Phishing Delivery Mechanisms: Know Your Enemy (URL Concealment or Obfuscation Attacks) – Part 4
written by: Ashwin Satyanarayana • edited by: Rebecca Scudder • updated: 2/7/2012
URL concealment, or URL obfuscation, attacks are the work of phishers who hover around like faceless, evil, hooded miscreants. They try to lure you with links and other methods that aren't really what you think they are. How does this form of attack work? What specific techniques do they use? Read on.
The key to a phisher's success is fooling users into following a URL (found in an email, a banner ad, or one of the many other ways discussed here and elsewhere) and luring them into giving up information for the attacker's malicious use. Unfortunately, phishers have a mind-boggling array of tools and techniques at their disposal to lure you into clicking those links. One of the main ways of doing that is to obfuscate URLs.
The obfuscation (concealment) is done using an almost never-ending supply of tools and techniques that attackers can employ to dupe users into clicking on that "if-you-want-it-come-click-me" link. Discussed below are a few of the methods attackers usually use (although some of them are losing their prominence, thanks to increasing user knowledge).
Mis-spelt Domain Names
It is easy to register and own domain names today at minimal cost, so this is one of the tactics attackers employ most commonly. Deliberately wrong domain names are registered: citibank.com becomes www.sitibank.com or even www.citibank.org. Sometimes the domain names have add-ons that make them seem even more plausible to the user. For instance, an attacker purporting to be Citibank sends you a link about Christmas shopping specials and uses a domain like christmasspecials.citibank.com (looks more realistic and believable, doesn't it?).
Phishers can dabble with variations on the Citibank domain name in a million ways, and you might even come up with a few more examples such as hackerprooflogin.citibank.com, mybanking.citibank.com or privatebanking.sitibank.com. If you aren't careful, you might just click on the deceptively named twin of your bank, which is out to get your financial details.
Using Friendly URLs
Another deceptive technique used by phishers is the use of friendly URLs which scream "Click me". Most browsers now come with the ability to display addresses that have your username and password in them, using the @ sign. For instance, you can have ftp://username:email@example.com, but it can be made into something like http://www.attackedbank.com:firstname.lastname@example.org/loginpage.htm. Most browsers have removed their support for this sort of URL coding as a move towards fighting phishing.
Using IP Addresses
Most phishers use an IP address instead of the actual domain name. Check out the case of Google, for instance:
Phishers generally take the IP address of a site they own (all that changes within the URL's IP address is one of the numbers) and push it into an email or a hyperlink. Since you have no clue what the right IP address of any site is, you would click on it nonetheless.
How to Prevent URL Obfuscation and URL Concealment Attacks?
Follow some great tips on how to avoid getting phished.
Refuse to click on anything that doesn’t look like a properly formatted URL to you.
Install and run Internet security software (most anti-virus packages have these versions) which provides proactive defense and adequate banner ad control.
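The "properly formatted URL" check can be automated for the three tricks described above (look-alike domains, text before the @ sign, and raw IP addresses). The following is an added example, not part of the original article; the trusted-domain list, the edit-distance threshold of 2, and the sample links are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the domains you actually bank with (the article's example bank).
TRUSTED_DOMAINS = {"citibank.com"}

def _edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def url_warnings(url):
    """Return the set of obfuscation indicators found in url."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    found = set()
    # "Friendly URL" trick: everything before '@' is userinfo, not the site.
    if parts.username is not None:
        found.add("userinfo")
    # Raw IP address where a domain name is expected.
    try:
        ipaddress.ip_address(host)
        return found | {"ip-host"}
    except ValueError:
        pass
    # Registered name = last two labels (a simplification that ignores
    # multi-label suffixes such as co.uk), compared with each trusted domain.
    registered = ".".join(host.split(".")[-2:])
    for trusted in TRUSTED_DOMAINS:
        if registered == trusted:
            continue
        other_tld = registered.split(".")[0] == trusted.split(".")[0]
        if other_tld or _edit_distance(registered, trusted) <= 2:
            found.add("lookalike:" + trusted)
    return found

# Constructed sample links (203.0.113.7 is a documentation-only address).
SAMPLES = ["http://www.sitibank.com/login", "https://www.citibank.com/",
           "http://www.attackedbank.com:login@203.0.113.7/loginpage.htm"]
if __name__ == "__main__":
    for link in SAMPLES:
        print(link, sorted(url_warnings(link)))
```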
A series of other informative articles has been published about phishing. Together, these articles, with their detailed explanation of each of the attack types (or vectors, as they are technically called), should arm you against any possible breach of security. Please see below.