How Phishing Happens: Know Your Enemy: (URL Concealment or Obfuscation Attacks)

The key to a phisher’s success is to fool users into following a URL (found in an email, a banner ad, or one of the many other ways discussed here and elsewhere) and lure them into giving up information for the attacker’s malicious use. Unfortunately, phishers have a mind-boggling array of tools and techniques at their disposal to lure you into clicking those links. One of the main ways of doing that is to obfuscate URLs.

Obfuscation (concealment) is done using an almost never-ending supply of tools and techniques that attackers can employ to dupe users into clicking on that “if-you-want-it-come-click-me” link. Discussed below are a few of the methods attackers usually use (although some of them are losing their prominence, thanks to increasing user knowledge).

Mis-spelt Domain Names

It is easy to register and own domain names today at minimal cost, hence this is one of the most commonly employed tactics for attackers. Bad domain names are registered on purpose: citibank.com becomes www.sitibank.com or even www.citibank.org. Sometimes the domain names have add-ons that make the link look even more sensible to the user. For instance, an attacker purporting to be Citibank sends you a link about Christmas shopping specials using a domain like christmasspecials.citibank.com (looks more realistic and believable, doesn’t it?).

Phishers can play with variations on the Citibank domain name in a million ways, and you might even come up with a few more examples yourself, such as hackerprooflogin.citibank.com, mybanking.citibank.com or privatebanking.sitibank.com. If you aren’t careful, you might just click on the deceptively named twin of your bank, which is out to get your financial details.

Using Friendly URLs

Another deceptive technique used by phishers is the use of friendly URLs which scream “Click me”. Most browsers now come with the ability to handle addresses with your username and password in them, placed in front of the @ sign. For instance, you can have ftp://username:password@ftp.cse.ohio-state.edu, but the same syntax can be made into something like http://www.attackedbank.com:ebanking@evilsite.com/loginpage.htm, where everything before the @ is treated as login details and the site actually contacted is evilsite.com. Most browsers have removed their support for this sort of URL coding as a move towards fighting phishing.

Using IP Addresses

Most phishers use an IP address instead of the actual domain name. Take the case of Google, for instance:

Normal address: https://www.google.com

Dotted address: https://64.233.167.99

Dot-less address: https://1089054568

Phishers generally take the IP address of a site they own (all that changes within the URL’s IP address is one of the numbers) and push it into an email or a hyperlink. Since you have no clue what the right IP address of any site is, you would click on it nonetheless.

How to Prevent URL Obfuscation and URL Concealment Attacks?

Follow some great tips on how to avoid getting phished.

  • Refuse to click on anything that doesn’t look like a properly formatted URL to you.
  • Install and run Internet Security Software (most anti-virus packages have these versions) which provides pro-active defense and an adequate banner ad control.
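
The first tip can be automated in a mail filter or link scanner. The sketch below is an added example, not code from the original article: it flags the three tricks described above (credentials before the @ sign, IP-literal hosts in dotted or dot-less form, and near-miss domain names). The TRUSTED allow-list, the function names and the 0.8 similarity threshold are assumptions, and the registered-domain split is deliberately naive.

```python
import difflib
import ipaddress
from urllib.parse import urlsplit

# Assumption: hypothetical allow-list of domains the organisation really uses.
TRUSTED = {"citibank.com", "google.com"}


def host_as_ip(host):
    """Return the dotted form if host is an IP literal (dotted or dot-less decimal)."""
    if host.isdecimal() and int(host) < 2**32:
        return str(ipaddress.IPv4Address(int(host)))
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return None


def check_url(url):
    """Return a list of (finding, detail) tuples; an empty list means no flag."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.username is not None:
        # Everything before '@' is credentials; the real host comes after it.
        findings.append(("userinfo", f"real host is {host}, not {parts.username}"))
    ip = host_as_ip(host)
    if ip:
        return findings + [("ip-literal", ip)]
    # Naive registered domain: last two labels (real code needs the Public Suffix List).
    domain = ".".join(host.split(".")[-2:])
    if domain not in TRUSTED:
        name = domain.split(".")[0]
        for good in sorted(TRUSTED):
            ratio = difflib.SequenceMatcher(None, name, good.split(".")[0]).ratio()
            if ratio >= 0.8:  # same or near-identical name on a different domain
                findings.append(("lookalike", good))
    return findings


if __name__ == "__main__":
    # URLs quoted in the article text above.
    for url in ("https://www.google.com", "https://64.233.167.99",
                "https://1089054568", "http://www.sitibank.com",
                "http://www.citibank.org",
                "http://www.attackedbank.com:ebanking@evilsite.com/loginpage.htm"):
        print(url, check_url(url))
```

Hexadecimal and octal IP spellings, and internationalised lookalike characters, are outside what this sketch checks.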

Image: URL Obfuscation example

Related Resources

A series of other informative articles has been published about phishing. Together, these articles, with their detailed descriptions of each of the attack types (or vectors, as they are technically called), should arm you against any possible breach of security. Please see below.

  • Phishing
  • History of Phishing

Common types of attacks that you should know

  • Phishing Delivery Mechanisms: Know Your Enemy (Man In the Middle Attacks) – Part 3