So to complement our Phishing Techniques blog post, here’s a little more information on how domain names are used to help these criminals steal your user information. It’s mostly about mind games: their goal is to make you believe you’re on a legitimate authority site, securely entering your login info. One thing all users look at is the domain name. If it looks familiar and the site seems identical to the original one, they pretty much hand over their details to the phisher.
But how do users mistake a phisher’s domain name for a real one? Take a look at the two URLs below. The first takes you to the Yahoo mail login page, whereas the second, at a quick glance, seems to do the same thing, right?
https://login.yahoo.com/config/mail?.intl=us
https://login.yahoo.com/config/mailkl.nl/-us
WRONG! The second takes you to a directory for the site mailkl.nl (.nl being the domain extension for the Netherlands). Now this of course was not a live example, as Yahoo may take offense and sue us, but it shows you how far phishers will go to confuse you. With domain extensions you have probably never heard of, this trick can be carried out over and over again. But this is only one basic example of how they trick you. There was a funny article posted not too long ago about an all-new phishing technique. It read as follows:
Until now customers have been able to check a link in an email by moving the mouse over it, thus revealing a fraudulent URL address. But this new method shows the legitimate web address of the bank in question. - posted late 2007
Urrr, this has been used by SEOs for several years now. How to hide the status bar message when hovering over names to show a fake URL was discussed in our forum a while back too. It’s nothing new at all; I knew of it back in 2001. It’s not at all a new technique, which also shows how far behind people are as opposed to these phishers. They just have not been enlightened enough, and companies online won’t make a big hype about it so as not to scare their clients. It’s a mess and no one is doing anything to clean it up.
IDN spoofing: using Unicode URLs that render in browsers in a way that looks like the original website address but actually link to a fake website with a different address.
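As an added example (not code from the original post), the following Python code shows one way to check a link for IDN spoofing: it decodes the host to the form a browser may display, flags labels that mix scripts, and compares a lookalike-folded copy of the host against a list of trusted hosts. The function names, the small LOOKALIKES table, the trusted host list and the sample URLs are all assumptions made for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed, deliberately tiny subset of Cyrillic letters that resemble Latin ones.
# A real check would use the full Unicode confusables data (UTS #39).
LOOKALIKES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i"}

def script_of(ch):
    """Rough script of a letter, read from its Unicode name (LATIN, CYRILLIC, ...)."""
    if not ch.isalpha():
        return None  # digits and hyphens are shared by every script
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def decode_label(label):
    """Turn an xn-- (punycode) label back into the Unicode a browser may render."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed punycode: keep the raw label
    return label

def inspect_url(url, trusted_hosts):
    """Report the host a URL really points at and why it may be an IDN spoof."""
    host = urlsplit(url).hostname or ""
    labels = [decode_label(part) for part in host.split(".")]
    shown = ".".join(labels)  # Unicode form, as it may be displayed
    wire = ".".join(lab if lab.isascii() else "xn--" + lab.encode("punycode").decode("ascii")
                    for lab in labels)  # ASCII (punycode) form used for the lookup
    reasons = []
    for label in labels:
        scripts = {script_of(c) for c in label} - {None}
        if len(scripts) > 1:
            reasons.append("mixed scripts in label: " + "+".join(sorted(scripts)))
    skeleton = "".join(LOOKALIKES.get(c, c) for c in shown)
    if shown not in trusted_hosts and skeleton in trusted_hosts:
        reasons.append("looks like trusted host " + skeleton)
    return {"shown": shown, "wire": wire, "reasons": reasons}

if __name__ == "__main__":
    trusted = {"www.paypal.com"}  # assumption: hosts the user really logs in to
    samples = ["https://www.paypal.com/signin",        # constructed sample URLs
               "https://www.p\u0430ypal.com/signin"]   # U+0430 replaces Latin "a"
    for sample in samples:
        print(sample.encode("unicode_escape").decode(), inspect_url(sample, trusted))
```

The "wire" value is the ASCII form of the host, which is the reliable thing to compare against the address you expected, whatever the address bar appears to show.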
You would think that it’s safe to assume the URL in your address bar is the real URL of the real site you’re looking at. Think again. Domains can be faked; even WHOIS info can be spoofed using XSS exploits, similar to the one posted by Klaus.
Next time you think you’re safely entering your PayPal login details on the oh-so-secure PayPal login page, think twice about how you found yourself on that PayPal page. If you did not type the URL by hand into the address bar, I would say you’re taking a risk. Did you know attackers can override your bookmarks with one of their own, titled exactly the same as the one in there? I did not think so.


