Phishing Attacks From Link Unfurling

November 09, 2023


Phishing attacks can be launched from apparently legitimate sources: a website can inspect the HTTP headers of each incoming request and show a platform's link-preview crawler something different from what it shows a person. Always use caution when clicking links, even when the link appears to come from a legitimate source and its preview looks genuine.

In many modern apps, from Twitter and WhatsApp to Facebook and Slack, whenever you paste a link into a message to a friend or co-worker, the app will often attach a small preview box: a thumbnail image of the page and a short description, gathered from the page's meta tags (Open Graph and Twitter Card tags, alongside the tags used to describe the page to search engines). This process is referred to as unfurling a link.

While this user-interface practice benefits the user experience, because the recipient can see where a link leads before deciding to tap it, unfurling can also enable a nightmarish phishing attack. Phishing attacks are attempts to fool people into trusting a malicious site, for example one built by a bad actor to capture your bank password as you type it, and they are a reason you should always use multi-factor authentication (MFA) when possible. Phishing is also one of the reasons that privacy issues on the dark web are so endemic: stolen credentials and personal data harvested this way end up for sale there.

Computer security researchers such as Harry Denley have recently written about how a flaw in Twitter's unfurling process, exploited through a clever use of HTTP headers, can trick a user about where a link leads. Harry writes, "Twitter unfurls the domain on their server side and attaches an HTTP_USER_AGENT to the request. You can write some simple server-side code on your link to check if this value contains twitter and if it does, fire off a Location: x header. If the HTTP_USER_AGENT header does not include twitter, then I redirect to this page. I then tweet the full domain (i.e. https://twitter-unfurl-faker.herokuapp.com/) from a burner account and copy Twitter's shortened link to that domain through t.co. By default, this link contains ?amp=1, so if you tweet the link with this query string, it will show you https://twitter-unfurl-faker.herokuapp.com/ in the Tweet. All the bad actor has to do now is remove ?amp=1 from the tweet and you get something that looks like this on Twitter, fooling pretty much everyone."

What is the moral of this story? Everybody who wants to stay safe has their work cut out for them. Programmers have to be particularly careful when designing systems that examine and preview links users submit: the preview must reflect what a real user's browser would receive, not what the site chose to show the preview crawler. And every user needs to be cautious about tapping any link they receive: it might not be what it appears, even if a mega-corporation's preview tells you it is safe. One of the most important rules of firearm safety is to always assume that a gun is loaded; you should similarly assume that any link you see might be dangerous. Phishing attacks are problematic when it comes to corporate espionage or attacks to crack your PayPal account, but as technical innovations in cryptocurrency mean that vast sums of wealth can effectively be stored within browser extensions like MetaMask, one accidental wrong click can trick you into transmitting your life savings with no possibility of undoing the damage. That's a big deal, isn't it?
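The following is an added example, not code from the original article or from Harry Denley's proof of concept. It reproduces the attacker-side logic the quote describes (redirect the preview crawler to a trusted page, redirect everyone else to the phish) as an in-memory "server", and beside it the check a preview service should run before trusting a link: fetch the URL once with its own crawler User-Agent and once with a browser-like User-Agent, follow the redirects, and refuse to show a preview when the two final destinations differ. The hostnames, page titles, the "Twitterbot/1.0" and browser User-Agent strings, and the `fetch` callback interface are all constructed assumptions for this example; no network access is needed.

```python
"""Link-unfurl cloaking, and a defensive unfurler that detects it.

Added example (not from the original article). Hostnames, titles and the
in-memory server below are constructed for illustration only.
"""
import re
from typing import Callable, Dict, Tuple

# A response is (status, headers, body); redirects carry a Location header.
Response = Tuple[int, Dict[str, str], str]
Fetch = Callable[[str, Dict[str, str]], Response]

TRUSTED = "https://example-bank.test/login"           # assumed: what the preview should show
MALICIOUS = "https://attacker-controlled.test/phish"  # assumed: where a real user actually lands
LURE = "https://attacker-controlled.test/"             # assumed: the link the attacker posts

BOT_UA = "Twitterbot/1.0"                               # assumed crawler User-Agent
BROWSER_UA = "Mozilla/5.0 (compatible; generic browser)"  # assumed browser User-Agent


def cloaking_server(url: str, headers: Dict[str, str]) -> Response:
    """Attacker-side logic as the article describes it: the lure URL redirects
    the preview crawler to the trusted page (so the preview is harvested from
    there) and redirects everyone else to a lookalike phishing page."""
    ua = headers.get("User-Agent", "").lower()
    if url == LURE:
        target = TRUSTED if "twitter" in ua else MALICIOUS
        return 302, {"Location": target}, ""
    if url == TRUSTED:
        return 200, {}, "<title>Example Bank - Sign in</title>"
    if url == MALICIOUS:
        # The phish copies the real title, so comparing titles would not help.
        return 200, {}, "<title>Example Bank - Sign in</title>"
    return 404, {}, ""


def honest_server(url: str, headers: Dict[str, str]) -> Response:
    """A site that serves the same page to every User-Agent."""
    return 200, {}, "<title>Just a normal page</title>"


def follow(fetch: Fetch, url: str, headers: Dict[str, str], max_hops: int = 5) -> Tuple[str, Response]:
    """Follow HTTP redirects the way an unfurler must; return the final URL."""
    for _ in range(max_hops):
        status, resp_headers, body = fetch(url, headers)
        if status in (301, 302, 303, 307, 308) and "Location" in resp_headers:
            url = resp_headers["Location"]
            continue
        return url, (status, resp_headers, body)
    raise RuntimeError("too many redirects")


def extract_title(html: str) -> str:
    """Pull the <title> text used for the preview description."""
    match = re.search(r"<title>(.*?)</title>", html, re.IGNORECASE | re.DOTALL)
    return match.group(1).strip() if match else ""


def unfurl(fetch: Fetch, url: str) -> Dict[str, object]:
    """Defensive unfurl: resolve the link as the crawler and again as a browser.

    If the final destinations differ, the site is cloaking and the preview
    must not be shown as if it described the crawler's destination."""
    bot_final, (_, _, bot_body) = follow(fetch, url, {"User-Agent": BOT_UA})
    user_final, _ = follow(fetch, url, {"User-Agent": BROWSER_UA})
    return {
        "preview_title": extract_title(bot_body),
        "shown_destination": bot_final,
        "actual_destination": user_final,
        "cloaked": bot_final != user_final,
    }


def preview_label(fetch: Fetch, url: str) -> str:
    """What a preview box should display: the destination a real user reaches,
    or a warning when the crawler and the browser were sent to different places."""
    result = unfurl(fetch, url)
    if result["cloaked"]:
        return f"Warning: link preview withheld, destination differs by client ({result['actual_destination']})"
    return f"{result['preview_title']} ({result['actual_destination']})"


if __name__ == "__main__":
    print(preview_label(cloaking_server, LURE))
    print(preview_label(honest_server, "https://example.test/"))
```

The check works on the final resolved URL rather than the preview's title or image, because a competent phishing page copies those. A real unfurler would also want to resolve the browser-side fetch from an IP range that is not published as the platform's crawler range, since a cloaking server can key on the source address as easily as on the User-Agent.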

We hope you enjoyed reading this guide and learned something new! Check out our Learning Center to learn more about online privacy and security or consider subscribing to our Online Privacy Service to remove your phone number, name, and address from Google, Bing, Yahoo, and DuckDuckGo search results and hundreds of data broker sites.