Pratum Blog

Cyber criminal with email phishing campaign

Phishing has been around a long time, and the most recent index numbers show attackers are using it enthusiastically.

Infoblox DNS Threat Index, Q2 Quarterly Report 2015

Network end users, as front-line defenders, are a critical component of an organization's information security program. Over the past few years, awareness and training topics for network end users have included phishing due to both its rampant nature and the increasingly sophisticated methods phishers use to lure victims. When our consultants evaluate risk within an organization and discuss with them their phishing awareness and training efforts, we may see guidance such as “do not click on suspicious links” and “hover the mouse pointer over links in an email to check whether it is legitimate.” However, how does one evaluate whether a link and the associated Uniform Resource Locator (URL) leads to a legitimate site or not?

To evaluate links and URLs, a person should understand generic Top-Level Domains (gTLDs), country code TLDs (ccTLDs), and other types of Internet domains. To that end, this article provides some high-level information about reading and interpreting links/URLs.

A Short History of Generic Top-Level Domains

We are all used to seeing gTLDs. Almost daily, we use gTLDs, including those most familiar to us, such as .com, .gov, and .edu. They are a key part of the structure of the Internet. They are also well understood by phishers, who manipulate URLs for fraudulent use. To best assess links within emails, as well as URLs within browsers, it’s good to know how the various domains have evolved and how they work.

In 1984, Request for Comments (RFC) 920 defined the original “general purpose domains”: .com, .gov, .mil, .edu, and .org. Another domain, .net, was added in early 1985 and is also considered one of the “original” domains. In 1988, .int (international) was added to meet the North Atlantic Treaty Organization’s request for a domain. Over the years, other domains were added, such as .biz and .info (2001). By early 2011, 22 gTLDs had been established. In June 2011, the Internet Corporation for Assigned Names and Numbers (ICANN) voted to remove many of the restrictions on gTLD applications and implementation, effectively opening the door for almost any gTLD to be used. Under the new rules, as of May 2015, over 600 gTLDs, including new gTLDs such as .auto, .computer, .network, .social, .pizza, and .organic, had been delegated and cleared for use on the Internet. Some security experts consider this expansion a gift to phishers, because it lets them register a multitude of new, plausible-looking phishing domains. For a full listing of the expanded gTLDs, see the Internet Assigned Numbers Authority (IANA) Root Zone Database (https://www.iana.org/domains/root/db).

Country Code TLDs

Country code TLDs are also part of many URLs, and, therefore, one can expect to see them in links on occasion. Countries have ccTLDs to help distinguish what country a site is registered in or originates from. For example, the ccTLD for the United States, .us, is often used by state and local governments. Other ccTLD examples are Australia, .au; Japan, .jp; and United Kingdom, .uk. When reading a link or URL, keep in mind that a country code only functions as the TLD when it is the last label of the host name (as in http://www.gov.uk). The same two letters can also appear earlier in a host name (as in https://uk.news.yahoo.com), but there it is simply a subdomain label chosen by the owner of yahoo.com and says nothing about where the site is registered.

Did You Know?

Fifty-four countries have chosen to allow their ccTLDs to be used for commercial purposes. For example, .co, the ccTLD for Colombia, can be used in place of .com. It’s very popular, due to the burgeoning .com domain, and allows businesses to have alternative ways to form website names.

Have you seen the URL http://o.co? That’s Overstock.com providing an alternate way for you to get to the company through your browser.

You may have seen youtu.be. That’s a legitimate URL, registered by Google using Belgium’s ccTLD, .be.

Much of the entertainment industry uses Tuvalu’s ccTLD, .tv. It’s a great way for the island nation to make money.

When trying to determine whether a site is legitimate, realize that many ccTLDs are also used for commercial purposes. What looks like a suspicious site could be, in fact, legitimate. However, ccTLDs can also be used to form names for phishing sites, so when in doubt, don’t click!

How Links/URLs are Formed

So what’s the key to reading URLs in links? The basic answer is that, within a link, the important stuff lies between the double forward slash “//” and the first single slash: the host name, primarily in the highlighted area shown below. To interpret the URL, go to the first single forward slash and read the host name backwards from there. The last label is the TLD, the label just before it (together with the TLD) is the registered domain, and that is what tells you who actually owns the site; every label further to the left is chosen freely by that owner. Everything after the first single forward slash (directories, subdirectories, filenames, and file types) is also chosen by the site owner and does not change which site you are visiting.

The structure of a link/URL

Note: The framework above is the basic URL breakdown. In place of http:// or https://, you may see ftp://, gopher://, or news://. These are different URL schemes, each naming a different transfer protocol. In addition, though www is in many URLs, it is not a required component. You may see additional subdomain labels to the left of the registered domain (the gTLD or ccTLD plus the secondary domain/server name). After the first forward slash, you may see fields indicating dates, or other information used to identify a resource.

Example Links/URLs

Now that we’re armed with some background information, let’s look at some examples.

  1. We’re fairly used to seeing and using commercial sites, such as: http://www.amazon.com

    This is a well-known site, and the URL doesn’t include any suspicious modifications.
    Assessment: LEGIT!

  2. URLs can be formed in almost any fashion. This makes it easy for site owners to build unique site names. It also makes it easy for phishers to do the same, meaning they can build site names that closely approximate legitimate site names. For example, look what a simple period can do to a site name: http://www.ama.zon.com/gp/cart/view.html/ref=nav_cart

    If a person were to click on the link above, instead of going to amazon.com, the person would be directed to a host under zon.com (the registered domain here is the last two labels, zon.com), which could be a site registered by phishers.
    Assessment: SUSPECT!

  3. How about this link? http://www.amazon.com@66.161.153.155/catalog

    In this case, a person would be directed to IP address 66.161.153.155, not amazon.com. Everything between “//” and the “@” sign is treated as a user name for logging in to the real host, which is whatever follows the “@”. If you see a link/URL with an “@” sign, be particularly careful. Phishers routinely use this URL-manipulation tactic. Note that many current browsers strip this user-name prefix or warn about it, but email clients and other software may not, so it is still worth recognizing.
    Assessment: SUSPECT!

  4. What if you see this URL in a link? http://209.131.36.158/amazon.com/index.jsp

    This URL is somewhat similar in function to the URL in #3 above. A person would be directed to the IP address, not amazon.com; “amazon.com” appears only after the first single forward slash, so it is just a directory name on the attacker’s server.
    Assessment: SUSPECT!

  5. What if you see a URL similar to the one below, or, as you watch a webpage load, you see something similar to this in the URL bar? http://www.google.com/url?q=http://www.badsite.com

    This example shows a URL that would refer a person from one site (in this case, google.com) to another site, badsite.com (note the “=http://” in the query string, which carries the destination). Referral and redirect pages are not in themselves bad, but a referral from a trusted site can be used to lead a person to a phishing site, and the trusted domain at the front of the URL makes the link look safer than it is. In this case, badsite.com doesn’t look to be legitimate.
    Assessment: SUSPECT!

Did You Know?

You visit a web site and see “www1” or “www2” (or other number) in the URL. What does this mean? Some web sites may be very popular and, therefore, have multiple servers working in a load-balancing configuration to serve content when requested. Some companies choose to number their servers. So, if you see a www1 or www2 (or other www#), you’re just seeing which server # among multiple servers is providing the content. With regards to phishing, seeing a www1, www2, etc., is not in itself an indicator of a phishing site.

To help users quickly determine the top-level and secondary domains within a URL, most browsers now use “domain highlighting.” When a user visits a site, the browser dims the rest of the address, leaving the top-level and secondary domains dark. For example:

    PayPal domain

It’s always good to look for signs of a secure connection: a closed padlock and https://. Keep in mind what these actually prove: the connection is encrypted to whoever holds a certificate for the host name in the address bar, and nothing more. Phishing sites routinely obtain valid certificates for their own look-alike domains, so the padlock never replaces reading the registered domain. The company name shown in green (as in the PayPal example above) was an Extended Validation certificate indicator; major browsers have since stopped displaying it, so its absence is not a warning sign. If a site’s certificate is expired or otherwise invalid, browsers such as Internet Explorer and Firefox, or security services, will warn users. A person might wonder if it is safe to proceed through the warning. In this case, use other available indicators (review the URL again) to help determine whether the site is legitimate. If in doubt, do not proceed.

Conclusion

Phishing continues to be a global problem, exacerbated by users who are not aware of phishing tactics, increasingly sophisticated phishing methods, and now, an increasing set of generic Top-Level Domains. Though links in emails are not the only method phishers use, it is a very common one. To reduce the risks posed by phishing, it is necessary to know how to interpret links and the associated URLs.

If you are interested in learning more about social engineering, awareness and training, and risk assessment services, please contact us today.
