Spoofing a Website Address: How to Obscure a URL

I have been asked recently about the dangers of clicking on unknown links in e-mails. This led to a discussion of how hackers disguise website addresses, or URLs. Spammers and attackers use several tactics to disguise a website address, and today I wanted to take a quick look at some of them.

Microsoft published a good article on how to recognize spoofed sites. Spammers register domain names that look close to the site they are imitating: misspellings such as Micosoft or Mircosoft, the digit “0” in place of the letter “O”, or extra words added to the name, as in security-microsoft.com, which is a completely different registrable domain that merely contains the brand. Internet Explorer 8 helps you catch these tactics by always highlighting the domain name in bold in the address bar so you can check the spelling of the part that actually matters.
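To make the look-alike tactic concrete, here is an added example written for this post (it is not code from Microsoft's article or from the original page). It takes a host name and a short list of brand domains you care about and reports which trick, if any, the name uses: a misspelling, digit-for-letter substitution, or the brand buried inside an unrelated domain. The brand list, the edit-distance thresholds, the partial confusable-character table and the “last two labels” rule for the registrable domain are all assumptions made for the demonstration; a production version would consult the Public Suffix List and a fuller confusables table.

```python
"""Flag look-alike host names: misspellings, digit-for-letter swaps and brand
names buried in an unrelated domain.  Added example, not from the original page."""

# Digit-for-letter substitutions folded before comparing (partial table; assumption).
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def skeleton(label: str) -> str:
    """Fold look-alike characters so micr0soft and rnicrosoft compare equal to microsoft."""
    return label.lower().translate(_CONFUSABLES).replace("rn", "m").replace("vv", "w")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap two
    adjacent characters, each costing 1, so mircosoft is 1 edit from microsoft."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def registrable_domain(host: str) -> str:
    """Last two labels of the host.  Simplification (assumption): real code uses the
    Public Suffix List so that names such as bbc.co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_reason(host: str, brand_domains) -> str:
    """Return 'genuine' when the host belongs to a brand domain, 'unrelated' when it
    resembles none of them, otherwise a string naming the trick and the brand."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in brand_domains:
        return "genuine"
    name = reg.split(".")[0]  # e.g. micr0soft for micr0soft.com
    for brand in sorted(brand_domains):
        bname = brand.split(".")[0]
        if skeleton(name) == skeleton(bname):
            return f"confusable characters for {brand}"
        # One edit allowed for short brand names, two for long ones (threshold is an assumption).
        if osa_distance(name, bname) <= (1 if len(bname) < 8 else 2):
            return f"misspelling of {brand}"
        if bname in host:  # security-microsoft.com, microsoft.com.evil-update.net
            return f"brand name embedded in unrelated domain {reg}"
    return "unrelated"


if __name__ == "__main__":
    brands = {"microsoft.com"}
    for h in ("www.microsoft.com", "micosoft.com", "mircosoft.com", "micr0soft.com",
              "security-microsoft.com", "microsoft.com.evil-update.net", "www.google.com"):
        print(f"{h:32} {lookalike_reason(h, brands)}")
```

The three checks are ordered from most to least specific: a skeleton match catches character substitution that edit distance would count as several changes, edit distance catches dropped or swapped letters, and the substring check catches the “brand somewhere in the host” pattern that the bold-domain display in the browser is meant to expose.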

Spammers also use very long links to hide the site they are actually sending you to. The host name part of an address (the fully qualified domain name) is limited to 253 characters, but the path that follows it can be far longer, so the address scrolls out of view in the address bar or status line. They pad that path with official-looking directory names to make it look legitimate. For example:

http://www.malwarebadsite.com/up_to_no_good/exploited_machines/…lots_of_random_junk…/Official/Microsoft/Security/Updates/. Depending on how the mail client or browser truncates a long address, the reader may see only the “/Official/Microsoft/Security/Updates/” tail, while the part that decides where the link goes, the host name www.malwarebadsite.com right after http://, is out of view.

Okay, these you could catch if you scrutinize the address closely enough. But there are other ways to write the host. For example, you can use the IP address instead of the name. If you open a command prompt and type “ping google.com” you will see “Pinging google.com [72.14.204.103]” (the address google.com resolved to at the time of writing; large sites rotate among many addresses). Put that number into the Internet Explorer address bar and you end up at Google.com. That one is well known, but the same address can be written in other, less familiar ways:

  1. DoubleWord (dword): Google.com in dword is 1208929383 (the four octets packed into one 32-bit number: 72×2^24 + 14×2^16 + 204×2^8 + 103).
  2. Hexadecimal: Google.com in hex is 0x480ecc67 (convert the IP to hex and add “0x” in front so IE knows that it is a hex number; the dotted form 0x48.0x0e.0xcc.0x67 works as well).
  3. Octal: Google.com in octal is 0110.016.0314.0147 (convert each octet to octal and add a leading “0” so IE knows that it is octal).

These all follow the classic inet_aton() rules: each dot-separated part may be decimal, 0x-prefixed hex or leading-zero octal, and a final part may stand for more than one byte, so a parser that follows them also accepts mixed forms such as 72.14.52327 or 0x48.016.204.0x67.

Go ahead, copy and paste any of the numbers above into your IE browser and you will end up at Google.com. Or you can “ping 1208929383” from a command prompt and you will get a response from 72.14.204.103. Firefox seems much better than IE at parsing these out; placing these numbers in Firefox did not seem to work, I got a DNS error or BAD ADDRESS error message. Hackers will use the numbered IP addresses instead of a domain name to further mask the malware site.

If you want to know more, an excellent article on converting IP addresses to these other forms, with full instructions, can be found at PCHelp.com. Two sites that are helpful for converting an IP address are IPAddressLocation and IPAddressConverter.

One last point to keep in mind. Address obfuscation is not only used by malicious hackers; sometimes your own users use it too. When you set up a firewall filter to block sites you don’t want your users on, some routers compare only the literal text of the address, so users can bypass the filter with the tricks listed above. If you want to keep people off youtube.com, you may need to block the site’s IP addresses as well, and a filter that matches raw strings would also have to list the dword, hex and octal spellings, whereas one that normalizes the host to a canonical dotted-quad before matching covers all of them at once. Bear in mind that blocking by IP is fragile for large sites, which use many addresses and change them, and can overblock when an address is shared by unrelated sites. I have seen SOHO setups where specific sites were blocked by name, allowing no access through the domain name, but you could still get to them by putting in the IP address.
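The following added example (written for this post, not code from the original page or from any of the sites linked above) covers both the numeric forms listed earlier and the filtering point just made. It converts a dotted-quad address into the dword, hex and octal spellings from the list, then does the reverse with a parser that follows the inet_aton() rules, so it also accepts the mixed and merged forms (72.14.52327, 0x48.016.204.0x67) that go beyond the three examples in the post. On top of that it shows a block-list check that normalizes the host before matching, which is what a name-only filter lacks. The address 72.14.204.103 and its three encodings are the ones quoted in the post; the block lists and the sample URLs are constructed for the demonstration.

```python
"""IPv4 host literals (dword, hex, octal, mixed) and a filter that normalizes them.
Added example for this post; not code from the original page."""
import ipaddress
import re
from urllib.parse import urlsplit


def ip_to_dword(dotted: str) -> int:
    """Dotted quad -> one 32-bit decimal number (the 'dword' form)."""
    return int(ipaddress.IPv4Address(dotted))


def ip_to_hex(dotted: str) -> str:
    """Dotted quad -> 0x-prefixed 32-bit hex literal."""
    return "0x%08x" % ip_to_dword(dotted)


def ip_to_octal(dotted: str) -> str:
    """Dotted quad -> per-octet octal, each with the leading 0 that marks it as octal."""
    return ".".join("0%o" % int(octet) for octet in dotted.split("."))


_HEX = re.compile(r"0[xX][0-9a-fA-F]+")
_OCT = re.compile(r"0[0-7]*")          # "0" alone and "0110" both land here
_DEC = re.compile(r"[1-9][0-9]*")


def _parse_part(part: str):
    """One dot-separated component, interpreted like C strtoul() with base 0."""
    if _HEX.fullmatch(part):
        return int(part[2:], 16)
    if _OCT.fullmatch(part):
        return int(part, 8)
    if _DEC.fullmatch(part):
        return int(part, 10)
    return None                          # e.g. "08" (bad octal) or a hostname label


def parse_ipv4_literal(text: str):
    """Parse any inet_aton()-style IPv4 literal into canonical dotted-quad form.
    1 to 4 parts; all but the last must fit in one byte; the last part fills the
    remaining bytes (so 72.14.52327 == 72.14.204.103).  Returns None for anything
    that is not such a literal, including ordinary host names."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_parse_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    *lead, last = values
    if any(v > 0xFF for v in lead):
        return None
    tail_bits = 8 * (4 - len(lead))
    if last >= 1 << tail_bits:
        return None
    number = 0
    for v in lead:
        number = (number << 8) | v
    number = (number << tail_bits) | last
    return str(ipaddress.IPv4Address(number))


def canonical_host(url: str) -> str:
    """Host of a URL with any numeric spelling reduced to dotted-quad form.  For a
    long padded URL this is the part right after the scheme, whatever the path shows."""
    host = urlsplit(url).hostname or ""  # lower-cased, port stripped
    literal = parse_ipv4_literal(host)
    return literal if literal is not None else host.rstrip(".")


def is_blocked(url: str, blocked_names, blocked_ips) -> bool:
    """Filter check that normalizes first, so 1208929383, 0x480ecc67 and
    0110.016.0314.0147 all hit the same block-list entry as 72.14.204.103.
    No DNS lookup is done: a name is matched against the name list only."""
    host = canonical_host(url)
    if host in blocked_ips:
        return True
    return any(host == name or host.endswith("." + name) for name in blocked_names)


if __name__ == "__main__":
    ip = "72.14.204.103"
    print(ip_to_dword(ip), ip_to_hex(ip), ip_to_octal(ip))
    for form in ("1208929383", "0x480ecc67", "0110.016.0314.0147", "72.14.52327", "0x48.016.204.0x67"):
        print(f"{form:22} -> {parse_ipv4_literal(form)}")
```

A filter built this way still needs the site’s real addresses in blocked_ips, since it deliberately does no name resolution; the point it demonstrates is that the numeric spellings are not separate entries to maintain once the host is normalized before comparison.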


Cyber Security Seminar: Sharing and Layering in Cyber Investigations

Federal Computer Week is hosting the security seminar (from the website):

Sharing and Layering in Cyber Investigations: Stop Cyber Threats from Becoming Reality through Unified Analysis Policies and Practices

Attacks on information infrastructure pose the most serious economic and national security threat of the 21st century. Gone are the days of individual hackers as the primary threat to cyber security; today’s cyber warriors are members of organized crime rings and hostile nation states, and their targets are government and financial networks; communications, utilities and critical infrastructure control, and sensitive defense and military information. The need to improve cyber investigative information sharing from both a technology and policy perspective, put an end to data siloing, and improve public-private partnerships is crucial to prevent a cyber 9/11.

Learn from these veterans of policy and technology development about how to implement best practices that can ensure your organization’s investigative, defensive and offensive capabilities are always one step ahead of cyber enemies:

Speakers:

Dr. Kathleen L. Kiernan, CEO of Kiernan Group
Ronald E. Plesco, Jr., Esq. CEO, National Cyber Forensics and Training Alliance
Rob Schmidt, CEO, InfraGard National Members Alliance
Dr. Greg Rattray, Expert on National Security and Cyberspace

Date: Jul 08, 2010
Time: 11:00 am ET
Duration: 1 hour

If you are interested, but cannot attend, sign up anyway and you will be provided a link to watch the archived version.

View Webpages from the Past: Wayback Machine

When hackers target a system, they usually start with reconnaissance: gathering as much information as possible about the victim. Some will use site-mirroring tools to download your entire website so they can search and view it offline. It is amazing how much information can be gleaned from some websites: documents, contact information, even the file structure and directories that should never have been exposed.

Many companies are more security conscious now and watch what they put on their websites. But what if a complete copy of your website from a year ago, or even 10 years ago, were still available? Enter Archive.org’s Wayback Machine. Archive.org crawls websites and stores dated snapshots of them; many sites can be viewed as they were years ago, all the way back to 1996. Want to read CNN or Fox News from 2000? You can find it on Archive.org. According to their website:

The Internet Archive is a 501(c)(3) non-profit that was founded to build an Internet library. Its purposes include offering permanent access for researchers, historians, scholars, people with disabilities, and the general public to historical collections that exist in digital format. Founded in 1996 and located in San Francisco, the Archive has been receiving data donations from Alexa Internet and others. In late 1999, the organization started to grow to include more well-rounded collections. Now the Internet Archive includes texts, audio, moving images, and software as well as archived web pages in our collections, and provides specialized services for adaptive reading and information access for the blind and other persons with disabilities.

The Wayback Machine is powered by Sun technology and can serve over 500 queries a second. Most people don’t know that their websites are being actively archived, and that can be a security risk for you and your company: anything that was ever published, even briefly, may still be retrievable long after it was taken down. If you find that your site is in the archive and you want it removed, instructions can be found here.
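As an added example of the reconnaissance use described above (written for this post; not code from the original page or from the Internet Archive), the block below works from a snapshot listing of the kind the Archive’s CDX query interface returns (a JSON array whose first row is the column header) and picks out paths that the archive has seen but that the live site no longer lists, then flags the ones worth a closer look: documents, backup files and sensitive-looking directories. The listing embedded here is constructed for the demonstration, the domain is example.com, and the “interesting” suffixes and directory names are an assumption you would tune for your own site. The query-building helper uses the endpoint and parameters of the public CDX interface; run it against a real domain only for sites you are authorized to assess.

```python
"""Triage archived snapshot listings for content a site no longer exposes.
Added example, not from the original page.  Sample data is constructed."""
import json
from urllib.parse import urlencode, urlsplit

CDX_ENDPOINT = "http://web.archive.org/cdx/search/cdx"

# Constructed listing in the CDX JSON shape: header row, then one row per capture.
SAMPLE_CDX = """[
 ["timestamp", "original", "statuscode"],
 ["20030415120000", "http://www.example.com/", "200"],
 ["20030415120130", "http://www.example.com/docs/network_diagram.pdf", "200"],
 ["20040201093000", "http://www.example.com/admin/", "200"],
 ["20040201093100", "http://www.example.com/staff/phone_list.xls", "200"],
 ["20060710000000", "http://www.example.com/old_site/config.bak", "200"],
 ["20060710000100", "http://www.example.com/old_site/config.bak", "404"],
 ["20100101000000", "http://www.example.com/about/", "200"]
]"""

# What to flag (assumption; adjust for the site under review).
INTERESTING_SUFFIXES = (".pdf", ".doc", ".xls", ".bak", ".old", ".sql", ".zip")
INTERESTING_DIRS = ("/admin", "/backup", "/old", "/staff", "/private")


def cdx_query_url(domain: str, from_year: int = None) -> str:
    """Build the CDX query for every captured URL under a domain, one row per
    distinct URL (collapse=urlkey), optionally starting from a given year."""
    params = {"url": f"{domain}/*", "output": "json",
              "fl": "timestamp,original,statuscode", "collapse": "urlkey"}
    if from_year is not None:
        params["from"] = str(from_year)
    return CDX_ENDPOINT + "?" + urlencode(params, safe="*/,")


def parse_cdx(text: str):
    """Turn the header-plus-rows JSON array into a list of dicts."""
    rows = json.loads(text)
    header, body = rows[0], rows[1:]
    return [dict(zip(header, row)) for row in body]


def archived_only(records, live_paths):
    """Paths captured with HTTP 200 that the live site no longer lists,
    mapped to the year of the earliest such capture."""
    first_seen = {}
    for rec in records:
        if rec["statuscode"] != "200":
            continue
        path = urlsplit(rec["original"]).path
        if path in live_paths:
            continue
        year = rec["timestamp"][:4]
        first_seen[path] = min(first_seen.get(path, year), year)
    return first_seen


def triage(archived):
    """Sorted (path, first_year, reason) tuples for the paths worth a closer look."""
    findings = []
    for path, year in archived.items():
        lower = path.lower()
        if lower.endswith(INTERESTING_SUFFIXES):
            reason = "document/backup file"
        elif any(lower.startswith(d) for d in INTERESTING_DIRS):
            reason = "sensitive directory"
        else:
            continue
        findings.append((path, year, reason))
    return sorted(findings)


if __name__ == "__main__":
    print(cdx_query_url("www.example.com", 2000))
    live = {"/", "/about/"}  # constructed: what the site publishes today
    for path, year, reason in triage(archived_only(parse_cdx(SAMPLE_CDX), live)):
        print(f"{year}  {reason:22} {path}")
```

The live path set would normally come from crawling the current site; comparing the two lists is the same thing an attacker does, so running it yourself shows what is still discoverable and which removal requests or robots exclusions are worth filing.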

R.A. Salvatore and Elder Scrolls Lead Designer Team Up

What do you get when you combine one of the top fantasy writers and one of the leading computer game designers? Project Mercury!

If you enjoy fantasy novels, chances are you know about R.A. Salvatore. He is a New York Times best-selling author and the masterful creator behind Drizzt, the Drow of the Icewind Dale trilogy and the Dark Elf Series. He has also worked with George Lucas and written Star Wars novels. He is an awesome writer. In fact I have read 4 of his novels in the last three weeks. You cannot put them down.

If you enjoy fantasy games, you have probably played Elder Scrolls Morrowind and Oblivion. Ken Rolston was the lead designer behind both games. Oblivion is one of my favorite single player games. The freedom offered in the world to do almost anything you want is amazing. You can follow the main plot, run the Thieves, Fighters or Mages Guild, or do all, or none, of the above. Also, by adding a few mods, its replayability is almost endless.

Salvatore and Rolston now work for 38 Studios and have signed an agreement with EA to create an RPG called “Project Mercury” and an MMO called Copernicus. According to their website:

Project Mercury begins an epic journey into a vast universe created by renowned fantasy author R. A. Salvatore and crafted under the artistic vision of Todd McFarlane. The RPG is being developed by Big Huge Games, a wholly-owned subsidiary of 38 Studios, under the creative leadership of Ken Rolston, lead designer of The Elder Scrolls III: Morrowind and The Elder Scrolls IV: Oblivion. Project Mercury sets the stage for limitless adventures in a master-crafted world, which will include the company’s upcoming MMO, Copernicus.

If you are a gamer, this is huge news and definitely something to keep an eye on.