Monday, June 25, 2007

Pay Close Attention To The URLs In Your E-mails

By Coenraad De Beer

More and more phishing scammers are starting to use clever eye-deceiving techniques with the URLs in phishing e-mails, making victims believe that the URL belongs to the real company portrayed in the fake e-mail. If you receive e-mails from your bank or other financial institutions, look twice before you click on any links.

I'm not talking about the anchor text of the link or the ten-foot-long look-alike URLs you normally find in conventional phishing e-mails; no, I'm talking about the domain name, the one thing that clearly distinguishes a legitimate URL from a fake one. Online banks normally use simple URLs for their online banking services, making it easy to distinguish them from the long, obscure URLs normally used by phishing scammers. But before we go into the details of the deceiving techniques used by phishing scammers, let me give you a brief explanation of how URLs work.

The Top-Level Domain and Sub-Domain
Let's say you are a client of Example Bank. The Example Bank website is called www.example.com. This is the top-level domain. They use the sub-domain www.secure.example.com for their online banking application ('secure' is a sub-domain of example.com, also owned and administered by Example Bank).

Secure Encrypted Connection
Secure encrypted connections always use the prefix https://. So the complete URL for Example Bank's online banking website will be https://www.secure.example.com. Any URL collecting sensitive information like credit card numbers, social security numbers, user names, passwords, etc. should start with the https:// prefix; if it doesn't, stay as far away from it as possible.

Expanding The URL With Directories
Directories containing data and files are also stored on a domain. Let's say the login page for the online banking system is called 'loginpage.php' and is stored in the 'login' directory. The final URL, containing these elements, will look like this: https://www.secure.example.com/login/loginpage.php

Variations
Scammers try to fool users by using variations of well-known URLs. If we change our URL to https://www.secure.example.invalid.com/login/loginpage.php, then we are no longer referring to the online banking website of Example Bank, but to the website of invalid.com. The part of the URL between https:// and the first forward slash (/) is the crucial factor that determines whether the URL points to the right site or not.

Now you have a basic idea of how URLs are constructed and how phishing scammers manipulate them to fool the uninformed. Phishing scammers hide these manipulated URLs by displaying the valid URL in the anchor text (the text of a link). The anchor text is only a clickable object and can be anything under the sun. The underlying URL, not the anchor text itself, determines which website opens when the user clicks on the anchor text. Most browsers and e-mail clients allow the user to view the URL by hovering the mouse pointer over the link. The actual URL is then displayed in the status bar, the horizontal bar at the bottom of the application screen.

People have started to spot these manipulated URLs more easily and this technique is slowly losing its effectiveness. As a countermeasure to this problem, scammers started to register domains with different extensions. For instance, scammers may register a domain like example.org, example.info or example.co.uk to launch phishing attacks on clients of example.com. However, this will not fool the informed and observant client.

It is in the nature of all cyber criminals to look for new and advanced ways of claiming victims. Phishing scammers are now focusing on registering top-level domains spelled exactly like the real domain, except for one single letter (or maybe two). An example of such a domain was recently reported at CastleCops, where a Western Union domain was forged as VVesternunion.biz. Most screen fonts separate the two V's quite clearly, but with certain fonts you won't be able to tell the difference between VVestern and Western. Less than a day after the scam was reported at CastleCops, another phishing e-mail was reported at Cyber Top Cops, this time involving a forged Sterling Online Banking domain. The anchor text of each link in this e-mail was displayed as sterlingonlinebanking.com but the actual URL pointed to sterlingonlinebenking.com. This is quite a long domain, so one can easily fail to spot the small difference in spelling.
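The four tricks described above (the real name buried as a sub-domain of another site, the anchor text showing one URL while the link goes elsewhere, the same name under a different extension, and the one-letter or look-alike-character domain) can all be caught by the same check the article asks the reader to do by eye: pull the real domain out of the link and compare it with the domain you expect. The script below is an added example written for this article; it is not code from the article or from Cyber Top Cops. It parses the links out of a constructed HTML e-mail body, reduces each host to its registrable domain, and reports why a link is suspect. The trusted-domain list, the tiny public-suffix stand-in, the confusable-character table and the sample message are all assumptions made for the example.

```python
"""Link audit for an HTML e-mail (added example, not the article's own code)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed: the domains this recipient actually banks with. A real filter
# would take this list from the institutions' own published records.
TRUSTED_DOMAINS = {"example.com", "westernunion.com", "sterlingonlinebanking.com"}

# Tiny stand-in for the Public Suffix List, so that 'example.co.uk' is read as
# the registrable domain instead of 'co.uk'.
MULTI_LABEL_SUFFIXES = {"co.uk"}

# Character pairs that many screen fonts render almost identically.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l")]


def registrable_domain(host):
    """The part of the host that was actually registered: it decides who owns
    the page, whatever sub-domains are stacked in front of it."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def name_part(domain):
    """'sterlingonlinebenking.com' -> 'sterlingonlinebenking' (drop the extension)."""
    return domain.split(".")[0]


def normalize_confusables(name):
    for lookalike, real in CONFUSABLES:
        name = name.replace(lookalike, real)
    return name


def edit_distance(a, b):
    """Levenshtein distance; 1 or 2 between two brand names is a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def anchor_host(text):
    """Host named in the anchor text, if the visible text itself looks like a URL."""
    text = text.strip()
    if not text or " " in text or "." not in text:
        return ""
    if "://" in text:
        return (urlsplit(text).hostname or "").lower()
    return text.split("/")[0].lower()


def classify_link(href, anchor_text=""):
    """Reasons a link deserves suspicion; an empty list means a trusted domain."""
    reasons = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no-host"]
    if parts.scheme != "https":
        reasons.append("not-https")
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return reasons
    shown = anchor_host(anchor_text)
    if shown and registrable_domain(shown) != domain:
        reasons.append("anchor-text-mismatch")
    before = len(reasons)
    for trusted in sorted(TRUSTED_DOMAINS):
        real = name_part(trusted)
        if name_part(domain) == real:
            reasons.append(f"same-name-other-extension:{trusted}")
        elif real in host.split("."):
            reasons.append(f"real-name-as-subdomain:{trusted}")
        elif edit_distance(normalize_confusables(name_part(domain)),
                           normalize_confusables(real)) <= 2:
            reasons.append(f"lookalike:{trusted}")
    if len(reasons) == before:
        reasons.append("untrusted-domain")
    return reasons


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_email(html):
    """(href, anchor text, reasons) for every link in the message body."""
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return [(href, text, classify_link(href, text)) for href, text in parser.links]


# Constructed message body built from the article's own examples.
SAMPLE_EMAIL = """
<p><a href="https://www.secure.example.com/login/loginpage.php">Log in</a></p>
<p><a href="https://www.secure.example.invalid.com/login/loginpage.php">https://www.secure.example.com/login/loginpage.php</a></p>
<p><a href="http://www.vvesternunion.biz/verify">Click here</a></p>
<p><a href="https://sterlingonlinebenking.com/login">sterlingonlinebanking.com</a></p>
<p><a href="https://www.example.co.uk/login">Example Bank</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in audit_email(SAMPLE_EMAIL):
        print(f"{'OK ' if not reasons else 'BAD'} {href}  [{text}]  {reasons}")
```

Only the first sample link comes back clean. The invalid.com link is flagged both because its anchor text names a different domain and because 'example' appears only as a sub-domain label; the VVesternunion link is flagged as a look-alike once the double V is folded to a W; the Sterling link is one edit away from the real name; and the .co.uk link is the same name under another extension. The confusable folding is applied to both sides of the comparison so that a real name containing 'rn' is not penalised against itself.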

Several different phishing scams are often sent to a single recipient. It is easy to ignore these e-mails, because the same e-mails are delivered over and over again, they share similar characteristics, and no one really cares about e-mails from companies of which they are not even a client. But the game of phishing becomes a dangerous one if you receive a phishing e-mail representing a company of which you happen to be a client. Your chances of becoming a victim increase when the phishing scammer uses some of the eye-deceiving gimmicks discussed in the previous paragraph. It is therefore extremely important that you double-check the URLs before clicking on them, especially if the e-mail appears to be from your bank or any other financial institution.

Most online banks request their clients to visit their home page and log into their account from there, and their e-mails never include links pointing directly to the secure online banking server. Instead of adding links to their e-mails, some organizations instruct their clients to type the domain name directly into a browser, without even mentioning the domain name in the e-mail. But this only works with clients of well-known companies like PayPal and eBay.

As a general rule of thumb, banks never send e-mails to their clients requesting them to verify their details, to take part in online surveys, or informing them about suspicious activity discovered or restrictions placed on their account. Banks will not send you an important notice via e-mail and run the risk of it never reaching your inbox, something that happens very often with all the spam filters installed on our machines these days. You can be sure that your bank will require a personal visit from you, at one of their branches (or even head office in severe cases), whenever you need to resolve serious matters like account restrictions, suspicious activity on your account or fraud. A simple e-mail, a quick login and a click of a button will not do the job in the real world. Computers are way too gullible for that.

About the Author
Coenraad is webmaster and founder of Cyber Top Cops, leaders in Internet security, prevention of online fraud and raising awareness about online scams and malicious software. The details discussed in this article are put into practice through simulations 2 and 3 of their Online Threat Simulations.