Uniform Resource Locator – Part Deux

Now that we know the basic format that all Uniform Resource Locators (URLs) use, let’s look into the ways in which you can be fooled into going somewhere that you never intended. If you did not read Part 1, you can check it out HERE. Crooks use techniques such as URL Spoofing, MitM (Man in the Middle) Attacks, and Browser Hijacking in order to steal your valuable personal information. The URL can, in most instances, let you know exactly where you are going when you do a search; however, it is not always as intuitive as you would think. Criminals are very good at tricking you into entering sites that you never intended.

We all now know, from my last post, the basic format for URLs.

http://www.domain.com/folder/sub-folder/page_name/

Before we get started, I would like to take the opportunity to state that the e-commerce sites used in the following examples are not being attacked in the portrayed manner. These types of attacks are not occurring on their sites and are only being used for the purpose of showing an example. Amazon.com and Paypal.com are perfectly safe venues for using e-commerce.

Here is why this information is important. Crooks will attempt to trick you into clicking through to a malicious site by manipulating the URL. In this example, I am going to use Amazon.com, but they are only being used to prove a point; this is not an actual event. Let’s say you do a search for Amazon.com. The true URL for their home page is http://www.amazon.com. The search result you get back is for Amazon, and may even have the Amazon logo next to it. But, by looking at the URL, you notice that it is actually taking you to “http://www.amazon.badguy.com/GetVirusHere/”. As you now know, even though it says Amazon in the URL, you are not going to Amazon.com, but are actually going to the domain “badguy.com”. Amazon is a high profile search term and is easy to identify, as it is always the top return in a search query; however, when you do a search in which the results may not be as intuitive, it is important to look at the URL to ensure you are going where you want. Other tricks that may be used:

“http://www.badguy.com/amazon.com/”: In this case, even though the last .com is from Amazon, it is after the first slash (/), which tells you that it is a folder on the badguy.com domain. (Remember the file cabinet.)

“http://www.badguy.amzon.com/getvirushere/”: Simple spelling errors (here “amzon” instead of “amazon”) are another way that the bad guys will attempt to lure you to malicious sites.
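The three tricks above can be told apart in code by parsing the URL instead of reading it by eye. This is an added example, not part of the original post; the function names and result labels are made up for illustration, and treating the last two host labels as the registered domain is a simplification that a real check would replace with the Public Suffix List.

```javascript
// Added example: classify a link against the site the user expects to reach.
// Assumption: the last two host labels are the registered domain. That holds
// for the .com names in this post, not for suffixes such as .co.uk.
function registeredDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Levenshtein edit distance, used to spot near-miss spellings of a domain.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

function classifyLink(link, expectedDomain) {
  const url = new URL(link); // throws on malformed input
  const domain = registeredDomain(url.hostname);
  if (domain === expectedDomain) return "ok";
  if (editDistance(domain, expectedDomain) <= 2) return "lookalike-domain";
  const brand = expectedDomain.split(".")[0];
  if (url.hostname.split(".").includes(brand)) return "brand-in-subdomain";
  if (url.pathname.toLowerCase().includes(expectedDomain)) return "brand-in-path";
  return "different-site";
}

// The URLs from this post, plus the genuine one for comparison.
const SAMPLES = [
  "http://www.amazon.com/",
  "http://www.amazon.badguy.com/GetVirusHere/",
  "http://www.badguy.com/amazon.com/",
  "http://www.badguy.amzon.com/getvirushere/",
];
for (const link of SAMPLES) {
  console.log(classifyLink(link, "amazon.com").padEnd(20), link);
}
```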

OK, these are the easier-to-recognize tricks that hackers will use to fool you. The next trick uses a more sophisticated method of luring you. Let’s say that you receive an email stating that you have a gift certificate for Amazon.com. Naturally, it looks official so you click on it, and within the very official looking Amazon email, you see a link that looks like this: “http://www.amazon.com/GetGiftCertificateHere/”. Well, this looks good, right? Yes, it does look legitimate; however, click on the link and see what happens (don’t worry, nothing bad will occur). Just because the text in a link looks correct, it does not mean that the link is taking you where you think. You may be asking, so how can I be sure? The easiest method of making sure you are going where you want is to hover over the link (do not click it), then right click the link and select properties. Your browser will then show you where that link is pointing.

So the browser will tell you that you are not going to “http://www.amazon.com/GetGiftCertificateHere/” but are actually going to another The Edible Earth page. Crooks will obviously not be so kind and will take you to malicious sites.
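The same comparison between what a link shows and where it points can be automated over a whole message. This is an added example, not part of the original post; the function names, the sample email and the host link-tracker.example are constructed for illustration, and the regular expression is a simplification that a mail filter would replace with a real HTML parser.

```javascript
// Added example: find links whose visible text names one host while the
// href points at another.
function hostOf(text) {
  try {
    return new URL(text.trim()).hostname;
  } catch {
    return null; // not an absolute URL (for example "Click here")
  }
}

function findMismatchedLinks(html) {
  const anchor = /<a\b[^>]*\bhref\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  const findings = [];
  for (const [, href, inner] of html.matchAll(anchor)) {
    const shown = inner.replace(/<[^>]+>/g, "").trim(); // drop nested tags
    const shownHost = hostOf(shown);
    const realHost = hostOf(href);
    // Only flag links whose text is itself a URL on a different host.
    if (shownHost && realHost && shownHost !== realHost) {
      findings.push({ shown, shownHost, realHost });
    }
  }
  return findings;
}

// Constructed sample message; link-tracker.example is a placeholder host.
const SAMPLE_EMAIL = `
<p>You have a gift certificate waiting!</p>
<a href="http://link-tracker.example/redeem">http://www.amazon.com/GetGiftCertificateHere/</a>
<a href="http://www.amazon.com/help">http://www.amazon.com/help</a>
<a href="http://www.amazon.com/orders">View your orders</a>
`;
console.log(findMismatchedLinks(SAMPLE_EMAIL));
```

Links whose text is plain wording rather than a URL are skipped here, so they still need the hover check described above.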

Now let’s say that you arrive at a web site and everything looks OK, including the URL, but something just does not look right. The way to be sure that you are actually where you think you are is to run a little JavaScript. By copying and pasting the script into the URL bar of the site that you are on and pressing Enter, a description of the site’s actual URL and address URL will be displayed. If this shows that the .coms do not match, you may have been spoofed and may be at a malicious site.

Copy and paste the following JavaScript in the URL bar (NOTE – When you copy and paste this, clear the URL information that is already there. This script should be the only thing in the URL bar):

javascript:alert("The actual URL is:\t\t" + location.protocol + "//" +
location.hostname + "/" + "\nThe address URL is:\t\t" + location.href +
 "\n" + "\nIf the server names do not match, this may be a spoof.");

These types of spoofs are common on nefarious websites, so make sure that you are aware of where you are going before clicking on links.

However, crooks are getting more and more clever with their tricks, and even though the aforementioned tactics can be effective, there are some types of tricks that are even more difficult to detect. The first is browser hijacking, in which you are directed to a fake website after clicking on what appears to be a good link. These fake sites are very well built, and will look very much like a legitimate site. Let’s say you click on a link that you think will take you to Amazon.com; however, you wind up at a site that looks exactly like Amazon.com, but is not. From here, the cyber criminals will attempt to get your personal information. Simply glancing up at the URL will tell you that you are not at the correct site. The criminals are relying on the hope that, because the site looks so genuine, you will not even question what the URL says. Always check the URL. Again, running that little JavaScript will tell you exactly where you are.

These hijackings may even take you to a site that may look nothing like Amazon.com, but will contain malware or links to malware. Should you ever think that you are going to a particular site, and wind up somewhere unexpected, do not click on anything on that site, no matter how appealing it may seem. Chances are you are going to wind up with a virus, worm, trojan horse, or spyware.

Even more dangerous are what are known as Man in the Middle (MitM) attacks. These are hacks in which the criminal gets in between your transmission and the expected website, kind of like an intercepted pass in football, and steals your personal information. This was a very simple thing for an experienced hacker to do; however, e-commerce sites have become more aware of this type of attack, and have made changes to their sites so as to make MitM attacks more difficult. One way that this could be accomplished is through a page that asks for your personal information but is not protected by an SSL/TLS (Secure Sockets Layer/Transport Layer Security) connection. Any connection that is protected by SSL/TLS is encrypted so that all that a MitM will see is gobbledygook. The address of any website that is encrypted by SSL/TLS will always begin with “https://” instead of just “http://”. The way that a MitM attack could occur is for you to go to an e-commerce site. You would then add the items that you want to purchase. You are looking at the page with the item(s) that you are intending to buy. This page has a button that says “Purchase Now”; however, this page is not protected with SSL/TLS (its address does not start with https://). Before we go any further, I will give you the nickel explanation of how these sites expect to receive packets over the internet.

When packets of information that contain personal identifying information are sent over the internet, most sites like Amazon.com, Paypal.com, etc. expect them to arrive at their server over an encrypted transmission. If they are received unencrypted, these packets will be dropped by the site, which is a good policy as it protects you. When encrypted purchase information is received, confirmation information is then sent back to you, also through an encrypted transmission.

OK, now let’s return to that page on which you are going to purchase your items. The page was designed to be unencrypted (http:// only); however, once you enter your credit card information and push the ‘Purchase Now’ button, the information will then be sent over SSL/TLS. What happens is that the criminals hack the site and overlay the ‘Purchase Now’ button with an address that goes to their malicious site, over a non-encrypted transmission, where they now have all of your personal information. Now remember, the e-commerce site will not receive any information that is not encrypted, so the hacker will then cover their tracks and pass the information on to the e-commerce site over an SSL/TLS connection so that the e-commerce site receives the packets of data exactly the way that it is expecting them. Likewise, you will receive your purchase confirmation just as you expected, and thus will never know that your data was intercepted. Most e-commerce sites have fixed this flaw: anytime that you enter your personal information, it will be entered on a page that is served over an SSL/TLS connection as well as sent over one. This way no hacker can manipulate a page on which any personal information is entered, as the page is encrypted. This is only one way that a MitM attack can occur. Most of the time you will never even know that it has occurred.
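A site owner can test for the weakness described above by checking how each page that collects personal information is served and where its forms submit. This is an added example, not part of the original post; the function name, the issue labels and the hosts shop.example and collector.example are constructed for illustration, and the regular expressions only handle simple form markup.

```javascript
// Added example: audit where a page's forms will send what the user types.
function auditForms(pageUrl, html) {
  const page = new URL(pageUrl);
  const findings = [];
  // An unencrypted page can be altered in transit, whatever its form says.
  if (page.protocol !== "https:") {
    findings.push({ issue: "page-not-https", target: page.href });
  }
  for (const [tag] of html.matchAll(/<form\b[^>]*>/gi)) {
    const m = /\baction\s*=\s*["']([^"']*)["']/i.exec(tag);
    // A missing or relative action resolves against the page URL, as in a browser.
    const target = new URL(m ? m[1] : "", page);
    if (target.protocol !== "https:") {
      findings.push({ issue: "form-posts-over-http", target: target.href });
    }
    if (target.hostname !== page.hostname) {
      findings.push({ issue: "form-posts-to-other-host", target: target.href });
    }
  }
  return findings;
}

// Constructed pages on placeholder hosts (shop.example, collector.example).
const AS_DESIGNED = '<form method="post" action="https://shop.example/checkout">';
const TAMPERED = '<form method="post" action="http://collector.example/checkout">';
const FIXED = '<form method="post" action="/checkout">';

console.log(auditForms("http://shop.example/cart", AS_DESIGNED)); // page only
console.log(auditForms("http://shop.example/cart", TAMPERED));    // all three
console.log(auditForms("https://shop.example/cart", FIXED));      // nothing
```

The first case matters most for prevention: the form already posts over https://, yet the page is still flagged because it is delivered unencrypted.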

I would like to take the opportunity to thank all of the e-commerce sites used in the examples above. These types of attacks are not occurring on their sites and are only being used for the purpose of showing an example. Amazon.com and Paypal.com are perfectly safe venues for using e-commerce.

In order to safely use e-commerce and browse the web, it is essential to understand the concept behind URLs, their structure, and how they work. When browsing the web, make sure that you pay special attention to the URL that you are actually going to so as not to get spoofed and potentially endanger your personal information.

And as always, make sure that you keep your Operating System, anti-virus, browser, and anti-spyware software updated. Never click on solicited links in an email and always use common sense. If a deal seems to be too good to be true, it probably is.

Let me know if you have experienced these types of attacks……


2 Responses to “Uniform Resource Locator – Part Deux”


  2. I am quite new to WordPress, but what you write in this blog is really good and very informative. I think it will help me in the future. Thanks for the great work.
