mersenneforum.org  

2020-03-20, 22:48   #12
retina

Quote:
Originally Posted by ewmayer
I happen to be quite practiced at not clicking *any* link until having first checked where it goes via the hover technique. It seems this is especially difficult on smartphones, however, since there one uses the same fingertip to navigate and then press-just-a-little-harder-to-open-link - one more reason I only use 'em for offline GIMPS crunching. :)
But those remote images will tattle on you opening the message, and get you put on ever more spam lists.

And that embedded JS doing its dirty deeds in the background ... yuck.

2020-03-21, 02:02   #13
ewmayer

Quote:
Originally Posted by retina
But those remote images will tattle on you opening the message, and get you put on ever more spam lists.

And that embedded JS doing its dirty deeds in the background ... yuck.
I have *image* rendering disabled by default in my mail setup, but I suppose an embedded-JS *widget* could work similarly.

Anyhoo, my e-mail provider's and own spam filters catch the vast majority of these upstream - one reaches my Inbox perhaps once per week on average. Here are the ones I've had to explicitly mark "junk" so far this year:
[Attached image: 2020_junk.png]
2020-03-21, 03:36   #14
kladner

I get several a day. Lots of "Make her swoon with enhanced manliness," hair restoration, secret youth formulas, secret arthritis cures, alleged dating services with really short URLs, and so on.


I guess my online profile is as a Grade A, #1 sucker.
2020-03-21, 06:40   #15
retina

Quote:
Originally Posted by retina
There are a few ways that addresses can be made to look like something else with the @ prefix. Lame example, but I hope you can see the technique:

http://legit.looking.domain.com@hackers.evil.domain.cc/virus.cgi
I can make that URL cloaking example better:

http://legit.looking.domain.com/fluffy_bunnies.html_random_characters_blahblahblahFKJAIJIFJwejiEDJjkefjEJIEFjO@hackers.evil.domain.cc/virus.cgi

And when you use your mouse-over trick the software chops it short "for your convenience" to show this:

http://legit.looking.domain.com/fluffy_bunnies.html_random_characters_blahblahbla...

And you never see the @ in there or the real URL that is hidden behind the @.

2020-03-21, 12:07   #16
EdH

Quote:
Originally Posted by retina
I can make that URL cloaking example better:

http://legit.looking.domain.com/fluffy_bunnies.html_random_characters_blahblahblahFKJAIJIFJwejiEDJjkefjEJIEFjO@hackers.evil.domain.cc/virus.cgi

And when you use your mouse-over trick the software chops it short "for your convenience" to show this:

http://legit.looking.domain.com/fluffy_bunnies.html_random_characters_blahblahbla...

And you never see the @ in there or the real URL that is hidden behind the @.
If you do a copy URL/paste into a text editor, shouldn't the @ show up there?
2020-03-21, 12:30   #17
Dr Sardonicus

Quote:
Originally Posted by EdH
If you do a copy URL/paste into a text editor, shouldn't the @ show up there?
It should. I did this with one of the few suspicious messages I ever downloaded, and the link was not what it said it was. I forwarded the message to the outfit being impersonated, and then trashed it.

If you can set your Email program to show you just the From: and Subject: fields before you decide what to do (skip, download, delete) you can sometimes prevent bad Emails from even reaching your machine. If the From: and Subject: say your account is suspended, I would go ahead and delete, then call or go to the account in question online through normal channels just to check.

Some Email programs don't have a blanket setting that lets you do this, but do have a setting that gives you these options if the Email is bigger than a certain size. Make that size as small as possible (hopefully 1K), and you have a fairly effective screen.
2020-03-21, 19:34   #18
ewmayer

Quote:
Originally Posted by retina
I can make that URL cloaking example better:

http://legit.looking.domain.com/fluffy_bunnies.html_random_characters_blahblahblahFKJAIJIFJwejiEDJjkefjEJIEFjO@hackers.evil.domain.cc/virus.cgi

And when you use your mouse-over trick the software chops it short "for your convenience" to show this:

http://legit.looking.domain.com/fluffy_bunnies.html_random_characters_blahblahbla...

And you never see the @ in there or the real URL that is hidden behind the @.
Good point - but you still see *something* going on beyond what should be the terminating .html. Forgot to mention yesterday - I also use the final line of defense: if I think a link *might* be legit, I never click it directly in the e-mail but rather copy the URL into my browser's address field. But I expect a very small % of people are this cautious.

Quote:
Originally Posted by Dr Sardonicus
If you can set your Email program to show you just the From: and Subject: fields before you decide what to do (skip, download, delete) you can sometimes prevent bad Emails from even reaching your machine. If the From: and Subject: say your account is suspended, I would go ahead and delete, then call or go to the account in question online through normal channels just to check.
Yes, can't emphasize that enough - anytime you get a "your account has been ____" e-mail, it's always preferable to go directly to the account in question.

Oh, p.s. to retina's "your hovertext 'helpfully' shortens URLs like so" note above - so I just tried this with a legitimate e-mail of the kind the phishers like to mimic, this one an Order Update for my Comcast Xfinity cable service. That has a clickable link with a suspiciously long URL in it, the parsing of which however points to it as being legit - attachment below. I don't see any 'helpful' shortening of the URL in the hovertext, do you?
[Attached image: xfinity_email.png]
2020-03-21, 20:17   #19
xilman

Quote:
Originally Posted by ewmayer
But I expect a very small % of people are this cautious.
You may very well expect that, but I couldn't possibly comment.
2020-03-21, 21:02   #20
retina

Quote:
Originally Posted by ewmayer
Oh, p.s. to retina's "your hovertext 'helpfully' shortens URLs like so" note above - so I just tried this with a legitimate e-mail of the kind the phishers like to mimic, this one an Order Update for my Comcast Xfinity cable service. That has a clickable link with a suspiciously long URL in it, the parsing of which however points to it as being legit - attachment below. I don't see any 'helpful' shortening of the URL in the hovertext, do you?
Your email client isn't so bad in this case.

But your screenshot shows another technique. Using a legitimate address to redirect to a hacker address. The "ClickedUrl" page is just a redirect page with the target shown later. So this can be used to make the base URL a genuine legit one, and then direct to any other target.

There is also at least another way. Using the Unicode extension for URLs to get to what looks like a legit site, but is really a clone site using Cyrillic characters with similar glyphs instead. So it could be google.com but the 'e' is a Cyrillic 'e', and it is actually a different address. Maybe google registered those spoof addresses, I don't know, but many companies haven't done that.
2020-03-22, 02:56   #21
EdH

My hovers are definitely cut off with my system, hence my copy/paste examination, which I didn't pay attention to this time...
2020-03-22, 06:06   #22
retina

I tried this example. Try emailing it to yourself and see what behaviour you get.

https://account_google_com%canonical...unt.google.com

It seems that / and . can't be used for the username or password fields so it needs to be a bit more creative. But I think the above could easily fool many people.

Palemoon will check the destination server to see if it will accept the authentication and I get a warning that the URL might be trying to trick me. But I only used example.com, it would be easy for someone to set up a server that accepts the auth and the browser shows no warning.

You could also combine all of the techniques mentioned above to make a URL using redirection via a legit site, with an obscuring authentication prefix, and a spoofed target domain, with a faked "from" field to make it really hard to know where it is really going. That is why the standard advice is to NEVER CLICK ON LINKS IN AN EMAIL.
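A defender-side link inspector, added here as an example and not code from anyone in the thread, that pulls apart the three tricks retina describes in #15, #20 and #22 (userinfo before the '@', a redirect parameter on a genuine domain, and Cyrillic look-alike characters in the host) using Python's standard urllib.parse. All hostnames and sample links are constructed placeholders; the second sample also shows that a '/' before the '@' ends the authority, so a standards-conforming parser reports the first host for that form.

```python
import unicodedata
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample links modelled on the tricks discussed in the thread;
# all hostnames are placeholders, not real sites.
SAMPLE_LINKS = [
    # '@' inside the authority: everything before it is userinfo, the host follows it
    "http://legit.looking.domain.com@hackers.evil.domain.cc/virus.cgi",
    # a '/' before the '@' ends the authority, so here the '@' is just path text
    "http://legit.looking.domain.com/fluffy_bunnies.html_blah@hackers.evil.domain.cc/virus.cgi",
    # redirect page on a genuine domain whose query parameter names the real target
    "https://tracking.isp.example/ClickedUrl?target=https%3A%2F%2Fphish.example%2Flogin",
    # homograph: the 'e' is CYRILLIC SMALL LETTER IE (U+0435), not Latin 'e'
    "https://googl\u0435.com/",
    # plain legitimate-looking link for comparison
    "https://www.example.test/orders/12345",
]


def inspect_link(url):
    """Return the host a browser would connect to plus a list of warning strings."""
    parts = urlsplit(url)
    host = parts.hostname or ""        # already lower-cased, userinfo and port stripped
    warnings = []

    # 1. Userinfo trick: a username (and/or password) before '@' pushes the real host
    #    to the right, past where a truncated hover text stops.
    if parts.username is not None or parts.password is not None:
        warnings.append("userinfo %r precedes real host %s" % (parts.username, host))

    # 2. Redirect trick: a query value that is itself an absolute URL.
    for key, values in parse_qs(parts.query).items():
        for value in values:
            inner = unquote(value)
            if inner.startswith(("http://", "https://")):
                warnings.append("parameter %r redirects to %s" % (key, urlsplit(inner).hostname))

    # 3. Homograph trick: non-ASCII characters in the host, or a punycode label
    #    (xn--) that a client may render back into look-alike glyphs.
    non_ascii = [c for c in host if ord(c) > 127]
    if non_ascii:
        names = ", ".join(unicodedata.name(c, "U+%04X" % ord(c)) for c in non_ascii)
        warnings.append("non-ASCII character(s) in host: " + names)
    elif any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label in host: " + host)

    return {"host": host, "warnings": warnings}
```

Running inspect_link over SAMPLE_LINKS flags the first, third and fourth links and reports the host that would actually be contacted; the second link is reported as going to legit.looking.domain.com because the '@' sits in the path.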