Spoofing a Website Address: How to Obscure a URL

I have been asked recently about the dangers of clicking on unknown links in e-mails. This led to a discussion on how hackers disguise website addresses or URLs. There are actually several tactics that spammers and hackers will use to disguise a website address. Today, I wanted to take a quick look at some of them.

Microsoft released a good article on how to recognize spoofed sites. Spammers will try to register website names that are close to the website they are trying to spoof. For example, misspelled words like Micosoft or Mircosoft would be options for someone trying to spoof Microsoft. Another common tactic is to use the number “0” in place of the letter “O”, or to add extra words to the website name, like security-microsoft.com. Internet Explorer 8 tries to help you recognize these tactics by always highlighting the domain name in bold so you can verify the spelling.

Also, spammers will use very long names in links to disguise the actual site that they are trying to send you to. A website address (also called a Fully Qualified Domain Name) can be up to 255 characters long. So when displayed in the address bar, it wraps so you cannot see the whole address. They will add some official-looking directories to the name to make it look more legitimate. For example:

http://www.malwarebadsite.com/up_to_no_good/exploited_machines/…lots_of_random_junk…/Official/Microsoft/Security/Updates/. When displayed, you will only see the “/Official/Microsoft/Security/Updates/” part of the address.

Okay, these ones you could catch if you scrutinize the address closely enough. But there are other ways to write a domain name. For example, you can use the IP address instead of the name. If you open a command prompt and type “ping google.com” you will see “pinging Google.com [72.14.204.103]”. You can take that number and place it into the Internet Explorer address bar and you will end up at Google.com. That one is well known, but how else can you write the address? Here are some other, less known ways to write an internet address:

  1. DoubleWord (dword): Google.com in dword is 1208929383 (the four bytes of the IP address read as one 32-bit number).
  2. Hexadecimal: Google.com in hex is 0X480ecc67 (convert the IP address to hex and then add “0x” in front so IE knows that it is a hex number.)
  3. Octal: Google.com in octal is 0110.016.0314.0147 (convert each part of the IP address to octal, and then add a “0” in front of each number so IE knows that it is octal.)

Go ahead, copy and paste any of the numbers above into your IE browser and you will end up at Google.com. Or you can “ping 1208929383” from a command prompt and you will get a response from 72.14.204.103. Firefox seems much better than IE at parsing these out; placing these numbers in Firefox did not seem to work, I got a DNS error or BAD ADDRESS error message. Hackers will use the numbered IP addresses instead of a domain name to further mask the malware site.

If you want to know more, an excellent article for converting IP addresses to other forms and full instructions on how to do so can be found at PCHelp.com. Two sites that are helpful in converting the IP address are IPAddressLocation and IPAddressConverter.

One last point to keep in mind. Website spoofing is not just used by vicious hackers. Sometimes your users may be using this tactic also. When you set up your firewall filter and block sites that you don’t want your users on, some routers will allow users to bypass the filter by using the spoofing tactics listed above. So if you want to keep people off youtube.com, you may need to also block the actual IP address and possibly the other variants listed above as well. I have seen SOHO setups where specific sites were blocked by name, allowing no access to the domain name, but you could still get to them by putting in the IP address.
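A defensive counterpart to the numbered list above and to the filter-bypass point in this paragraph, written as an added example (not the post's own code): it normalizes every numeric spelling an inet_aton-style browser parser accepts (dword, hex, octal, dotted) back to plain dotted-quad before checking a URL against a blocklist, so a rule written by name plus IP catches all the variants. The blocklist is constructed for the example; 72.14.204.103 is the address the post reports for google.com at the time of writing.

```python
from ipaddress import IPv4Address
from urllib.parse import urlsplit


def _component(part):
    """Parse one dot-separated component using the rules the post describes:
    a '0x' prefix means hex, a leading '0' means octal, otherwise decimal."""
    if part.startswith("0x"):
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def canonicalize_host(host):
    """Map dword, hex, octal or dotted IPv4 spellings to plain dotted-quad.
    The last component fills whatever bytes remain (inet_aton behaviour), so a
    lone dword or '0x' hex string covers all four bytes. Anything that is not a
    numeric address (a DNS name, an out-of-range number) comes back lowercased."""
    name = host.strip().lower()
    try:
        nums = [_component(p) for p in name.split(".")]
    except ValueError:
        return name
    if not 1 <= len(nums) <= 4 or min(nums) < 0:
        return name
    *lead, last = nums
    tail_bytes = 4 - len(lead)
    if any(n > 255 for n in lead) or last >= 256 ** tail_bytes:
        return name
    value = 0
    for n in lead:
        value = (value << 8) | n
    value = (value << (8 * tail_bytes)) | last
    return str(IPv4Address(value))


def build_blocklist(entries):
    """Canonicalize every blocklist entry so lookups compare like with like."""
    return {canonicalize_host(e) for e in entries}


def is_blocked(url, blocklist):
    """True if the URL's host, after canonicalization, is on the blocklist."""
    host = urlsplit(url).hostname or ""
    return canonicalize_host(host) in blocklist


if __name__ == "__main__":
    # Constructed blocklist: the name plus the IP the post resolved it to in 2010.
    blocked = build_blocklist(["google.com", "72.14.204.103"])
    for url in ("http://1208929383/", "http://0X480ecc67/", "http://0110.016.0314.0147/"):
        print(url, "->", canonicalize_host(urlsplit(url).hostname), is_blocked(url, blocked))
```

Note that a blocklist holding only the name still misses every numeric form, which is exactly the gap described above; the IP entry is what closes it.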

View Webpages from the Past: Wayback Machine

When a hacker targets a system, they will usually use a tactic called reconnaissance to gather as much information as possible about the victim. Some hackers will use programs to download your website to search and view it offline. It is amazing how much information can be gleaned from some websites. Documents, contact information, even file structure, and exploitable directories are some targets of interest.

Many companies are more security conscious now and monitor what they put up on their websites. But, what if there was a complete copy of your website available from a year ago, or even 10 years ago? Enter Archive.org’s Wayback machine. Archive.org creates a backup copy of your website and saves it in archive form. Many websites can be viewed from years in the past all the way back to 1996. Want to read CNN or Foxnews news from 2000? You can find it on Archive.org. According to their website:

The Internet Archive is a 501(c)(3) non-profit that was founded to build an Internet library. Its purposes include offering permanent access for researchers, historians, scholars, people with disabilities, and the general public to historical collections that exist in digital format. Founded in 1996 and located in San Francisco, the Archive has been receiving data donations from Alexa Internet and others. In late 1999, the organization started to grow to include more well-rounded collections. Now the Internet Archive includes texts, audio, moving images, and software as well as archived web pages in our collections, and provides specialized services for adaptive reading and information access for the blind and other persons with disabilities.

The Wayback machine is powered by Sun technology, and can serve over 500 inquiries a second. Most people don’t know that their websites are being actively archived. This could be a security risk for you and your company. If you find that your site is in the archive and you want it removed, instructions can be found here.

Firefox Releases Another Security Patch

If you upgraded your Firefox last week, it’s time to upgrade again. Mozilla released another security update on April 1st, Firefox 3.6.3. This patch plugs a hole exposed in the CanSecWest Pwn2Own security contest last month.

Firefox is the first browser to receive a security update patching a vulnerability exposed in the contest:

“Just one week after a U.K.-based hacker known as “Nils” broke into a 64-bit Windows 7 machine with a Firefox vulnerability, the open-source group shipped Firefox 3.6.3 to plug the security hole.”

For more information see the ZDnet Blog.

Security Update for Firefox

Mozilla moved the scheduled Firefox update up a few days to address a zero-day exploit. If you use the Firefox browser, please update to the 3.6.2 release. The new version addresses this exploit.

I had an error on the security patch for mine, so I had to download the full version, then reboot. Once I rebooted the error went away.