An LDAP injection is an attack that exploits vulnerable Web-based applications that construct LDAP statements based on user input. If a program fails to sanitize user input, attackers can modify LDAP statements using a local proxy. That could let them execute arbitrary commands, such as granting permissions to unauthorized queries and content modification inside the LDAP tree.
An LDAP injection attack often uses the same exploitation techniques employed in SQL injection attacks.
Read More about “Obfuscated URL”
Obfuscating URLs can be created in several ways, most commonly by using misspellings. As a further step, cybercriminals typically replace characters in a legitimate company URL with look-alike characters.
How Do Cybercriminals Create an Obfuscated URL?
There are three common ways attackers obfuscate URLs, namely:
- Shortening: A popular URL shortener is bit.ly, and anyone can use it even free of charge. URL shortening isn’t always bad. In fact, it was created to make URLs shareable on social media like Twitter, which imposes character limits. Cybercriminals began using URL shorteners, however, to turn a long URL, such as “https[:]//www[.]techslang[.]com/definition/what-is-adversarial-search/,” into something like “http[:]//bit[.]ly/3xcx59Q” to weaponize or use it in their phishing campaigns.
- Doppelganging: A far more common URL obfuscation technique is creating a look-alike. These days, cybercriminals rely most on using Cyrillic characters instead of their English letter counterparts in URLs. This development was made possible with the implementation of internationalized domain names (IDNs), which allowed the use of non-English characters in URLs. An example would be the URL “https[:]//www[.]pаypаl[.]cоm/us/hоmе.” While it sure looks like the legitimate PayPal homepage URL, it isn’t. It uses the following Cyrillic characters in place of their English alphabet counterparts.
|Cyrillic Character||English Equivalent|
|а (ah in Russian)||a|
|о (oh in Russian)||o|
|е (yeh in Russian)||e|
If you access the legitimate and look-alike PayPal homepage URLs, you’ll get these.
Screenshot of the real PayPal homepage URL https[:]//www[.]paypal[.]com/us/home
Screenshot of the PayPal homepage look-alike URL https[:]//www[.]pаypаl[.]cоm/us/hоmе
While they look so much alike when viewed using the naked eye, they clearly aren’t, and cybercriminals can easily host a phishing page targeting PayPal on the URL doppelganger.
- Redirecting: Vulnerable websites that support redirection are the usual victims of this technique. Cybercriminals compromise the site and add redirects to specific pages to lead visitors to their malicious web pages. If you visit your bank’s site that has been injected with a redirect like “http[:]//bank[.]com/redirect[.]php?url=http[:]//fakebanksite[.]com,” you will end up on http[:]//fakebanksite[.]com instead of http[:]//bank[.]com.
Can You Avoid the Perils That an Obfuscated URL Poses?
While it’s pretty hard to spot obfuscated URLs no matter how good your eyesight is, there are still ways to avoid suffering the repercussions they pose. Here are some best practices.
- Use a password manager: Many password managers are free. None of them can be tricked into entering a password into a malicious site, even if they look like the real deal. Even you, in fact, may never know your own password.
- Use multifactor authentication (MFA): Even if cybercriminals manage to get your username-and-password combination, they still won’t be able to access your account if they don’t have your MFA device. They can’t obtain the code sent to your mobile phone, for instance.
- Use a security solution: Many if not all of today’s cybersecurity solutions have built-in features to block user access to malicious URLs. So long as they detect the obfuscated URL as malicious, you won’t be able to access or even get redirected to the page it hosts.
Obfuscated URLs have definitely given cybercriminals a means to trick more users into visiting their specially crafted look-alike pages, but they aren’t unavoidable, as this post shows.