How to Spot Phishing

Phishing is a deceptive tactic used in emails, on bogus web sites, and in other communication media to convince people to click on a link that typically brings the user to an impostor web site. These cyber attacks generally attempt to accomplish one or both of the following:

  • Surreptitiously obtain personal account information
  • Plant virus and/or worm programs on the machine

Phishing is considered to be a “social engineering” cyber attack because it relies on tricking or deceiving humans into doing something they don’t realize they’re doing (see “The Hacker as a Magician”). This contrasts with exploits, which rely on shortcomings or defects in computer firmware or software to accomplish their nefarious objectives.

There are two common link manipulation tactics used that are easily recognized if you know what to look for…

Tactic #1: WYSINWYG

“WYSIWYG” is an acronym for What You See Is What You Get and is commonly used to describe software programs whose intuitive, graphical user interface gives an accurate visual representation of how some sort of content will finally be rendered. In this case, I’m coining a new acronym: What You See Is Not What You Get. This is because the first common misdirection tactic used in Phishing is to display a legitimate URL (uniform resource locator) address that, in fact, points to a completely different address.

In order to understand how this works, here is a very quick and dirty introduction to how links are built in HTML. You’ll notice that there are various links scattered throughout this article that are plain English words that can be clicked.  As an example, the code for creating “Click here to visit my blog” looks something like this:

Click <a href="http://domesticatingit.com">here</a> to visit my blog.

When your browser sees this code, it composes a link to the address pointed to in the “href” attribute (in this case, “http://domesticatingit.com”) but only shows you the word “here”. Phishing attacks frequently rely on displaying a link that appears to be a legitimate address but isn’t. Consider the following screen shot:

Example Phishing email

This is an example from Microsoft’s web site of a common technique that Phishing attacks use to obtain online banking credentials. The text displayed in the email (#1) shows the legitimate URL for this fictitious bank’s login page. However, hovering over the link in Microsoft Outlook reveals that the actual address (#2) is completely different. There are three observations to make in this example:

  1. The displayed address and the actual address are different. This is a huge red flag and should make you extremely suspicious.
  2. The displayed address is a secure (i.e. “https”) URL, and the actual address is not. Again, this is a red flag.
  3. The actual address is an IP address instead of a domain name. While there are occasionally legitimate reasons for doing this, it is another red flag that makes the link questionable.

In most software programs, hovering over a link will display the actual address either in a status bar or as balloon text below the link. Here’s an example from my Gmail account (using Firefox 3) that illustrates how to see where the link in an email is going to take you. The cursor is hovering over the “Review Legal Agreements” text and the status bar in the lower left hand corner displays the “href” attribute of the link.

Example of email link previewing

If for some reason hovering over the link does not reveal the destination address, you can usually right-click on the link and select “Copy Link Address” and then paste into Notepad in order to check it.

Bottom Line: Look before you leap.
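
The three observations above can also be checked mechanically before a message reaches a reader. The following Python is an added example, not code from the original article: it extracts every link from an HTML email body and reports which of the three red flags apply. The flag names and the sample body are constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkAuditor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def red_flags(href, text):
    """Return which of the article's three red flags apply to one link."""
    flags = []
    actual = urlsplit(href)
    shown = urlsplit(text) if "://" in text else None  # text that looks like a URL
    if shown and shown.hostname:
        if shown.hostname != actual.hostname:
            flags.append("displayed-address-differs")
        if shown.scheme == "https" and actual.scheme != "https":
            flags.append("https-shown-but-not-used")
    try:
        ipaddress.ip_address(actual.hostname or "")
        flags.append("ip-address-host")
    except ValueError:
        pass  # host is a name (or missing), not an IP literal
    return flags

def audit(html):
    parser = LinkAuditor()
    parser.feed(html)
    return [(href, text, red_flags(href, text)) for href, text in parser.links]

# Constructed sample body; example.com and 192.0.2.10 are documentation values.
SAMPLE = ('<p>Sign in at <a href="http://192.0.2.10/login">'
          'https://www.example.com/login</a> or read '
          '<a href="http://domesticatingit.com">here</a>.</p>')
```

Calling audit(SAMPLE) reports all three flags for the first link and none for the second, whose visible text is a plain word rather than an address.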

Tactic #2: Sneaky URLs

Another tactic employed in Phishing attacks is to use URLs that, at first glance, appear to be legitimate because they include the real web site’s name somewhere in the URL. A recent Phishing exploit pointed toward Twitter users employed this approach to steal logins by using “twitter.access-logins.com” for the domain. Many people are fooled into believing this is legitimate simply because the word “twitter” appears in the address. It is further legitimized by rendering a near-perfect forgery of the real web site:

Twitter Phishing forgery

The reality, however, is that entering your login credentials on this site causes them to be logged to the database of a hacker, who then uses the compromised accounts to send direct messages to other Twitter users.

This deception works because the address used directs a browser to the “twitter” subdomain of the “access-logins” web site. Without diving into a full-blown tutorial on how host names are constructed, suffice it to say that you need to read host addresses from right to left in order to understand how they are qualified. The right-most portion of the address is “com”. The next portion of the address, “access-logins”, is the actual domain name. The WHOIS registrant for this domain turns out to be:

Registrant:
  Organization   : zhang xiaohu
  Name           : zhang xiaohu
  Address        : changningzhonghuainanlu192hao
  City           : changning
  Province/State : Hunan
  Country        : CN
  Postal Code    : 421500

Bottom Line: Parse that address – make sure the two right-most components are correct (e.g. “twitter.com”).
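
The right-to-left reading described above, as an added Python example that is not part of the original article. It goes one step beyond the two-component rule by handling suffixes that are themselves two labels long (such as “co.uk”); the small suffix set and the function names are assumptions made for illustration, and it expects full URLs including the scheme.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: a tiny hand-picked sample of two-label public suffixes. Real
# tooling should load the full Public Suffix List instead of this set.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(url):
    """Return the domain a full URL's host belongs to, read right to left."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return host  # an IP literal has no domain labels to parse
    except ValueError:
        pass
    labels = host.split(".")
    # The suffix is usually one label ("com"); for suffixes such as "co.uk" it
    # is two, so the registered name sits one label further to the left.
    suffix_len = 2 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def belongs_to(url, expected_domain):
    """True only if the URL's registrable domain is exactly expected_domain."""
    return registrable_domain(url) == expected_domain.lower()


# The host from the article; the path is constructed.
PHISH = "http://twitter.access-logins.com/login"
```

Comparing the result against an exact expected domain, rather than searching the address for the word “twitter”, is what defeats the subdomain trick.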

Feel free to add your hints and suggestions in the comments below.  Also, forward this article to anyone you know who might be vulnerable to these tactics.  You can find more advice on avoiding Phishing scams on Fraud.org.
