URL Obfuscation


Using URL obfuscation techniques, criminal hackers redirect Internet traffic from one Web site to a different, identical-looking site in order to trick you into entering your user name and password into the database on their fake site. The secret of many phishing attacks is to get you to follow a hyperlink (URL) to the attacker's server without realizing that you have been duped.

The most common methods of URL obfuscation include:

Pharming
Web Browser Proxy Configuration
Bad domain names
Friendly login URLs
Third-party shortened URLs
Host name obfuscation
URL obfuscation

Pharming
Pharming is the common term for when criminal hackers redirect Internet traffic from one Web site to a different, identical-looking site in order to trick you into entering your user name and password into the database on their fake site. Banking or similar financial sites are often the target of these attacks, in which criminals try to acquire your personal information in order to access your bank account, steal your identity, or commit other kinds of fraud in your name.


Browser Proxy Configuration
By overriding the customer's web browser setup and setting proxy configuration options, an attacker can force all web traffic through their nominated proxy server. This method is not transparent to the customer: the customer can easily review their web browser settings and identify an offending proxy server.


Bad Domain Names
One of the most trivial obfuscation methods is the purposeful registration and use of bad domain names. Consider the financial institution MyBank with the registered domain mybank.com and the associated customer transactional site http://privatebanking.mybank.com. The Phisher could set up a server using any of the following names to help obfuscate the real destination host:

http://privatebanking.mybank.com.ch
http://mybank.privatebanking.com
http://privatebanking.mybonk.com or even http://privatebanking.myb-k.com
http://privatebanking.mybank.hackproof.com

It is important to note that as domain registration organizations move to internationalize their services, it is possible to register domain names in other languages and their specific character sets. For example, the Cyrillic "o" looks identical to the standard ASCII "o" but can be used to register a visually identical, yet different, domain name - as pointed out by a company that registered microsoft.com in Russia a few years ago. Finally, it is worth noting that even the standard ASCII character set allows for ambiguities such as upper-case "i" and lower-case "L".

Friendly Login URLs
Many common web browser implementations allow for complex URLs that can include authentication information such as a login name and password. In general the format is URI://username:password@hostname/path.


Phishers may substitute the username and password fields with details associated with the target organization. For example, the following URL sets the username to mybank.com and the password to ebanking, while the destination hostname is evilsite.com:
http://mybank.com:ebanking@evilsite.com/phishing/fakepage.htm


This friendly login URL can successfully trick many customers into thinking that they are actually visiting the legitimate MyBank page. Because of its success, many current browser versions have dropped support for this URL encoding method.

Third-party Shortened URLs
Due to the length and complexity of many web-based application URLs - combined with the way URLs may be represented and displayed within various email systems (e.g. extra spaces and line feeds inserted into the URL) - third-party organizations have sprung up offering free services designed to provide shorter URLs.


Through a combination of social engineering and deliberately broken long or incorrect URLs, Phishers may use these free services to obfuscate the true destination. Common free services include http://smallurl.com and http://tinyurl.com.


Host Name Obfuscation
Most Internet users are familiar with navigating to sites and services using a fully qualified domain name, such as www.evilsite.com. For a web browser to communicate over the Internet, this address must be resolved to an IP address, such as 209.134.161.35 for www.evilsite.com. This resolution of host name to IP address is performed by domain name servers. A Phisher may wish to use the IP address as part of a URL to obfuscate the host and possibly bypass content filtering systems, or to hide the destination from the end user.

For example the following URL:
http://mybank.com:ebanking@evilsite.com/phishing/fakepage.htm
could be obfuscated as:
http://mybank.com:ebanking@210.134.161.35/login.htm
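The following checker is an added example (not part of the original page) that applies the Bad Domain Names, Friendly Login URL and Host Name Obfuscation sections above from the defender's side: given the legitimate registrable domain (assumed here to be mybank.com, as in the page's example), it parses a URL the way a browser does and reports which of the page's tricks it sees. The two-label registrable-domain shortcut and the edit-distance threshold of 2 are simplifying assumptions.

```python
import ipaddress
import unicodedata
from urllib.parse import urlsplit

LEGIT_DOMAIN = "mybank.com"  # assumed legitimate domain of the protected brand


def registrable_domain(host: str) -> str:
    """Last two labels of the host. A real implementation would consult the
    Public Suffix List; this shortcut is enough for the page's examples."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo lookalikes such as mybonk."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str, legit_domain: str = LEGIT_DOMAIN) -> list[str]:
    """Return the obfuscation indicators found in url; an empty list means none."""
    findings = []
    parts = urlsplit(url)
    host = parts.hostname or ""          # the host the browser really connects to
    brand = legit_domain.split(".")[0]   # "mybank"
    # Friendly-login trick: text before '@' is userinfo, not the destination
    if parts.username is not None:
        findings.append(f"userinfo '{parts.username}' hides real host '{host}'")
    # Host name obfuscation: destination given as a raw IP address
    try:
        ipaddress.ip_address(host)
        findings.append(f"host is a raw IP address: {host}")
    except ValueError:
        pass
    # Homoglyphs: non-ASCII characters (e.g. Cyrillic letters) or punycode labels
    if any(ord(c) > 127 for c in host) or "xn--" in host:
        odd = [unicodedata.name(c, "?") for c in host if ord(c) > 127]
        findings.append("host has non-ASCII/IDN content: " + ", ".join(odd or ["punycode"]))
    # Bad domain names: the brand, or a near-miss of it, appears as a label
    # while the registrable domain is not the legitimate one
    if host and registrable_domain(host) != legit_domain:
        for label in host.split("."):
            if edit_distance(label, brand) <= 2:
                findings.append(f"'{label}' resembles '{brand}' but domain is {registrable_domain(host)}")
    return findings
```

Run over the page's own sample URLs, only http://privatebanking.mybank.com comes back clean; each of the bad-domain, friendly-login and raw-IP variants produces at least one finding.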