Phishing: Understanding URL/Links

Matt (INSINIA)
Dec 9, 2018

Malware and other attacks are delivered in a number of ways, but the most common channels are email, the web, SMS and social media. Knowing how to spot, decode and obtain the real link is key to judging whether it is legitimate or not.

Take for example this url:

https://account.paypal.com.check-account.io:8989/secure/check.php/?customer=12399873&action=pwn#MyAccount

It’s paypal.com, right?

No. Let’s take a minute to understand URL structure.

https:// is the protocol. It tells the browser which protocol to use, usually HTTP or its secured version, HTTPS. Browsers also know how to handle other protocols such as mailto:// (to open a mail client), ssh:// (to connect to another server) or ftp:// (to handle file transfer). These can actually be used to launch actions on your computer rather than on the internet.

check-account.io is the domain name. It indicates which server is being requested, and it is the most important part to figure out. If you want to visit paypal.com, paypal.com should always be in this position. There are no exceptions.

account.paypal.com is actually what we call a sub-domain, or in this case three of them. This is where the problems can occur. For example, if you register with a site that gives users their own sub-domain, an attacker can use that to launch attacks and convince the user it came from the company. Let’s assume for a second that Facebook does this; an attacker then registers an ‘update’ page hosting malware and gets this link…

update.facebook.com

Looks safe, right? This is how the web is supposed to work; the problem is that it abuses your trust by association. You would never click on pwn-me.hacker-clan.ru. The same can be done on an attacker-controlled domain: they will often buy one that looks fairly standard and won’t raise any red flags, like secure-update.com.

:8989 is the port. It indicates the technical “gate” used to access the resources on the web server. It is normally not even present when using a standard protocol such as http:// (:80) or https:// (:443).

/secure/check.php is the path to the resource on the web server. This could be a script, a download page, a page that exploits your browser, literally anything the attacker wants. Often no user interaction is required.

?customer=12399873&action=pwn are extra parameters provided to the server: a list of key/value pairs separated by the & symbol. The web server can use those parameters to do extra work before returning the resource. An attacker might use them to track you, to serve OS-specific malware, or to do nothing at all if you’re flagged as law enforcement.

#MyAccount is an anchor to another part of the resource itself. An anchor represents a sort of “bookmark” inside the resource, giving the browser the directions to show the content located at that “bookmarked” spot.
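To make the decomposition above concrete, here is an added example (not code from the original post) that uses Python’s standard urllib.parse to break the article’s sample URL into the parts just described and to flag a brand name that only appears in the sub-domain labels. The registrable-domain rule (last two labels) is an assumption of this example and does not handle multi-label suffixes such as co.uk.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the article's example URL.
SAMPLE = ("https://account.paypal.com.check-account.io:8989"
          "/secure/check.php/?customer=12399873&action=pwn#MyAccount")


def registrable_domain(host: str) -> str:
    """Return the last two labels of the host (assumption: a naive heuristic;
    multi-label public suffixes such as co.uk need a Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def breakdown(url: str) -> dict:
    """Split a URL into the components walked through in the article."""
    parts = urlsplit(url)
    host = parts.hostname or ""      # urlsplit lower-cases the host for us
    labels = host.split(".")
    return {
        "scheme": parts.scheme,
        "host": host,
        "subdomains": labels[:-2],   # everything left of the registrable domain
        "registrable_domain": registrable_domain(host),
        "port": parts.port,          # None when the scheme's default port applies
        "path": parts.path,
        "query": parse_qs(parts.query),
        "fragment": parts.fragment,
    }


def impersonates(url: str, brand_domain: str) -> bool:
    """True when brand_domain shows up inside the host name but is not the
    domain that will actually be contacted, e.g. paypal.com used as a
    sub-domain label of check-account.io."""
    info = breakdown(url)
    brand = brand_domain.lower()
    return brand in info["host"] and info["registrable_domain"] != brand


if __name__ == "__main__":
    for key, value in breakdown(SAMPLE).items():
        print(f"{key:>18}: {value}")
    print("impersonates paypal.com:", impersonates(SAMPLE, "paypal.com"))
```

Because the host is lower-cased, a capital-letter lookalike such as Iinkedin.com comes back as iinkedin.com, which no longer matches linkedin.com.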

So, now that you’re a URL structure expert, you may be asking: what if they shorten it?

Use a service like this to unpack and view the complete URL…

But remember, an attacker may control the domain (check-account.io) and be able to forward your requests to another server. For example, they can send every request for my-secure-domain.com on to pwned.ru. The best defence here is simply never to visit an unfamiliar domain unless you have a good reason; funny cat videos are not one.

Finally, you can ‘fake’ URLs to some degree by using HTML. This is a standard HTML link tag…

<a href="http://attacker.com">https://facebook.com</a>

A user will see https://facebook.com but, when they click it, will go to http://attacker.com, since that is the link actually specified in the HTML by the href="" attribute.

It’s worth noting that most browsers and email clients display the real URL in the lower-left or lower-right corner of the app when you hover your mouse over the link, so you can see where it actually goes rather than the masked address.

If you’re still in doubt, use a service like this to see where it goes (remember to copy the link; never click it to copy it):

http://wheregoes.com/

or use the URL tab on VirusTotal to see if it’s a known malicious URL:

https://www.virustotal.com/#/home/url

If after this you’re still not sure, don’t click it. Most phishing attacks convey a sense of urgency to influence you: “Bill needs this now” or “your invoice is overdue, you will be charged £2000”. If this is the case and you think it’s from someone you know, work with or shop with, simply call them and confirm they sent it.

One last thing to be aware of is capital letters. Take for example linkedin.com: an attacker could buy iinkedin.com, and the result would look quite convincing as Iinkedin.com (a capital I standing in for the lowercase l). The best thing to do in this case is to look at your address bar or at the URL on one of the URL-checking services above; they all revert capital letters to lowercase, so the substitution will be easy to spot.
