barracuda analysts found a URL consisting of two hyperlinks. The first part leads to an innocent domain, but the second part is part of the Tycoon phishing kit.

Source: Barracuda
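
The patterns described above can be checked mechanically when links are extracted from mail. The following is an added example, not code from Barracuda or from the original post: a small heuristic that flags each pattern in a URL string. The function name, flag names, character lists and sample URLs are assumptions constructed for illustration.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Illustrative, not exhaustive: invisible characters that are not Unicode
# "format" (Cf) characters, and characters that render like a period.
INVISIBLE_FILLERS = {"\u3164", "\u115f", "\u1160", "\uffa0"}
DOT_LOOKALIKES = {"\u3002", "\uff0e", "\uff61", "\u2024"}

def url_red_flags(url: str) -> list[str]:
    """Return the names of the obfuscation patterns found in one URL string."""
    flags = []
    lowered = url.lower()
    # 'https' used twice: a second scheme inside the same link (heuristic,
    # legitimate redirectors also match and need allow-listing).
    if len(re.findall(r"https?:", lowered)) > 1:
        flags.append("repeated-scheme")
    # '%20' and other encoded or raw whitespace padding the link.
    if re.search(r"%(20|09|0a|0d)", lowered) or any(c.isspace() for c in url):
        flags.append("encoded-or-raw-whitespace")
    if any(unicodedata.category(c) == "Cf" or c in INVISIBLE_FILLERS for c in url):
        flags.append("invisible-character")
    if any(c in DOT_LOOKALIKES for c in url):
        flags.append("dot-lookalike")
    if "\\" in url or "$" in url:
        flags.append("unusual-symbol")
    # Browsers treat a backslash as a slash in http(s) URLs, so normalise
    # before parsing; anything before '@' in the authority is user data.
    try:
        netloc = urlsplit(url.replace("\\", "/")).netloc
    except ValueError:
        flags.append("unparseable")
        netloc = ""
    if "@" in netloc:
        flags.append("userinfo-before-host")
    return flags

SAMPLES = [  # constructed for illustration; .example is a reserved TLD
    "https://www.example.com/account",
    "https://office365@login.attacker.example/auth",
    "https://safe.example/%20%20https://attacker.example/login",
    "https://safe\u3002example/login",
    "https:\\\\attacker.example\\$x",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(ascii(u), "->", url_red_flags(u) or "no flags")
```

A flag is a reason to inspect or rewrite the link, not proof of phishing; the real destination for comparison against the displayed text is the host that follows any ‘@’.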

The conclusion is clear: cybercriminals continue to refine their techniques to outsmart traditional security. The Tycoon phishing kit is just one example of a range of new phishing techniques. The only effective defense is a layered approach, with AI-supported detection, email security, and especially awareness training for employees.
