Menlo Security kündigt strategische Partnerschaft mit Google an
Icon Rounded Closed - BRIX Templates

Legacy Reputation URL Evasion (LURE)

Legacy Reputation URL Evasion (LURE) attacks evade web filters that attempt to categorize domains based on implied trust.


What is Legacy Reputation URL Evasion (LURE)?

Legacy Reputation URL Evasion (LURE) attacks evade web filters that attempt to categorize domains based on implied trust. The attackers compromise poorly secured websites that are already trusted by commonly deployed security systems and use them to serve up malware or steal user credentials. The rise of LURE attacks is startling, increasing by more than 950 percent within the past two years according to the Menlo Labs research team. Without proper visibility and control into the browser, this highly evasive and adaptive threat will continue to be successful and impact end users.

How do LURE attacks work?

Threat actors can easily find vulnerabilities in site builders such as WordPress, then exploit a large number of these websites and use techniques like SEO (search engine optimization) poisoning to increase the prominence of their malicious websites. SEO poisoning uses a variety of techniques, such as typosquatting on popular terms or keyword stuffing, to ensure that the malicious websites occur high in search engine rankings, where the highest volume of victim clicks are likely to occur.

These campaigns typically last a short amount of time, usually only a couple of days, by which time the categorization of the website has been changed to malicious by traditional security solutions. This is the essence of a highly evasive and adaptive threat; the LURE site was groomed and evade detection subvert its intended targets, but once detected, the threat actor can adapt and use the next LURE site that was incubating to mount a similar attack to the next unsuspecting victim.

For smaller targeted attacks, threat actors may even go as far as patiently creating new websites that are well behaved for a matter of time until the web crawlers of most categorization engines have identified them and categorize them as benign. At this point, attackers will then spearphish their intended victims, drawing them into these websites that were already weaponized with malicious content.

If a campaign includes the distribution of a malicious file, hosting this file on a trusted collaboration service such as Discord, Google Drive or Box will likely be effective against security that relies on website reputation to prevent access to malicious websites.

Another semi-psychological technique is the use of CAPTCHAS. These security barriers are sometimes used by threat actors to mislead users into thinking the site is highly secured, when in reality that is far from the truth. Indeed, many sites use CAPTCHAS to protect themselves against API bots, however, placing CAPTCHA in front of a website also blocks web categorization crawlers from crawling the site and blinds web filtering and URL reputation solutions to the actual web content. Threats actors use CAPTCHAS to hide their true site nature from such categorization crawlers.

HEATcheck security assessment

Is your organization susceptible to highly evasive and adaptive threats? Find out.

What makes organizations susceptible?

Highly evasive and adaptive threats, including LURE techniques, are constantly evolving, thwarting traditional network security because it has no visibility into the activity occurring within the browser. This is why they’re such potent threats. Traditional security solutions, such as web proxies and firewalls, primarily check for suspicious attachments or anomalous traffic based on existing signatures and patterns of known threats. The increase in remote work and hybrid environments also make users and organizations more susceptible to highly evasive threats. Phishing and social engineering is becoming more frequent and being used to trick individuals, luring them to seemingly benign websites that are convincing to users.

How do I prevent LURE attacks?

In order to effectively counter LURE attacks and other evasive threats targeting the browser, enterprises should prioritize preventive measures, such as a cloud-based Browser Security solution, to help enhance existing layers of security. Browser Security solutions can be used to provide visibility and control inside the browser and offer insight into browser-specific behaviors that detection-based approaches may overlook. It is crucial for organizations to promptly recognize and thwart evasive attacks in real-time, requiring security teams to implement dynamic policy enforcement directly within the browser. Similar to how threat actors constantly adapt their tactics, enterprises must employ adaptive security controls that can actively enforce defense mechanisms within the web browser. This proactive approach is key to preventing undetectable threats from compromising devices, users, and sensitive data.