Search This Blog

Reverse Tunnels and URL Shorteners Employed by Attackers to Launch Phishing Campaign

The methodology employed is different from the more typical modus operandi of registering domains with hosting providers.


Security researchers at CloudSEK, a digital risk protection firm have witnessed a significant surge in the usage of reverse tunnel services and URL shorteners in conjunction with wide-scale phishing campaigns. 

The methodology employed by attackers is different from the more typical modus operandi of registering domains with hosting providers, who are more likely to react to complaints and shut down the malicious sites. 

The reverse tunnel services assist threat actors in hosting phishing pages locally using their devices and route connections via the external service. Additionally, they can develop new URLs through the URL shortening services as many times as required to bypass security detection. Many of the phishing URLs are updated in less than 24 hours, making it more difficult for researchers to spot and take down malicious domains. 

As reported by BleepingComputer, researchers have identified more than 500 sites hosted and distributed using a combination of reverse tunneling and URL shortening. Ngrok, LocalhostRun, and Argo were the most commonly abused reverse tunnel services, while,, and were the most prevalent URL shorteners. 

According to CloudSEK, cybercriminals may hide their identity by using URL shorteners to mask the name of the URL, which is typically a series of random characters. The malicious links are distributed via Telegram, WhatsApp, phony social media pages, texts, and emails. 

It is worth noting that the cybersecurity landscape is not unfamiliar with the exploit of reverse tunneling. For example, the digital banking platform of the State Bank of India had been previously impersonated for such phishing campaigns to exfiltrate users’ credentials. 

The malicious link was concealed behind “cutt[.]ly/UdbpGhs” and directed to the domain “ultimate-boy-bacterial-generates[.]trycloudflare[.]com/sbi” that employed Cloudflare’s Argo tunneling service. Subsequently, the malicious page requested bank account credentials, PAN card numbers, Aadhaar unique identification numbers, and mobile phone numbers. However, CloudSEK did not share how damaging this campaign was for bank users. 

Private details collected this way can be sold on the dark web or used by hackers to drain bank accounts. If the data is from a firm, the attackers could use it to launch ransomware attacks or business email compromise (BEC) scams. To mitigate the risks, users should avoid clicking on links received from an unfamiliar source.
Share it:

Cyber Attacks

Malicious Campaign

Phishing Campaign

Reverse Tunnels

URL Shorteners