Michael Horowitz
 
Examples of Links That Lie

Executive Summary: Never trust a link in either an email message or a web page.

Note: If you view this web page while using McAfee Anti-Virus it will say the page is infected with a Trojan called URLSpoof. URLSpoof is a deceptive link in a web page or email message. It is not a Trojan. This page is full of deceptive links on purpose. They are only examples, none of them are live. This page is safe.
 

 
Phishing refers to fraudulent email messages designed to trick you into providing personal information. As part of the scam, the links in the email message do not take you where they appear to. Instead you are taken to a web site that looks real but exists on a computer controlled by the bad guys. 

If you have any reason to suspect that an email message is phony, always go directly to the sending company's web site on your own. That is, if you suspect a message that appears to be from Citibank (for example) is a scam, then verify it by typing "www.citibank.com" into your web browser. Never, ever click on the link in the email message. The rest of this page explains the ways that links are toyed with to fool you as to their real destination.  

There are four independent avenues of trickery:

  1. Using a domain name that appears to belong to the company being scammed
  2. Playing technical tricks with the link (URL)
  3. Exploiting known bugs in Internet Explorer and other software
  4. And perhaps the worst of all, DNS poisoning

All are explained below.

 

Domain Name Tricks

It can be hard to know if a domain really belongs to the organization it appears to. 

For example, the television network that airs 60 Minutes owns "cbs.com". But there is no guarantee that "cbsnews.com" belongs to them too (it does) or "cbs-news.com" (it does not) or "cbstoday.com" (it does not) or "cbsnewsupdate.com" (does not yet exist). Not everything is a "dot com", either. For example, "cbsnews.org" is not associated with the television network, even though "cbsnews.com" is.

Below are some real life scams that embed a real domain name inside a fraudulent one: 

There are many valid domain suffixes (like the ".info" above), and even large organizations that should know better fail to reserve all the possible suffixes, leaving an opening for scammers. For example, the web site of the Wall Street Journal is wsj.com. But do the "wsj" domains with other suffixes also belong to the newspaper (or, really, to Dow Jones, which owns the paper)?

  Domain     Legit?
  wsj.net    yes
  wsj.info   no
  wsj.org    no
  wsj.biz    no
  wsj.us     yes
  wsj.ws     not taken

Thus, if a scammer sends you to wsj.info, for example, any data you enter into that web site goes to a man named Roman Mochejski in Poland.  


 

Some of the examples above illustrate that dashes are part of a domain name, just like letters and numbers. 

In determining who really owns a domain name, the rightmost two parts of the name are all that matter, and the only thing that separates the parts is the periods. Thus a web site name such as "www.ebay.scammer.com" is really "scammer.com" and has nothing to do with eBay. 

Should you see "payments.citibank.com" (I made this up) that would be a real address belonging to Citibank. Likewise "news.cbs.com" (I made this up too) would belong to CBS. If you purchase something from Dell's web site, the purchase is done at a URL that starts with "ecomm.dell.com" which belongs to Dell (real example).

A phishing email once used "paypal.com.login-user2719.info" to fool people into thinking they were dealing with PayPal. The actual domain in this case is "login-user2719.info", which belonged to Andrew Fischba in Fraser, CO (andrewpfischba@yahoo.com). Holly Robb of Utah (zumzum@mailmoka.ro) thought this was a great idea and used "www.paypal.com.login-user108.info" in a phishing email message a couple of days later. I've also seen "paypal.signin04.com" used.

A longer example from an eBay phishing email is "verfyer-acunte-ebay-com.keymachine.de", which does not belong to an eBay verifying system but instead belongs to Keyweb AG in Germany.

Again, the critical parts of the names above are "scammer.com", "citibank.com", "cbs.com", "dell.com" and "login-user2719.info". Anything to the left of these is irrelevant in determining the organization that owns the name.


Another tactic used by the bad guys is to substitute the letter "L", the letter "I" or the number one to fool you about the true name of a domain. For example, instead of citibank.com (spelled correctly), they might use cltlbank.com (lower case "L") or c1t1bank.com (number one) or ClTlBANK.COM (lower case "L", very well hidden). Likewise, PayPal might end with the number one (paypa1.com) or an upper case "i" (paypaI.com).


And two Vs look a lot like a W. See "More fake 'double-V' domains popping up..." from Sunbelt Software.


Yet another trick is to use a domain that looks real and make a web site that looks real, but that is nonetheless fake. Take, for example, someone interested in transportation in the state of New Jersey. The real web site is www.njtransit.com. However, there is a web site called newjerseytransit.com that appears, at first glance, to be real, but it is not. Likewise the web site deltaair.com looks like it might be Delta Airlines, but it is not. Delta's domain is delta.com now; in the early days of the Internet it was delta-air.com.

And, of course, if you type a URL manually rather than using a Favorite/Bookmark, you can make a spelling mistake. People reserve common misspellings of popular web sites. See:

 

URL Tricks

 
  1. Any link to an IP address rather than a name is suspect. For example, don't trust a link such as http://218.36.71.193 as opposed to http://www.citibank.com. Below are some real-life examples from phishing emails:

      http://213.136.120.240/.paypal/login.html 
      http://217.68.23.17/~securedphpscript.net/securedssl/ . . .
      http://211.174.185.29/pages/paypal/login.html
      http://193.201.52.175/user_id_verification~login.php/paypal/login.htm
      http://218.8.251.199/www.chase.com/software-upgrade/cmserver-users-default-confirm/index.htm
     
  2. In the examples above, all the numbers are decimal. A variation on that theme specifies the numbers in octal (base 8). When Internet-connected computers use octal as opposed to decimal numbers, they signal this fact by starting the number with a zero. Thus
      http://0105.0131.031.0307     in octal is really
      http://69.89.25.199     in decimal.
     
  3. The text displayed for the link does not have to be the real destination. For example, this link www.microsoft.com really takes you to my home page. There is no rule that the displayed text has to be the real destination. Sometimes, hovering the mouse over a link in both an email program and a web browser will display the destination of the link in the status bar at the bottom of the screen.
     
  4. I said "sometimes" above because you should never trust what is displayed in the status bar. Both web pages and email messages can use JavaScript and Dynamic HTML to make the status bar show anything they want. For example, this link www.microsoft.com that seems to be to Microsoft really takes you to my home page, but when you hover the mouse over it, the Internet Explorer status bar will incorrectly show the link destination to be Microsoft. 
    Note: This trick does not work in Firefox, where the status bar displays nothing when the mouse hovers over the link (tested with versions 1.0 through 1.5.0.5). 

    Here is a real example of this from a phishing email message: 
        <a href="http://www.uas-va.org/.suntrust/" 
        onMouseOver="window.status='https://internetbanking.suntrust.com';return true;" 
        onMouseOut="window.status=' '; return true;">https://internetbanking.suntrust.com</a>
     
    This link actually takes you to www.uas-va.org but appears to take you to internetbanking.suntrust.com. I can't be sure, but it appears that uas-va.org was also a victim in this case, their web site having been hacked and used in this phishing scheme without their knowledge.
     
  5. Normally we look at the domain name just after the "http://" to see where a link goes. There are two cases, however, where the actual destination of a link does not come immediately after the two slashes. One case involves signing on to secure web sites and providing a userid and password in the link so that they don't have to be entered manually. The other involves re-direction (see point 6 below). 

    As shown in the two URLs below, the userid and password for a secure web site or page can come immediately after the two slashes. First is the userid, then a colon, then the password, then an "at" sign, and finally the real web site address. 

    In the link below, "microsoft.com" is the userid, "windows" is the password and it really takes you to the web site at IP address 119.77.66.88 (the trick from point 1 above). No doubt many people would look at this and think they were going to Microsoft's web site. 
     
       http://microsoft.com:windows@119.77.66.88/fileabc.html

     The link below omits the password. It looks like a link to Citibank, but really takes you to www.scammerwebsite.com

     http://www.citibank.com@www.scammerwebsite.com

    What do the bad guys do with the userid and password that are embedded in links like this? Very likely they ignore them. If the web page or web site is not secure, then passwords are irrelevant. They exist just to fool you.

    A real life example: http://billing%2Eearthlink%2Enet%01%00@artcraft.or.kr/board_old/icon/Type08/

  6. The other instance where the real web site address is not after the two slashes involves re-direct services. Yahoo, Google, Citibank and, no doubt, other legitimate web sites have re-direction services that were originally intended for their own private use. I won't go into why they built these services or how they work. The crucial point, in terms of lying about the destination of a link, is that when using these re-direction services, the real web page address is at the end of the link, not at the beginning. Below is an example: 

      http://rd.yahoo.com/b5y7ix88/*http://www.scammerwebsite.com/

    Yahoo's re-direct service seems to be invoked when using "rd.yahoo.com" as opposed to "www.yahoo.com" (I have no first-hand knowledge of how it works). The real end point is after the asterisk. Basically, the bad guys are piggybacking on Yahoo's good name - the link appears to go to Yahoo, a trusted web site, but really goes somewhere else. Later examples below show links that appear to go to Google and Citibank but really do not.

    Update. November 13, 2006. eBay also has a re-director feature that is used by scammers. It was written up in The Register: see "eBay provides backdoor for phishers: Scripting backdoor helps craft more convincing cons" by John Leyden, February 28, 2005. Amazingly, 1.5 years after this problem was reported to eBay, they have done nothing about it. See "eBay redirection ruse reloaded: 18 month-old security flaw still remains unfixed" by John Leyden in The Register, November 13, 2006. Here is an example from this article: 

    http://cgi1.ebay.com/aw-cgi/ebayISAPI.dll?
    RedirectEnter&partner=25047&loc=%68%74%74%70:%2f%2f%77%77%77.%67%6f%6f%67%6c%65.%63om%2f

    The above is one long URL, broken into two lines for readability. The URL takes you to Google, but it can be easily modified to send you to any web page. 
     
  7. The example below is from an actual phishing message (it is broken up into multiple lines for ease of viewing). It uses the Yahoo re-direct service (apparently a European edition), and the link is purposely so long that the end of it can't be displayed in the status bar. From my testing, it seems that the data between "rd.yahoo.com" or "eur.rd.yahoo.com" and the true destination can be anything at all. The service seems to key off just the asterisk; all the rest is fluff. This link really goes to "phamrnes.com".

      http://eur.rd.yahoo.com/puc\implore\steed\referendum\gossamer\cepheus\compatible\
      missy\oathe\import\teahouse\parkish\stupefaction\continual\sectoral\tore\daugherty\
      oscar\otis\vigilante\amplify\hitchcock\apportion\bowie\downs\dam\polopony\chestnut\
      question\can't\stumpy\abalone\regional\defensible\cheeky\indefensible\placebo\
      clothesmen\bookstore\colorimeter\distortion\casebook\suffrage\cardiac\dish\
      minicomputer\bourgeois\ellwood\colby\montgomery\suppress\atlanta\refract\
      adventurous\colleague\clot\inattention\pierre\hyperbolic\orographic\
      *hTtP:\\2W04v375z81i.phamrnes.com/gp/iNdeX.ASP?id=BW
     
  8. Still another tactic that makes a link appear to go to Yahoo is shown here:

       http://yahoo.com-yahoo.com.ph/click.php?id=lxenyee

    This URL really takes you to a web site in the Philippines called "com". That is, the real link is to com.ph, where the ph represents the country. Everything to the left of "com.ph" is there to trick you into thinking you will be going to Yahoo and therefore trusting the link and clicking on it. 
     

  9. Another way to hide a web site address is to code it using the numeric codes for ASCII characters (don't ask). For example:

    http://%32%31%31%2E%32%38%2E%31%35%35%2E%32%31%30
        which translates to http://211.28.155.210
        and
    http://%32%34%2e%37%36%2e%38%39%2e%36%34:38/%63%69%74/%69%6E%64%65%78%2E%68%74%6D
        which translates to http://24.76.89.64:38/cit/index.htm

    These are real life examples. Avoid any web site that hides its true location this way.

    Karen Kenworthy has written a free program that converts this sort of thing back into English. See Karen's URL Discombobulator. In the October 9, 2003 edition of her newsletter, she created the example below, which combines the ASCII characters trick with the userid/password trick discussed above in item 5.

    http://www.microsoft.com%40%49%77%61%6E%74%54%6F%53%74%65%61%6C%59%6F%75%72%4D%6F%6E%65%79%2E%63%6F%6D

    To the uninitiated, this looks like a link to microsoft.com, but it really goes to the fictional web site IwantToStealYourMoney.com
     
  10. This following URL also combines two tricks to hide its true destination. It is another re-direct using a service from Citibank. 

      http://www.citibankonline.com/domain/redirect/
      cbna/global_nav/myciti.htm?BVP=/&M=S&US&_u=visitor&
      BVE=HT%54p%3a%2f%2fkdsass40e.com*20022%2E%64a%2eR%75

    In the actual phishing email, this was one long URL; it is displayed on multiple lines here for readability. The domain citibankonline.com really is Citibank. However, as with the Yahoo redirect service, this URL starts out at Citibank but does not end there. Again, the real address is at the end.

    Not content with one level of indirection, these bad guys also disguised the address by specifying some of the characters (not all) using their numeric ASCII equivalent. In the URL above, what comes after BVE on the last line is really:

        http://kdsass40e.com*20022.da.ru 

    This is really taking you to the web site da.ru in Russia.
     

  11. A phishing scam web site may try to hide itself by using a non-standard port. Any computer that provides a web site is supposed to listen to requests such as "show me web page named abc.html" on port number 80. On a server computer this works all the time. However, home computers running a web server program may find that the ISP blocks all access to port 80. ISPs do this to prevent their personal customers from running a business web site out of their house. To get around the ISP blocking, a phishing web site might be set up to listen to requests on a port number other than 80; common alternatives are 81 and 8080. This real life URL is an example of this:

    http://70.179.190.108:8080/login.personal.wamu.com/

    The computer is at IP address 70.179.190.108, another way of hiding that was already discussed. The colon means that a port number follows. The 8080 is the port number that the web server program is listening on. 
     

  12. The last example involves a Google re-direction feature.  

      http://www.google.com/url?q=http://www.google.com/url?q=http://%6a%66%6b315%67%66%67%252e
      %44%61%252e%72%75%252f?%744%72%6e%592%59%67%54%54%4f%4f%617%502%4e3%48%77

    At first glance it appears to go to Google. However, the real destination of the link is the stuff at the end that looks like garbage. It is not garbage. Karen's URL Discombobulator translates the ASCII coding at the end to: 

     http://jfk315gfg.Da.ru/?t4rnY2YgTTOOa7P2N3Hw

    The same web site as in example 10 above. 

    Here is another real-life example that exploits the same Google re-direction feature but is much more complicated:

    http://www.google.com/url?q=http://www.google.com/url?q=http://www.google.com/url?q=%%%3348%%374%%3
    54P://obusek93vf%%32E%%%3364a.%%372u%%32f%%3%33F1ct0r651dy75r0o1sgRWR13Eqpq5fs


    This one was so convoluted, it fooled an old version of the URL Discombobulator program. However, in March 2004 Karen Kenworthy released a new version (1.8.2) of her URL Discombobulator that can deal with this particular hiding scheme. In the March 3, 2005 edition of her newsletter, Karen discusses this in detail. It's a doozy. 
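    Every disguise in items 1 through 12 can be undone mechanically. The Python below is an added example, not the author's code and not Karen Kenworthy's URL Discombobulator: it normalizes a link the way a browser of that era would (octal octets, repeated percent-decoding, a decoy userid before "@", the real target at the end of a redirector) and reports which tricks it found. Treating the last "http://" in the decoded string as the landing page is a heuristic built from the examples above, not a documented rule of the redirect services.

```python
"""Undo the link disguises described above: octal or percent-encoded IP hosts,
a decoy 'userid:password@' before the real host, double percent-encoding, odd
ports, and redirectors that carry the real destination at the end of the URL."""
import re
from typing import Dict, List
from urllib.parse import unquote

# 'http://' or the 'hTtP:\\' spelling seen in the long Yahoo example above.
SCHEME_RE = re.compile(r"https?:(?://|\\\\)", re.IGNORECASE)

def fully_unquote(text: str) -> str:
    """Percent-decode until stable, so %252e becomes %2e and then '.'."""
    decoded = unquote(text)
    return text if decoded == text else fully_unquote(decoded)

def decode_ip_host(host: str) -> str:
    """Dotted numeric host: a leading zero marks an octal octet, so
    0105.0131.031.0307 becomes 69.89.25.199. Names pass through unchanged."""
    parts = host.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return host
    try:
        octets = [int(p, 8) if len(p) > 1 and p[0] == "0" else int(p) for p in parts]
    except ValueError:  # e.g. '09' is neither valid octal nor a plain octet
        return host
    return host if max(octets) > 255 else ".".join(str(o) for o in octets)

def innermost_url(url: str) -> str:
    """Redirectors (rd.yahoo.com's '*http://', Google's '/url?q=http://') put
    the real target last: the final scheme in the decoded string is the landing page."""
    text = fully_unquote(url)
    matches = list(SCHEME_RE.finditer(text))
    return text[matches[-1].start():] if matches else text

def true_destination(url: str) -> Dict[str, object]:
    """Where the link really goes, plus the disguises it used to hide that."""
    tricks: List[str] = []
    if unquote(url) != url:
        tricks.append("percent-encoding")
    target = innermost_url(url)
    if target != fully_unquote(url):
        tricks.append("redirect")
    m = SCHEME_RE.match(target)
    rest = target[m.end():] if m else target
    cut = re.search(r"[/?#]", rest)
    authority, path = (rest[:cut.start()], rest[cut.start():]) if cut else (rest, "/")
    userinfo, _, hostport = authority.rpartition("@")  # decoy 'microsoft.com:windows@'
    if userinfo:
        tricks.append("userinfo")
    raw_host, _, port = hostport.partition(":")
    host = decode_ip_host(raw_host).lower()
    if host != raw_host.lower():
        tricks.append("octal-ip")
    if re.fullmatch(r"\d+(\.\d+){3}", host):
        tricks.append("ip-address")
    if port and port != "80":
        tricks.append("non-standard-port")
    # "owner" applies the page's rule of thumb: the rightmost two labels name
    # the owner (it yields 'com.ph' for yahoo.com-yahoo.com.ph, as the page says).
    return {"host": host, "port": int(port) if port.isdigit() else 80, "path": path,
            "userinfo": userinfo, "owner": ".".join(host.split(".")[-2:]),
            "tricks": tricks}
```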

 

Browser Bugs

Another reason that clicking on a link in an email message may not take you to the expected web site is a bug in your web browser. Often an email program will invoke a web browser under the covers to display an HTML formatted email message, thus making it susceptible to bugs in the browser. For example, Outlook and Outlook Express depend on, and use, Internet Explorer. Other bugs result in the Address bar of a web browser displaying the wrong address for the web page you are viewing.

Some of the bugs in web browsers are:

 

DNS Poisoning

 

Normally, of course, if you enter www.cbs.com into your web browser, you expect to end up at the web site of the TV network behind 60 Minutes. With DNS poisoning however, you enter one web site address but end up instead at the web site of the bad guys.

All communication between computers on the Internet is done using a unique number assigned to every computer. The system that translates names such as cbs.com into these numbers (called IP addresses) is called DNS (Domain Name System). 

One type of DNS poisoning involves modifying a file on your computer. In the old days, the translation of names (such as www.cbs.com) into numbers (such as 170.20.0.25) was done by a file on your computer called the hosts file. This file still exists and Windows still uses it (a mistake by Microsoft, in my opinion). Normally the file is empty, but malicious software can update it. If your hosts file was updated, there are times when you will not go to the web site you expect to. One way to fight this is to look at the hosts file every now and then. Another way is to modify the Windows registry to tell it to convert using the DNS system before trying to convert using the hosts file.
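As a check on the hosts-file variant described in this paragraph, the following Python (an added example, not the author's; the hosts-file content is constructed and 192.0.2.45 comes from a documentation address range) parses a hosts file and lists every name that has been pointed somewhere other than the local machine.

```python
"""Audit a hosts file for the local DNS poisoning described above: names that a
normal, nearly empty hosts file never carries, pointed at an address the attacker
controls. SAMPLE_HOSTS is constructed; 192.0.2.0/24 is a documentation range."""
import ipaddress
from typing import List, Tuple

# Constructed file content. On Windows the real file is
# %SystemRoot%\System32\drivers\etc\hosts; on Unix it is /etc/hosts.
SAMPLE_HOSTS = """\
# comment lines and blank lines are ignored by the resolver

127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net              # ad-blocking entry: harmless
192.0.2.45      www.citibank.com citibank.com  # poisoned: bank names -> attacker's box
192.0.2.45      www.paypal.com   # one address can carry several names
"""

def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """(line number, hostname, address) for every mapping; one line may list
    several names, '#' starts a comment, and malformed lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.extend((lineno, name.lower(), fields[0]) for name in fields[1:])
    return entries

def poisoned_entries(text: str) -> List[Tuple[int, str, str]]:
    """Every name mapped to something other than a loopback or null address.
    Intranet shortcuts show up here too; a home PC normally has none of either."""
    hits = []
    for lineno, name, addr in parse_hosts(text):
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback or ip.is_unspecified:
            continue  # 127.0.0.1 / ::1 / 0.0.0.0 block a name or keep it local; no redirect
        hits.append((lineno, name, addr))
    return hits

if __name__ == "__main__":
    for lineno, name, addr in poisoned_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr}")
```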

Another type of DNS poisoning involves modifying a computer used by either your Internet Service Provider (at home) or your company (at work). The computers in question are DNS servers, machines dedicated to doing nothing but translating names (www.cbs.com) into numbers (170.20.0.25). I don't know that you can defend yourself from this, as it involves no changes to your computer at all. This type of DNS poisoning can be done either by going after the DNS server software and trying to exploit a bug or with social engineering. 

Another related problem is domain stealing. Ownership of a domain is registered with a Registrar. Hundreds of companies function as Registrars for domain names on the Internet. Among them are register.com, godaddy.com and directnic.com. If a bad guy can transfer ownership of a domain from the rightful registrar to another one, then they can point the domain to any web site they please. In this case, the DNS system works as designed, the attack is to the input to the DNS system rather than the system itself. 

This is exactly what happened in January 2005 to New York City based ISP, Panix. Ownership of the panix.com domain was switched to a registrar in Australia by someone who apparently did not follow the normal rules for this sort of thing. Then the panix.com domain was pointed to a phony web site.

DNS poisoning has also been called "pharming" (as in the next generation of phishing) and domain spoofing. For more see:


 

michael at michaelhorowitz.com  Created: September 2004  Last Updated: December 23, 2010  Previous Update: March 29, 2008
www.michaelhorowitz.com/linksthatlie.html
Copyright 2001-2013