Phishing alert: how hackers make malicious URLs look trustworthy

By: Jessica Foreman

Date: 9 May 2019

Pretty much everyone uses the internet, and we all feel fairly confident that we know what we're doing on there. Yes, there are threats, but they happen to other people, right?

This is especially true at work, where employers have all of those nifty cybersecurity defences on the company network. There are firewalls (including web application firewalls in front of the company's web apps), email filters, antivirus, and more, giving the feeling that everything is pretty much covered.

But everything isn't. One of the most common threats that employees see during cybersecurity awareness training is phishing. You're told not to click on suspicious links - but what makes a link actually “suspicious”? We all know not to click on anything from baddomain.com, but what other URL-related threats are out there?

The structure of URLs

Before talking about the ways that URLs can be abused, it's useful to know how they actually work. You probably know how the first part of the URL works. You see something like www.google.com, and know that clicking on the link will take you to a webserver controlled by Google. More precisely, the part that identifies the owner is the registered domain (google.com); whatever sits to the left of it (www, or anything else) is a subdomain chosen by that owner. That matters later, because a hostname can be made to start with a trusted name and still belong to someone else entirely.

Beyond the hostname, there may be one or more words separated by forward slashes. This is the path, and it tells the webserver which particular webpage it should give you. It looks a lot like what you'll see in the file explorer on your computer, and for a good reason: on simple sites it mirrors a directory tree on the server, although modern web applications usually map paths to code rather than to files on disk.

The rest of the URL you probably ignore. After a '?' comes the query string: settings such as id=johnsmith, often followed by a mess of apparently random characters (session tokens, tracking identifiers). This section passes parameters to the web application rather than choosing a page; however, it can also be used for evil.

Nothing to see here

Phishers make their living by tricking people into clicking on links in emails. If they succeed, we type in confidential information (like a username and password) into a phishing site, or install malware on our machine.

We know what they're up to and try to catch them at it, but, as professionals, they've come up with a few tricks to make a malicious URL look perfectly normal.

Bury it deep

One way that hackers make you trust their links is by placing them on trusted websites. This gets into the second part of the URL: the part that defines where the particular webpage is located on the webserver.

Many large organisational websites are ridiculously complicated. Every page on the site needs to be on the server somewhere, and the sheer number makes it unlikely that the website administrator actually knows everything that should and shouldn't be there.

Phishers take advantage of this by compromising trusted webservers, and then hiding phishing pages somewhere deep inside them. This gives the phisher the benefit of apparent legitimacy (since everyone will see the trusted site at the beginning of the URL), while having a low chance of accidental discovery.

In 2017, it was discovered that a website at Stanford University was the victim of such an attack. Phishers took advantage of the trusted Stanford domain to make phishing sites, spambots, and other hacking tools look more legitimate to end-users and increase their probability of a successful attack.

Escape! Escape!

Another way that hackers can hide their malicious websites is by taking advantage of escape encoding, also called percent or URL encoding. Escape encoding exists so that a URL can carry characters that otherwise have a reserved meaning in URLs. For example, a '?' in a path would be read as the start of the query string, so a page called what?is.html has to be linked as what%3Fis.html; the server decodes %3F back to '?' when it looks the page up. Any byte can be written this way, including ordinary letters, which is where the trick comes in.

Escape encoding is useful to attackers because it hides details of the URL. Looking at the URL "https://www.google.com%2E%62%61%64%2E%63%6F%6D", you'd probably think that clicking it will take you to a Google-owned website.

In fact, browsers decode the hostname before looking it up, and those escapes spell out ".bad.com": you'll end up on "https://www.google.com.bad.com", a subdomain of bad.com that belongs to whoever registered that domain, not to Google. Admittedly, once you arrive, the address bar will show the decoded URL - but will you really check? One caveat for anyone writing filters: not every client decodes the host this way (some command-line tools and URL libraries leave it encoded), so a check that matches on the raw string can disagree with what the user's browser actually does.
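To make the anatomy of a URL and the decoding trap concrete, here is an added example (my code, not the article's) in Python, using only the standard library. It splits a URL into host, path and query, then shows why a check on the raw host string is fooled by the percent-encoded hostname above while a check that decodes first is not. www.google.com and bad.com are the article's examples; the faq/what%3Fis.html path is a constructed input, the "naive" check stands in for a hurried reader or a careless allowlist, and treating the last two labels as the owning domain is a simplification labelled in the code.

```python
from urllib.parse import urlsplit, unquote


def split_path_query(url: str) -> tuple:
    """Path and query string of a URL, with the path percent-decoded.

    The split happens first, so a %3F inside the path comes back as a
    literal '?' and does NOT start the query string."""
    parts = urlsplit(url)
    return unquote(parts.path), parts.query


def browser_host(url: str) -> str:
    """The host a WHATWG-compliant browser connects to: the host part of the
    URL with percent-escapes decoded, lower-cased, trailing dot dropped.
    Python's urlsplit leaves the escapes in place, so we decode explicitly."""
    raw = urlsplit(url).hostname or ""
    return unquote(raw).lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """The part of a host that identifies its owner. Assumption: simplified
    to the last two labels. Real code should consult the Public Suffix List
    so that example.co.uk or user.github.io are handled correctly."""
    return ".".join(host.split(".")[-2:])


def naive_same_site(url: str, trusted: str) -> bool:
    """What a hurried reader (or a careless allowlist) does: look at the raw
    host string and ask whether it starts with the trusted name."""
    raw = urlsplit(url).hostname or ""
    return raw.startswith(trusted.lower())


def same_site(url: str, trusted: str) -> bool:
    """Decode first, then compare owning domains rather than prefixes."""
    return registrable_domain(browser_host(url)) == registrable_domain(trusted.lower())


if __name__ == "__main__":
    tricky = "https://www.google.com%2E%62%61%64%2E%63%6F%6D"   # the article's example
    print(split_path_query("https://example.com/faq/what%3Fis.html"))  # ('/faq/what?is.html', '')
    print(browser_host(tricky))                                      # www.google.com.bad.com
    print(naive_same_site(tricky, "www.google.com"))                 # True  (fooled)
    print(same_site(tricky, "www.google.com"))                       # False (correct)
```

The lesson for filter authors is the order of operations: split the URL, decode the host, then compare the owning domain against the right-hand end of the name. A prefix match on the raw string passes exactly the URL the article warns about.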

Turn left here

URL redirection is another way that hackers can abuse legitimate features of the internet to make you end up somewhere that you didn't intend. A URL that looks like "https://www.google.com?redirect=www.baddomain.com" has a trustworthy domain at the front, so it looks okay at a casual glance. However, if the trusted site has an open redirect (a page that forwards visitors to whatever address is given in a parameter, without checking it), this URL will actually end up taking you to baddomain.com.

You may think that this looks pretty obvious, and indeed it does… on a big enough screen. But what if you're on a smartphone where all you can see is the first part? It might be enough to trick you.

This tactic can also be combined with escape encoding to increase its probability of success. The '?' and the parameter name have to stay readable for the redirect to work, but the destination does not: by writing it as "redirect=www%2Ebaddomain%2Ecom", or as a fully encoded "https%3A%2F%2Fwww.baddomain.com", a phisher can increase the probability that you'll click and not double-check the URL once you get there.
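As an added example (not from the article), here is a Python link checker for the redirect trick. It pulls every query parameter whose value names a destination (a full URL, a protocol-relative //host, or a bare hostname), decodes it, including a second layer of percent-encoding, and reports the destinations that leave the site the URL appears to belong to. The parameter names redirect, url and continue and the hosts accounts.google.com and www.baddomain.com are constructed test inputs; nothing here implies that google.com actually has such a redirect. The owning-domain helper is again the simplified last-two-labels rule.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# A bare hostname: one or more labels, ending in an alphabetic TLD
# (so a value like "1.5" is not mistaken for a destination).
HOSTNAME = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}", re.IGNORECASE)


def destination_host(value: str):
    """If a parameter value names somewhere to go, return that host, else None."""
    value = unquote(value).strip()       # peel a second layer of encoding, if any
    if value.startswith("//"):
        value = "http:" + value          # protocol-relative URL still leaves the site
    if "://" in value:
        return (urlsplit(value).hostname or "").lower() or None
    head = value.split("/", 1)[0]        # "www.baddomain.com/login" -> "www.baddomain.com"
    return head.lower() if HOSTNAME.fullmatch(head) else None


def redirect_targets(url: str) -> list:
    """(parameter name, destination host) for every parameter that carries one."""
    targets = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        host = destination_host(value)   # parse_qsl already removed one layer of %XX
        if host:
            targets.append((name, host))
    return targets


def registrable_domain(host: str) -> str:
    """Assumption: owner = last two labels. Use the Public Suffix List for real."""
    return ".".join(host.split(".")[-2:])


def off_site_redirects(url: str) -> list:
    """Destination hosts in the query string that lead away from the
    site the URL appears to belong to."""
    site = registrable_domain((urlsplit(url).hostname or "").lower())
    return [host for _, host in redirect_targets(url)
            if registrable_domain(host) != site]


if __name__ == "__main__":
    # Constructed test URLs: plain, encoded, double-encoded, and a harmless one.
    for link in (
        "https://www.google.com?redirect=www.baddomain.com",
        "https://www.google.com/?redirect=https%3A%2F%2Fwww.baddomain.com%2Flogin",
        "https://www.google.com/?url=https%253A%252F%252Fwww.baddomain.com",
        "https://www.google.com/?continue=https://accounts.google.com/&q=phishing",
    ):
        print(link, "->", off_site_redirects(link))
```

The double-encoded case is the one most allowlists miss: the server decodes once, the redirect handler often decodes again, and a filter that stops after the first pass never sees the hostname. Decoding until the value stops changing is the safe habit, and comparing owning domains rather than substrings keeps "accounts.google.com" from being flagged while "www.google.com.baddomain.com" still is.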

Close enough

A final and common way that phishers weaponize URLs is typosquatting: the deliberate registration of domain names that look like legitimate ones, in order to catch someone who has mistyped a URL, or to increase the probability that someone not paying attention will click on a link.

A common typosquatting technique is to drop a letter (eg 'gogle' instead of 'google'), or use letter strings that look similar to one another (for example, 'rn' instead of 'm').

For the more sophisticated phisher, the use of multiple alphabets is an option. Latin and Cyrillic are two completely different alphabets with many similar-looking letters, and both are usable in emails, websites and, through internationalised domain names, URLs. Can you really say that you'd notice the subtle difference between a URL using the Latin 'a', and one using the Cyrillic one? Modern browsers push back by displaying a domain in its encoded 'xn--' (punycode) form when a label mixes scripts, but a label built entirely from Cyrillic look-alikes has slipped past that check before, so the address bar alone is not a guarantee.
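An added example (mine, not the article's) that applies the three look-alike tests just described to a candidate hostname: a one-letter edit such as gogle for google, look-alike letter sequences such as rn for m, and non-Latin letters, which it reports together with the xn-- form the resolver actually sees. The brand names and candidate hosts are constructed inputs, the look-alike table is a small hand-picked heuristic rather than the full Unicode confusables list, and the owning domain is again taken to be the last two labels.

```python
import unicodedata

# Letter sequences that render almost identically in common fonts and that
# typosquatters swap for one another. Assumption: a small heuristic list.
LOOKALIKE_SEQUENCES = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"))


def fold_lookalikes(label: str) -> str:
    """Collapse look-alike sequences so 'rnicrosoft' and 'microsoft' compare equal."""
    for seq, replacement in LOOKALIKE_SEQUENCES:
        label = label.replace(seq, replacement)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: fewest single-character edits turning a into b."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # delete ca
                               current[j - 1] + 1,              # insert cb
                               previous[j - 1] + (ca != cb)))   # substitute
        previous = current
    return previous[-1]


def scripts_used(label: str) -> set:
    """Unicode scripts of the letters in a label, e.g. {'CYRILLIC', 'LATIN'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def to_ascii(host: str) -> str:
    """The IDNA (punycode, xn--) form a resolver uses and browsers fall back to."""
    return host.encode("idna").decode("ascii")


def classify(host: str, brand: str):
    """Explain why host resembles brand (a registrable domain such as
    'google.com'), or return None when it does not."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None                                   # 'localhost' etc.: nothing to compare
    host_dom = ".".join(labels[-2:])                  # assumption: owner = last two labels
    brand_dom = brand.lower()
    if host_dom == brand_dom:
        return None                                   # the real thing, or its own subdomain
    label, brand_label = host_dom.split(".")[0], brand_dom.split(".")[0]
    if not label.isascii():
        return (f"non-ASCII label using {sorted(scripts_used(label))}; "
                f"resolves as {to_ascii(host_dom)}")
    if fold_lookalikes(label) == fold_lookalikes(brand_label):
        return f"look-alike letters for '{brand_label}'"
    if edit_distance(host_dom, brand_dom) == 1:       # also catches google.co, gooogle.com
        return f"one edit away from '{brand_dom}'"
    return None


if __name__ == "__main__":
    # Constructed candidates; '\u0430' is the Cyrillic small letter a.
    for candidate, brand in (("gogle.com", "google.com"),
                             ("rnicrosoft.com", "microsoft.com"),
                             ("\u0430pple.com", "apple.com"),
                             ("www.google.com", "google.com")):
        print(candidate, "->", classify(candidate, brand))
```

The non-ASCII branch is deliberately blunt: for a brand that is itself all-Latin, any non-Latin letter in the lookalike position is worth a second glance, and printing the xn-- form shows the reader the name the DNS resolver will actually query, which is what a user would see if the browser declined to render the Unicode version.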

Paying attention to URLs

The internet is a dangerous place, and URLs can easily be abused by attackers as part of a phishing attack. Buried directories, escape encoding, redirection and typosquatting are all means that phishers will use to catch you. Always double-check the address bar once you reach a site, reading the domain from its right-hand end rather than the left, in case of redirection or escape encoding attacks.

Better yet, never click on URLs in emails. Instead, go direct to the site that they're offering to send you to, and then click through menus to reach your destination. It may take more time and effort - but it's worth it to not get phished.

Copyright 2019. Article was made possible by site supporter Jessica Foreman
