Following a Spam trail: bogus URLs

Discussion in 'malware problems & news' started by Rmus, Jun 29, 2010.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    If I display this hyperlink to the Wilders main page, are you sure you will go there if you click?

    Wilders Security Forums

    If you click, you will be taken to the Google Home Page. Here's how, if you don't already know HTML code.

    If you look at the source code of any web page, you will see that the hyperlink consists of two parts.

    Code:
    a href="[COLOR="Blue"]http://www.google.com[/COLOR]">[COLOR="DarkRed"]Wilders Security Forums[/COLOR]</a>
    
    I've indicated in blue the link itself, the http address. In red is what will display on the web page. As you can see, it is very easy to fake a hyperlink. If you hover the mouse over the hyperlink, the real URL will be revealed, although it's possible for a cybercriminal to disable mouse actions with certain scripts.

    facebook_wilders.gif

    Bogus hyperlinks are common in emails. Here is one I found today in my Yahoo account Spam folder:

    facebook_yahoo.gif

    I showed this email to three people and asked what they would do if they received such a thing. All said the same thing: they wondered what the Facebook message was, and all said they would click to read it.

    Well, a surprise would be in store, for that link was fake:

    facebook_yahoomouse.gif

    If the browser has javascript whitelisted, the user sees this page after clicking:

    facebook_enter.gif

    If the user clicks on the "Enter" a Pharmacy web site loads:

    faceboook_pharmacy.gif

    If javascript is enabled globally, clicking on the hyperlink in the email will take the user directly to the same Pharmacy page, since there is a script on the page to load it automatically.

    In this case, as long as the user clicks, having javascript disabled won't prevent the Pharmacy page from eventually loading.

    Fake hyperlinks are one of the easiest ways to get users to these sites.

    Another way of using hyperlinks is to employ redirection/referral, but that is another topic.

    ----
    rich
     
    Last edited: Jun 29, 2010
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Yes it's a big problem for most people, in my experience with them :(

    Even with scripts enabled on here, when i hovered over your Wilders Security Forums hyperlink nothing appeared.

    Now and then i open emails that look as if they might contain a nasty etc, or a hyperlink to one. Mostly they are all disguised in the way you describe with some innocent looking text. I always copy/paste these into Metapad and get the true www.

    I don't have javascript etc enabled globally, and referrers are blocked by Ghostery. So for me clicking anything and everything isn't a danger, but for others it can be, and is.

    I'll show this thread to several people i know, and hope it shakes them up a bit. Or hopefully a bit more than a bit ;)
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Which browser? Opera has a setting for displaying that - it's not script-dependent. IE6 shows the link in status bar when hovering the mouse.

    In my email example, though, it is a user vulnerability. That is, no matter the script setting, if the user keeps clicking, the Pharmacy page will eventually load!

    ----
    rich
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    FF, and i thought you meant i'd see something like this when hovering over the link

    r.gif

    That works without scripting, and with IE6, maybe it's CSS ?

    And so does FF in the status bar, but NOT hovering as above.

    Absolutely, agreed, and they do :(

    *

    Edit - Extra status bar info
     
    Last edited: Jun 29, 2010
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    In Opera, checking "Show Tooltips" displays hyperlinks when hovering the mouse:

    tooltips.gif

    From the Opera Help file:

    IE6 displays the real link in the Status Bar when you hover the mouse:


    ie_statusbar.gif

    ie_hover.gif
     
  6. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    I hover over the Wilders hyperlink in Safari 5.0 on WinXP and no signs of the link here either:)
     
  7. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    You might be interested to use URL Tooltip extension.
     
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @Rmus

    Did you see my edit ? ;)

    @Sadeghi85

    Mentions a 5 second to vanish delay on their www, which put me off at first. But i installed it anyway to test, and as soon as you move your mouse away it's gone :thumb:

    Thanks :) it works just fine.
     
  9. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    No, that's 5 second tooltip timeout(meaning the tooltip will disappear after 5 seconds while the mouse isn't away). There is a No Tooltip Timeout extension for those who are still using 3.0.* .

    :thumb:
     
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @Sadeghi85

    Yes thanks got that ;)
     
  11. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,322
    Location:
    Philippines
    Great stuff Rmus.

    One habit I have gained over the years is to glance at the Firefox Status Bar to see where it goes. That Google link was reveled in the Status Bar.

    My e-mail client also shows the actual link in it's status bar. I recently received a Facebook invite from Angelina Jolie. :)

    Of course it was fake. The URL did not go to Facebook. In fact the URL it went to has been taken down.
     
  12. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    I always check by hovering. In case hover is disabled, what will result?

    To my mind, nothing will be revealed and that in itself should also serve as a warning.

    ...​
    (Slightly off-topic, another point worth mentioning is the use of URL shorteners.)
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    The only examples of this I've seen of disabling mouse actions in exploits in the wild are those targeting IE, where a VBScript does the work. VBScript in web page code, of course, won't affect non-IE browsers.

    Excellent policy/procedure!

    There are a number of online shortened url revealers, such as

    http://url.waglo.com/

    Paste in the 'tinyurl' w/o the 'http://'


    ----
    rich
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Very good habit!

    Here's a situation a bit more problematical to deal with. In the same Facebook email I received, there is a second fake URL at the hyperlink "here" where the reader can click to unsubscribe -- evidently aimed at those who aren't Facebook users, a bit miffed at getting such a message, and then decide to unsubscribe:

    facebook_here.gif

    Well, if clicking on "here" the user would wind up on the same Pharmacy site.

    How many people would check that hyperlink with a mouse hover? And would everyone think that the unsubscribe link should necessarily go to a Facebook URL?

    One policy advocated in many anti-spam articles is, Never click to unsubscribe -- it just shows the sender that your address is a legitimate one.

    ----
    rich
     
  15. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @Rmus

    Nearly everyone i've known :D

    They would :(
    Exactly !

    I'm sick of showing/telling people, some just keep on forgetting, or something ;)
     
  16. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,322
    Location:
    Philippines
    A policy that I have always followed. Unfortunately not every one does. At one time or another I have had friends who, regardless of my advise, clicked that link (any link for that matter) :argh: They just got more spam and I say I told ya so... ;) So far they have been lucky or should I say I've been lucky only one friend got him self badly infected. He is really careful now. :cool:

    One thing about these hidden links. Some times they include a code or your e-mail address so if you click it they will know they got a live one. Many also have those hidden image web bugs that do the same thing just by opening the messages. Thankfully most clients and web mail services protect against that. I know my e-mail client does.

    I often dissect these messages and check the links, more often the not, the site has already been shutdown. Once in a while I get a live one. That Canadian Pharmacy is by far the most frequent. When CastleCops was around I used to submit my spam, even got a few uniques once in awhile. These days I don't bother. I do collect them. They come in handy for retraining my e-mail clients Bayesian filters.
     
  17. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,322
    Location:
    Philippines
    On the slightly off-topic, shortened URL's, which I think is quite on topic.

    I don't recall getting spam that used a shortened URL but they must be out there and part of the spam trail. I am would hope most of the legit URL shortener services do checks to prevent this, but there are a boat load of these services out there.

    My favorite is: http://longurl.org/

    They also have a Greasemonkey script that expands these URLs. It is quite handy.
     
  18. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    The problem with obfuscated or bogus URL is an old one...

    The issue is that URL's can be issued with a multitudes of method...

    Typically URLs can be Obfuscated in at least three ways to avoid recognition
    of the actual destination address.

    A URL may consists of meaningless or deceptive text.
    Located after "http://" and before an "@" symbol.

    The domain name can be expressed as an

    1. Standard IP address
    2. dotted-decimal
    3. dword
    4. octal
    5. hexadecimal

    all of these formats have variants such as
    base 10, 16, 32 , 64 and so on...

    Characters in the URL can be expressed as hexadecimal numbers.

    To Better understand these obfuscation methods look at the following example common with spammers and hackers who do not wish for you to understand the true destination of the link.

    Look at the following:
    In this instance it is the regular Google URL: <http://www.google.com>

    1. First convert it to it's own native IP: <http://64.233.161.104> obtain the last known IP address for any domain
    2. Then add some bogus authentication gibberish such as: <http://www.yahoo.com@64.233.161.104>
    3. Then you convert the real URL into a single number so it looks like a genuine document on the Yahoo.com web site:

    You get this: <http://www.yahoo.com@1089053032> Paste this link in your browser, and where does it go? directly to Google.

    You can read more on this on my article on secured web browsing here:
    http://www.hermes-computers.ca/index.php?pid=46
     
  19. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,322
    Location:
    Philippines
    That was an interesting post.

    Even with obfuscation, the real destination will be reviled in the Firefox status bar.
     
    Last edited: Jul 8, 2010
Loading...
Thread Status:
Not open for further replies.