I have been asked recently about the dangers of clicking on unknown links in e-mails. This lead to a discussion on how hackers disguise website addresses or URLs. There are actually several tactics that spammers and hackers will use to disguise a website address. Today, I wanted to take a quick look at some of them.
Microsoft released a good article on how to recognize spoofed sites. Spammers will try to register website names that are close to the website they are trying to spoof. For example, misspelled words like Micosoft, or Mircosoft would be options for someone trying to spoof Microsoft. Another common tactic is to use the number “0” in place of the letter “O”. Or adding extra words in the website name works as well, like security-microsoft.com. Internet Explorer 8 tries to help you recognize these tactics by always highlighting the domain name in bold so you can verify the spelling.
Also, spammers will use very long names in links to disguise the actual site that they are trying to send you too. A website address (also called Fully Qualified Domain Name) can be up to 255 characters long. So when displayed in the address bar, it wraps so you cannot see the whole address. They will add some official looking directories in the name to make it look more legit. For example:
http://www.malwarebadsite.com/up_to_no_good/exploited_machines/…lots_of_random_junk…/Official/Microsoft/Security/Updates/. When displayed, you will only see the “/Official/Microsoft/Security/Updates/” part of the address.
Okay these ones you could catch if you scrutinize the address closely enough. But there are other ways to write a domain name. For example, you can use the IP address instead of the name. If you open a command prompt and type “ping google.com” you will see “pinging Google.com [220.127.116.11]”. You can take that number and place it into the Internet Explorer address bar and you will end up at Google.com. That one is well known, but how else can you write the address? Here are some other less known ways to write an internet address:
- DoubleWord (dword): Google.com in dword is 1208929383
- Hexadecimal: Google.com in Hex is 0X480ecc67 (convert the IP to hex and then add “0x” in the front so IE known that it is a Hex number.)
- Octal: Google.com in Octal is 0110.016.0314.0147 (Convert the IP address to Octal, and then add a “0” in front of each number so IE knows that it is octal.)
Go ahead, copy and paste any of the numbers above in your IE browser and you will end up at Google.com. Or you can “ping 1208929383” from a command prompt and you will get a response from 18.104.22.168. Firefox seems much better than IE at parsing these out, placing these numbers in Firefox did not seem to work, I got a DNS error or BAD ADDRESS error message. Hackers will use the numbered IP addresses instead of a domain name to further mask the malware site.
If you want to know more, an excellent article for converting IP addresses to other forms and full instructions on how to do so can be found at PCHelp.com. Two sites that are helpful in converting the IP address are IPAddressLocation and IPAddressConverter.
One last point to keep in mind. Website spoofing is not just used by vicious hackers. Sometimes your users may be using this tactic also. When you set up your firewall filter and block sites that you don’t want your users on, some routers will allow users to bypass the filter by using the spoofing tactics listed above. So if you want to keep people off youtube.com, you may need to also block the actual IP address and possibly the other variants listed above as well. I have seen SOHO setups where specific sites were blocked by name, allowing no access to the domain name, but you could still get to them by putting in the IP address.