The most successful attacks against an organization are successful because they target the users. Usually, this involves a user clicking on a link that sends the user’s browser to a malicious webpage that looks like a site that they are familiar with visiting. Without looking at the URL, the user can be easily coerced into believing the website in front of them is legitimate. Now, with security tools such as the Social Engineer Toolkit (SET), attackers and security professionals have the ability to take an existing web page and make a clone of it in a matter of seconds. The only difference between the two is the source, which makes it all the more important to be educated on how URLs are structured.

This may be old news to some, but until these attacks become far less successful, it is important to educate our users, family, and friends on how to better protect themselves online. Even users who are aware of phishing attacks can still fall victim to the attacker techniques discussed below. For the purpose of this article, “mydomain”, “myhost”, “mybank”, and “myresource” are used only as examples and are not representative of actual systems.

Example URL = http://www.securestate.com/default.aspx

  • Protocol = http
  • Host = www
  • Domain = securestate
  • Top-Level Domain (TLD) = com
  • Resource = default.aspx

While it is important to be able to identify the different parts of a full URL, this document will be focused around hosts, domains, and top-level domains. Note that there may be many subsequent hosts (myhost.myhost.mydomain.com) or none at all in the use of a URL. Each combination of host(s), domain, and top-level domain represents a unique system that the following resource will be requested from.

In the example URL illustrated, the most important pieces are the domain name and the top-level domain, appearing right before the “/”. The reason this is so important is because this is where almost all of your trust lies when visiting a website. When a domain is registered, the owner must provide contact information and pay a fee to the registrar, who then registers the domain name with the Internet Corporation for Assigned Names and Numbers (ICANN) to maintain ownership of the domain name. Additionally, top-level domains are regulated by the Internet Assigned Numbers Authority (IANA), and cannot be registered.  Therefore, the owner of securestate.mydomain.com, host.securestate.com, and host.securestate.net can be registered by three different people because they have different domain names and top-level domain combinations.  This is a great example of how attackers are taking advantage of users. By registering a domain name with a different top-level domain, or by adding a host name to mimic the domain name of another site, they can trick users into placing their trust into their phishing site. Figure 1 illustrates the structure of domain names and how they are essentially read backwards.

 

The following URLs are ALL examples of web sites that would be owned by “mydomain.com”, but have additional hosts as an attempt to gain the users trust.

  • http://www.securestate.mydomain.com/login.html
  • http://www.securestate.com.mydomin.com/login.html
  • http://www.mybank.mydomain.com/login.html
  • http://www.mydomain.com/mybank/login.html

The last example demonstrates another way that attackers are exploiting users’ ignorance to gain access to sensitive information. By placing keywords in the path of the resource, users who are looking only for their company’s name, the name of their bank, or their favorite social networking site within the URL can be tricked into visiting the site.

 

Helpful Steps When Presented with a Link:

1. Identify the domain name and top-level domain combination.

2. If the domain and top-level domain combination are not familiar, use one of the following online resources listed to see who the domain is registered to.

  • http://www.whois.net/
  • https://www.arin.net/
  • http://www.domaintools.com/

3. If the individual or organization is registered to someone other than what was expected, do not click the link. Instead, contact the sender using an alternative method. For example, if the link was sent via email, contact the sender over the phone, instant messenger, or in person to validate the authenticity of the link.

 

Comments are closed.