Wilders Security Forums  

#1 | Rmus | June 29th, 2010, 12:18 AM
Following a Spam trail: bogus URLs

If I display this hyperlink to the Wilders main page, are you sure you will go there if you click?

Wilders Security Forums

If you click, you will be taken to the Google Home Page. Here's how, if you don't already know HTML code.

If you look at the source code of any web page, you will see that the hyperlink consists of two parts.

Code:
<a href="http://www.google.com">Wilders Security Forums</a>
I've indicated in blue the link itself, the http address. In red is what will display on the web page. As you can see, it is very easy to fake a hyperlink. If you hover the mouse over the hyperlink, the real URL will be revealed, although it's possible for a cybercriminal to disable mouse actions with certain scripts.

[Attached image: facebook_wilders.gif]

Bogus hyperlinks are common in emails. Here is one I found today in my Yahoo account Spam folder:

[Attached image: facebook_yahoo.gif]

I showed this email to three people and asked what they would do if they received such a thing. All said the same thing: they wondered what the Facebook message was, and all said they would click to read it.

Well, a surprise would be in store, for that link was fake:

[Attached image: facebook_yahoomouse.gif]

If the browser has javascript whitelisted, the user sees this page after clicking:

[Attached image: facebook_enter.gif]

If the user clicks on the "Enter", a Pharmacy web site loads:

[Attached image: faceboook_pharmacy.gif]

If javascript is enabled globally, clicking on the hyperlink in the email will take the user directly to the same Pharmacy page, since there is a script on the page to load it automatically.

In this case, as long as the user clicks, having javascript disabled won't prevent the Pharmacy page from eventually loading.

Fake hyperlinks are one of the easiest ways to get users to these sites.

Another way of using hyperlinks is to employ redirection/referral, but that is another topic.

----
rich

Last edited by Rmus : June 29th, 2010 at 12:27 AM.
#2 | CloneRanger | June 29th, 2010, 01:16 AM

Yes it's a big problem for most people, in my experience with them

Even with scripts enabled on here, when i hovered over your Wilders Security Forums hyperlink nothing appeared.

Now and then i open emails that look as if they might contain a nasty etc, or a hyperlink to one. Mostly they are all disguised in the way you describe with some innocent looking text. I always copy/paste these into Metapad and get the true www.

I don't have javascript etc enabled globally, and referrers are blocked by Ghostery. So for me clicking anything and everything isn't a danger, but for others it can be, and is.

I'll show this thread to several people i know, and hope it shakes them up a bit. Or hopefully a bit more than a bit
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
#3 | Rmus | June 29th, 2010, 01:57 AM

Quote:
Originally Posted by CloneRanger
Even with scripts enabled on here, when i hovered over your Wilders Security Forums hyperlink nothing appeared.

Which browser? Opera has a setting for displaying that - it's not script-dependent. IE6 shows the link in status bar when hovering the mouse.

Quote:
I don't have javascript etc enabled globally, and referrers are blocked by Ghostery. So for me clicking anything and everything isn't a danger, but for others it can be, and is.

In my email example, though, it is a user vulnerability. That is, no matter the script setting, if the user keeps clicking, the Pharmacy page will eventually load!

----
rich
#4 | CloneRanger | June 29th, 2010, 02:12 AM

Quote:
Which browser?

FF, and i thought you meant i'd see something like this when hovering over the link

[Attached image: r.gif]

That works without scripting, and with IE6, maybe it's CSS ?

Quote:
IE6 shows the link in status bar when hovering the mouse

And so does FF in the status bar, but NOT hovering as above.

Quote:
In my email example, though, it is a user vulnerability. That is, no matter the script setting, if the user keeps clicking, the Pharmacy page will eventually load!

Absolutely, agreed, and they do

*

Edit - Extra status bar info

Last edited by CloneRanger : June 29th, 2010 at 02:24 AM.
#5 | Rmus | June 29th, 2010, 02:52 AM

In Opera, checking "Show Tooltips" displays hyperlinks when hovering the mouse:

[Attached image: tooltips.gif]

From the Opera Help file:

Quote:
When you hover certain elements in Opera or on Web pages with your mouse,
Opera displays small tooltips that add information about the element. If you do not want
to see them, uncheck the "Show tooltips" option.

IE6 displays the real link in the Status Bar when you hover the mouse:


[Attached image: ie_statusbar.gif]

[Attached image: ie_hover.gif]
#6 | SweX | June 29th, 2010, 07:35 AM

I hover over the Wilders hyperlink in Safari 5.0 on WinXP and no signs of the link here either
__________________
OpenDNS ESET Smart Security
-A Heavy product is not the same as a Bloated product and vice versa-
#7 | Sadeghi85 | June 29th, 2010, 02:31 PM

Quote:
Originally Posted by CloneRanger

Even with scripts enabled on here, when i hovered over your Wilders Security Forums hyperlink nothing appeared.

You might be interested to use URL Tooltip extension.
#8 | CloneRanger | June 29th, 2010, 04:57 PM

@Rmus

Did you see my edit ?

@Sadeghi85

Quote:
You might be interested to use URL Tooltip extension.

Mentions a 5 second to vanish delay on their www, which put me off at first. But i installed it anyway to test, and as soon as you move your mouse away it's gone

Thanks it works just fine.
#9 | Sadeghi85 | June 29th, 2010, 05:36 PM

Quote:
Originally Posted by CloneRanger

Mentions a 5 second to vanish delay on their www, which put me off at first.

No, that's 5 second tooltip timeout (meaning the tooltip will disappear after 5 seconds while the mouse isn't away). There is a No Tooltip Timeout extension for those who are still using 3.0.* .

Quote:
Originally Posted by CloneRanger
Thanks it works just fine.

#10 | CloneRanger | June 29th, 2010, 05:43 PM

@Sadeghi85

Quote:
the tooltip will disappear after 5 seconds while the mouse isn't away

Yes thanks got that
#11 | chrisretusn | June 30th, 2010, 06:13 AM

Great stuff Rmus.

One habit I have gained over the years is to glance at the Firefox Status Bar to see where it goes. That Google link was revealed in the Status Bar.

My e-mail client also shows the actual link in its status bar. I recently received a Facebook invite from Angelina Jolie.

Of course it was fake. The URL did not go to Facebook. In fact the URL it went to has been taken down.
__________________
FreeDOS, Haiku, PCLinuxOS, Slackware, Snow Leopard, Ubuntu, Ultimate Edition, Windows 7, Windows XP. (Primary OS, KDE)

Living in Paradise!!
#12 | vasa1 | June 30th, 2010, 06:34 AM

Quote:
Originally Posted by Rmus
...If you hover the mouse over the hyperlink, the real URL will be revealed, although it's possible for a cybercriminal to disable mouse actions with certain scripts.
...
----
rich

I always check by hovering. In case hover is disabled, what will result?

To my mind, nothing will be revealed and that in itself should also serve as a warning.

...
(Slightly off-topic, another point worth mentioning is the use of URL shorteners.)
#13 | Rmus | June 30th, 2010, 04:14 PM

Quote:
Originally Posted by vasa1
I always check by hovering. In case hover is disabled, what will result?

The only examples of this I've seen of disabling mouse actions in exploits in the wild are those targeting IE, where a VBScript does the work. VBScript in web page code, of course, won't affect non-IE browsers.

Quote:
To my mind, nothing will be revealed and that in itself should also serve as a warning.

Excellent policy/procedure!

Quote:
(Slightly off-topic, another point worth mentioning is the use of URL shorteners.)

There are a number of online shortened url revealers, such as

http://url.waglo.com/

Paste in the 'tinyurl' w/o the 'http://'


----
rich
#14 | Rmus | June 30th, 2010, 05:06 PM

Quote:
Originally Posted by chrisretusn
Great stuff Rmus.

One habit I have gained over the years is to glance at the Firefox Status Bar to see where it goes. That Google link was revealed in the Status Bar.

Very good habit!

Here's a situation a bit more problematical to deal with. In the same Facebook email I received, there is a second fake URL at the hyperlink "here" where the reader can click to unsubscribe -- evidently aimed at those who aren't Facebook users, a bit miffed at getting such a message, and then decide to unsubscribe:

[Attached image: facebook_here.gif]

Well, if clicking on "here" the user would wind up on the same Pharmacy site.

How many people would check that hyperlink with a mouse hover? And would everyone think that the unsubscribe link should necessarily go to a Facebook URL?

One policy advocated in many anti-spam articles is, Never click to unsubscribe -- it just shows the sender that your address is a legitimate one.

----
rich
#15 | CloneRanger | June 30th, 2010, 05:27 PM

@Rmus

Quote:
How many people would check that hyperlink with a mouse hover?


Nearly everyone i've known

Quote:
And would everyone think that the unsubscribe link should necessarily go to a Facebook URL?

They would

Quote:
One policy advocated in many anti-spam articles is, Never click to unsubscribe -- it just shows the sender that your address is a legitimate one.

Exactly !

I'm sick of showing/telling people, some just keep on forgetting, or something
#16 | chrisretusn | July 1st, 2010, 03:04 AM

Quote:
Originally Posted by Rmus
How many people would check that hyperlink with a mouse hover? And would everyone think that the unsubscribe link should necessarily go to a Facebook URL?

One policy advocated in many anti-spam articles is, Never click to unsubscribe -- it just shows the sender that your address is a legitimate one.

A policy that I have always followed. Unfortunately not everyone does. At one time or another I have had friends who, regardless of my advice, clicked that link (any link for that matter). They just got more spam and I say I told ya so... So far they have been lucky, or should I say I've been lucky; only one friend got himself badly infected. He is really careful now.

One thing about these hidden links. Sometimes they include a code or your e-mail address so if you click it they will know they got a live one. Many also have those hidden image web bugs that do the same thing just by opening the messages. Thankfully most clients and web mail services protect against that. I know my e-mail client does.

I often dissect these messages and check the links; more often than not, the site has already been shut down. Once in a while I get a live one. That Canadian Pharmacy is by far the most frequent. When CastleCops was around I used to submit my spam, even got a few uniques once in a while. These days I don't bother. I do collect them. They come in handy for retraining my e-mail client's Bayesian filters.
#17 | chrisretusn | July 1st, 2010, 03:22 AM

On the slightly off-topic, shortened URLs, which I think is quite on topic.

I don't recall getting spam that used a shortened URL but they must be out there and part of the spam trail. I would hope most of the legit URL shortener services do checks to prevent this, but there are a boat load of these services out there.

My favorite is: http://longurl.org/

They also have a Greasemonkey script that expands these URLs. It is quite handy.
#18 | Hermescomputers | July 7th, 2010, 10:10 AM

The problem with obfuscated or bogus URLs is an old one...

The issue is that URLs can be issued with a multitude of methods...

Typically URLs can be obfuscated in at least three ways to avoid recognition of the actual destination address.

A URL may consist of meaningless or deceptive text located after "http://" and before an "@" symbol.

The domain name can be expressed as an

1. Standard IP address
2. dotted-decimal
3. dword
4. octal
5. hexadecimal

all of these formats have variants such as
base 10, 16, 32 , 64 and so on...

Characters in the URL can be expressed as hexadecimal numbers.

To better understand these obfuscation methods, look at the following example, common with spammers and hackers who do not wish for you to understand the true destination of the link.

Look at the following:
In this instance it is the regular Google URL: <http://www.google.com>

1. First convert it to its own native IP: <http://64.233.161.104> (obtain the last known IP address for any domain)
2. Then add some bogus authentication gibberish such as: <http://www.yahoo.com@64.233.161.104>
3. Then you convert the real URL into a single number so it looks like a genuine document on the Yahoo.com web site:

You get this: <http://www.yahoo.com@1089053032> Paste this link in your browser, and where does it go? Directly to Google.

You can read more on this on my article on secured web browsing here:
http://www.hermes-computers.ca/index.php?pid=46
__________________
--
Live Technical Support Help Desk
We Provide Online Computer Help. Our technical Support Staff Can Fix Computer Problems, Clean Viruses, Speed up your Computer, Remove Spyware, and Eliminate Computer Crashes.
www.hermes-computers.ca
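
To see through the obfuscations listed in the post above (decoy text before "@", dword/octal/hex host forms, hex-escaped characters), a link can be normalised before anyone clicks it. This is an added example, not code from the post or the linked article; the function names are hypothetical, and the sample URLs are the ones given in the post plus constructed octal and hex variants of the same address.

```python
import ipaddress
from urllib.parse import urlsplit, unquote

def _parse_ipv4_part(part):
    """Parse one host component as decimal, octal (leading 0) or hex (0x)."""
    if not (part.isascii() and part.isalnum()):
        raise ValueError(part)
    if part.lower().startswith("0x"):
        return int(part[2:] or "0", 16)
    if len(part) > 1 and part.startswith("0"):
        return int(part, 8)
    return int(part, 10)

def host_to_ipv4(host):
    """Return dotted-decimal IPv4 for a numeric host written as a dword,
    octal, hex or 1-4 part address, or None if the host is a name."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_parse_ipv4_part(p) for p in parts]
    except ValueError:
        return None
    # The last part fills all remaining bytes (inet_aton-style parsing)
    *head, last = nums
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value += n << (8 * (3 - i))
    return str(ipaddress.IPv4Address(value))

def real_destination(url):
    """Separate the decoy userinfo from the host and normalise the host."""
    parts = urlsplit(url)
    host = unquote(parts.hostname or "")   # undo %xx-escaped characters
    return {
        "decoy_userinfo": parts.username,  # text before '@', not the site
        "host": host,
        "ipv4": host_to_ipv4(host),        # None when the host is a name
    }

# URLs from the post, plus constructed octal and hex forms of the same IP
SAMPLES = [
    "http://www.yahoo.com@64.233.161.104",
    "http://www.yahoo.com@1089053032",
    "http://www.yahoo.com@0100.0351.0241.0150",
    "http://www.yahoo.com@0x40.0xe9.0xa1.0x68",
]
```

Every entry in `SAMPLES` resolves to the same `ipv4` value, and `decoy_userinfo` shows the part of the link that only exists to mislead the reader.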

#19 | chrisretusn | July 8th, 2010, 08:41 PM

That was an interesting post.

Even with obfuscation, the real destination will be revealed in the Firefox status bar.

Last edited by chrisretusn : July 8th, 2010 at 09:18 PM.
 
