Wednesday, March 23, 2005

URL spoofing - part I

So a link shows up in your email, which looks like this:

http://www.some_banks_homepage.com%01%00@fake_site.com/scammer.html

Where do you think you will go if you click on the above link? Although I've made it obvious in the above URL, a lot of people would still say that it would go to "www.some_banks_homepage.com". If you said "fake_site.com", congratulate yourself: you have just passed the first lesson in recognizing the target destination by looking at a URL.

Normally when phishers and scamsters send out mass emails, they include such links in their emails. The URLs are so long that only the first few characters of the URL appear in your email client (or browser). The "fake_site.com" part of the URL is well outside the visible area of your email client or browser, making it difficult for the average Joe to figure out where he is actually going to go after clicking on the link.

When I tried the above example in the Firefox browser, it alerted me that someone might be tricking me into going to "fake_site.com". Microsoft's IE browser gave me an invalid syntax error and didn't open the site. So the browsers have evolved to an extent that makes this kind of spoofing difficult.

For those of you who are interested in knowing why the browser would take you (if at all) to the "fake_site.com" address:
If a site uses authentication (a challenge authentication protocol, HTTP response status code 401), then you can pass along the username and password beforehand through the URL itself, e.g. http://username:password@some_site.com/. Everything between the "//" and the "@" is treated as those credentials, and the browser takes the real host from whatever follows the "@". Taking advantage of this feature, the above malicious URL uses the name of the trusted site "some_banks_homepage.com" as the username in the URL, so the actual destination is "fake_site.com".
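Here is an added example (not part of the original post) that splits a link the way a browser does and flags the tell-tale signs of this trick: credentials in the URL, a "username" that looks like a hostname, and control characters hiding the real host. The sample links are constructed; the names are not real sites.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample links: the spoofed link from the post, an honest
# link to the bank, and a legitimate credentials-in-URL link.
SAMPLE_LINKS = [
    "http://www.some_banks_homepage.com%01%00@fake_site.com/scammer.html",
    "http://www.some_banks_homepage.com/login",
    "http://user:secret@some_site.com/",
]


def real_destination(url):
    """Return (host, userinfo) as a browser interprets the authority part.

    Everything between '//' and the last '@' is userinfo
    (username[:password]); the host is what follows the '@'.
    """
    parts = urlsplit(url)
    userinfo = ""
    if "@" in parts.netloc:
        userinfo = parts.netloc.rsplit("@", 1)[0]
    return parts.hostname, userinfo


def spoof_indicators(url):
    """Heuristics a mail filter or a careful reader can apply to a link.

    Returns (real_host, list_of_reasons); an empty list means nothing odd.
    """
    host, userinfo = real_destination(url)
    reasons = []
    if userinfo:
        reasons.append("credentials embedded in URL")
        username = unquote(userinfo.split(":", 1)[0])
        printable = "".join(c for c in username if ord(c) >= 0x20)
        if "." in printable:
            reasons.append("username looks like a hostname: " + printable)
        if any(ord(c) < 0x20 for c in username):
            reasons.append("control characters hide the real host")
    return host, reasons


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        host, reasons = spoof_indicators(link)
        print(link)
        print("  really goes to:", host)
        for reason in reasons:
            print("  warning:", reason)
```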
Next time, I'll discuss some other kinds of URL spoofing. Adios.


Copyright Anand Jain 2004, 2005. All rights reserved.