February 28, 2023
min read

How ngrok Actively Combats Phishing Attacks

Russ Savage

Phishing attacks are one of the most common attacks on the internet, and ngrok is committed to actively trying to stop them.

All unauthenticated users of ngrok are blocked completely from serving any HTML content via our HTTP tunnels. Their IP addresses are included in the URL provided by ngrok, as well as in any HTTP header sent with each request. This allows anyone to know exactly what IP address is being used to investigate further if needed.

When someone registers for a free ngrok account and installs their token to authenticate to the service, they are now allowed to serve HTML traffic, but each time a user visits that URL, they are presented with a warning screen letting them know that the site is being hosted by ngrok and that they should not enter any sensitive information. This page also includes the IP address of the user hosting the content.

In addition to this interstitial page, the ngrok platform also performs fuzzy matching on HTML content for free accounts and looks for content that may indicate phishing attacks. Those accounts are automatically banned from the platform immediately.

Finally, if you see ngrok being used for phishing attacks, you should email abuse@ngrok.com right away and include the link being used in the attack. We will review and ban the account if it is found to be hosting phishing pages.

Paid ngrok accounts do not have the same restrictions as our unauthenticated and free users.

What is ngrok used for?

ngrok is an ingress-as-a-service platform used by over 6 million developers to quickly and securely put their web applications on the internet. Developers can use ngrok to easily embed connectivity into their applications. Decoupling ingress from your app’s environment ensures your app receives ingress exactly the same way no matter what environment you deploy them to: AWS, your own data center, serverless functions, CI containers, your laptop, or an IoT device.

Why do hackers use ngrok?

ngrok is incredibly simple to use. When we use the phrase “online in one line” we really do mean it. The ability to get a public URL to services running inside of a network is a difficult problem for both legitimate developers and nefarious actors to solve. We actively pursue a multi-pronged strategy to combat malicious use of our services without negatively impacting the 6 million developers that love the simplicity ngrok offers.

We have built a set of product capabilities to help protect users and customers from various attacks.

First, ngrok Enterprise customers can configure a custom domain for agents to use when connecting to the ngrok service. This allows those customers to block our default tunnel domains and only allow traffic through their preferred addresses. Users who attempt to start ngrok agents disconnected from the approved account are blocked. For more details, check out Securing your ngrok Tunnels in our documentation.

The agents can be further locked down using IP restrictions and access control lists (ACLs) so that if a token is compromised, the attacker can’t use it to start arbitrary endpoints on your account from other IP addresses.

We also include a full observability system inside the ngrok platform that allows you and your team to monitor for suspicious activity and take action to block that activity from your account.

Is ngrok a security risk?

No. When used correctly, we believe ngrok does not pose any significant threat to the security of your organization. Many companies use ngrok to secure access to applications and monitor traffic on their network. If you would like to learn more about how to secure your network applications with ngrok, please contact us.

Share this post
Russ Savage
Russ Savage is a Product Manager at ngrok focused on building amazing product capabilities for our users. He is a developer at heart and loves contributing to open-source projects when he can. He was previously building developer tools and experiences at InfluxData.