Researchers are seeing an increase in the use of reverse tunnel services, as well as URL shorteners, for large-scale phishing campaigns, making the malicious activity more difficult to detect. This differs from the more common practice of registering domains with hosting providers, who are more likely to respond to complaints and remove phishing sites.

Threat actors can use reverse tunnels to host phishing pages locally on their own computers and route connections through an external service. They can avoid detection by using a URL shortening service to generate new links as frequently as they want. Many phishing links are refreshed in less than 24 hours, making tracking and removing the domains more difficult.

Service abuse

CloudSEK, a digital risk protection company, has seen an increase in the number of phishing campaigns that combine reverse tunnelling and URL shortening services. According to a report by the company, researchers discovered more than 500 sites hosted and distributed in this manner.

CloudSEK discovered that the most widely abused reverse tunnel services are Ngrok, LocalhostRun, and Cloudflare’s Argo. They also noticed an increase in the use of URL shortening services such as,, and

Reverse tunnel services shield the phishing site by handling all connections to the local server where it is hosted. The tunnel service resolves any incoming connections and forwards them to the local machine.

The modus operandi of the phishing actors (CloudSEK)

Victims who interact with these phishing sites have their sensitive information stored directly on the attacker’s computer. According to CloudSEK, the threat actor masks the name of the URL, which is typically a string of random characters, by using URL shorteners. As a result, a suspicious domain name is hidden behind a short URL.

Adversaries, according to CloudSEK, are disseminating these links via popular communication channels such as WhatsApp, Telegram, emails, text, or fake social media pages. It is important to note that the misuse of these services is not new. In February 2021, for example, Cyble presented evidence of Ngrok abuse. However, according to CloudSEK’s findings, the problem is worsening.

Detected cases

CloudSEK detected one phishing campaign that impersonated YONO, a digital banking platform offered by the State Bank of India.

YONO phishing site hosted locally (CloudSEK)

The attacker’s URL was hidden behind “cutt[.]ly/UdbpGhs” and directed to the domain “ultimate-boy-bacterial-generates[.]trycloudflare[.]com/sbi,” which made use of Cloudflare’s Argo tunnelling service.

This phishing page asked for bank account information, PAN card numbers, Aadhaar unique identification numbers, and mobile phone numbers. CloudSEK did not disclose the effectiveness of this campaign, but it did point out that threat actors rarely use the same domain name for more than 24 hours, though they do recycle the phishing page templates.

“Even if a URL is reported or blocked, threat actors can easily host another page using the same template,” according to CloudSEK.

This sensitive information can be sold on the dark web or used by attackers to empty bank accounts. If the information comes from a business, the threat actor could use it to launch ransomware attacks or business email compromise (BEC) fraud.

Users should avoid clicking on links received from unknown or suspicious sources to protect themselves from this type of threat. Manually typing a bank’s domain name into the browser is a good way to avoid being exposed to a fake website.
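For defenders triaging reported messages or proxy logs, the following added example (not from CloudSEK or the original article) flags links whose host is a URL shortener or a reverse tunnel endpoint, including defanged indicators. The suffix lists are assumptions to be extended from your own intelligence: `cutt.ly` and `trycloudflare.com` come from the article, `ngrok.io` is assumed from Ngrok's public tunnel hostnames, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumed, non-exhaustive lists (see lead-in); extend from your own threat intel.
TUNNEL_SUFFIXES = ("trycloudflare.com", "ngrok.io")
SHORTENER_HOSTS = ("cutt.ly",)

def refang(token):
    """Undo common defanging so the indicator parses as a URL."""
    return re.sub(r"hxxp", "http", token.replace("[.]", "."), flags=re.I)

def host_of(token):
    """Return the lower-cased hostname of a URL-like token, or None."""
    t = refang(token).strip("\"'<>(),.;:")
    if "://" not in t:
        t = "http://" + t  # bare "cutt.ly/xyz" style links
    try:
        host = urlsplit(t).hostname
    except ValueError:
        return None
    return host.lower().rstrip(".") if host else None

def on_domain(host, suffixes):
    # Match on a label boundary only, so "nottrycloudflare.com" and
    # "trycloudflare.com.example.net" do not count as tunnel hosts.
    return any(host == s or host.endswith("." + s) for s in suffixes)

def classify(token):
    host = host_of(token)
    if host is None:
        return None
    if on_domain(host, TUNNEL_SUFFIXES):
        return "tunnel"
    if on_domain(host, SHORTENER_HOSTS):
        return "shortener"
    return None

def scan(lines):
    """Return (line_number, host, kind) for every flagged token."""
    return [(n, host_of(tok), classify(tok))
            for n, line in enumerate(lines, 1)
            for tok in line.split() if classify(tok)]

SAMPLE = [  # constructed lines; the two indicators are those quoted in the article
    "reported link: cutt[.]ly/UdbpGhs",
    "resolves to hxxps://ultimate-boy-bacterial-generates[.]trycloudflare[.]com/sbi",
    "lookalikes: https://nottrycloudflare.com/ https://trycloudflare.com.example.net/",
    "dev preview https://abc123.ngrok.io:443/login",
]
```

A hit is a triage signal rather than a verdict, since developers also use these tunnel services legitimately; given the sub-24-hour link rotation described above, matching on the service suffix holds up longer than blocklisting individual hostnames.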