The key to a phisher’s success is fooling users into following a URL (found in an email, a banner ad, or one of the many other ways discussed here and elsewhere) and luring them into giving up information for the attacker’s malicious use. Unfortunately, phishers have a mind-boggling array of tools and techniques at their disposal to lure you into clicking those links. One of the main ways of doing that is to obfuscate URLs.
Obfuscation (concealment) is done using an almost never-ending supply of tools and techniques that attackers can employ to dupe users into clicking on that “if-you-want-it-come-click-me” link. Discussed below are a few of the methods usually used by attackers (although some of them are losing their prominence, thanks to increasing user knowledge).
Mis-spelt Domain Names
It is easy to register and own domain names today at minimal cost, so this is one of the most commonly employed tactics for attackers. Deliberately misspelt domain names are registered: citibank.com becomes www.sitibank.com or even www.citibank.org. Sometimes the domain names have add-ons that make the link seem even more plausible to the user. For instance, an attacker purporting to be Citibank sends you a link about Christmas shopping specials using a domain like christmasspecials.citibank.com (looks more realistic and believable, doesn’t it?).
Phishers can play with variations on the Citibank domain name in a million ways, and you might even come up with a few more examples such as hackerprooflogin.citibank.com or mybanking.citibank.com or privatebanking.sitibank.com. If you aren’t careful, you might just click on the deceptively named bank twin, which is out to get your financial details.
Using Friendly URLs
Another deceptive technique used by phishers is the use of friendly URLs which scream “Click me”. Most browsers come with the ability to handle addresses that carry your username and password in them, placed before the @ sign. For instance, you can have ftp://username:firstname.lastname@example.org but it can be made into something like http://www.attackedbank.com:email@example.com/loginpage.htm, where the part before the @ sign only looks like the destination. Most browsers have removed their support for this sort of URL coding as a move towards fighting phishing.
Using IP Addresses
Most phishers use an IP address instead of the actual domain name. Take the case of Google, for instance:
Normal address: http://www.google.com
Dotted address: http://18.104.22.168
Dot-less address: http://1089054568
Phishers generally take the IP address of a site they own (all that changes within the URL’s IP address is one of the numbers) and push it into an email or a hyperlink. Since you have no clue what the right IP address of any site is, you would click on it nonetheless.
How to Prevent URL Obfuscation and URL Concealment Attacks?
Follow some great tips on how to avoid getting phished.
- Refuse to click on anything that doesn’t look like a properly formatted URL to you.
- Install and run Internet security software (most anti-virus packages come in such versions) that provides proactive defense and adequate banner ad control.
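The "properly formatted URL" tip can be partly automated. The following is an added example, not part of the original article: a Python check that flags the three tricks described above (near-miss domain spellings, userinfo before the @ sign, and raw or dot-less IP hosts). The `KNOWN_DOMAINS` list, the function names and the sample URLs are assumptions constructed for illustration, and taking the last two labels as the registered domain is a simplification.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: domains the defender wants to protect (constructed list).
KNOWN_DOMAINS = ("citibank.com", "google.com")

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_as_ip(host):
    """Return the dotted form if host is an IP literal, else None."""
    if host.isascii() and host.isdigit() and int(host) < 2**32:
        return str(ipaddress.IPv4Address(int(host)))  # dot-less decimal form
    try:
        return str(ipaddress.ip_address(host))        # dotted IPv4 or IPv6
    except ValueError:
        return None

def check_url(url):
    """Return a list of findings; an empty list means nothing was flagged."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.username is not None:
        findings.append(f"userinfo before '@'; real host is {host}")
    ip = host_as_ip(host)
    if ip:
        return findings + [f"host is a raw IP address ({ip})"]
    labels = host.split(".")
    registered = ".".join(labels[-2:])  # simplification: no Public Suffix List
    if registered in KNOWN_DOMAINS:
        return findings
    for known in KNOWN_DOMAINS:
        if labels[-2:-1] == [known.split(".")[0]]:
            findings.append(f"{registered}: same name as {known}, different TLD")
        elif edit_distance(registered, known) <= 2:
            findings.append(f"{registered}: near-miss spelling of {known}")
    return findings

if __name__ == "__main__":
    for u in ("http://www.sitibank.com/", "http://www.citibank.org/",
              "http://www.attackedbank.com:login@phish.example/loginpage.htm",
              "http://3221225985/"):  # constructed sample URLs
        print(u, "->", check_url(u))
```

An empty result only means none of these three patterns matched; it is not a verdict that the link is safe.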