Spotting fake Web Addresses
Aunty Jo received an email with some supposed vouchers for Sainsbury’s. She sent it to me by mistake and then messaged me to tell me it was probably fake. I said I could tell by the URL, and she asked me how. The URL she sent over was
http://sainsburys.co.uk-claimnow.com.
Obviously there are a lot of ways an attacker can get the better of you, but tricking you into going to an unsafe web site or downloading something unsafe is the ‘first step’ to just about every attack you’re likely to encounter (and be able to prevent).
What is a URL
It stands for “Universal Resource Locator” but you’ll more commonly hear it just called a “web address”.
You’ll certainly recognise it from the top of your web browser:

“Web address” is actually a very good name for it as it really is an address; it works very much like a street address, e.g.
10, High Street,
Kensington,
London
England
When you try to resolve a street address to a real, concrete building you have to read it back-to-front. If you’re travelling to this one then you’d go to England, then London inside England, then Kensington inside that and then High Street and building number 10.
The URL
Let’s look at the URL again in a bit more detail.
https://en.wikipedia.org/wiki/Uniform_Resource_Locator
All web pages start with http:// or https://, so we can forget about that. This is actually the “protocol”, but is called the “scheme” when we’re talking about websites, for good reasons I’m sure.
You might see file:/// sometimes; this is referring to your computer. If you were to open a file on your hard drive in the browser, then you’d see this in the address bar.
Next look for the first forward slash after the scheme. The bit between the http(s):// and the first forward slash is what we’re interested in (with two exceptions that we’ll worry about later). In this example it’s
en.wikipedia.org
This is called the domain. You can buy these to use for whatever you want. org is called the “top level domain” and is often abbreviated to TLD. TLDs are maintained by big multinational organisations. wikipedia.org is the domain name. Anybody, good or bad, can buy these for whatever use they want. The en bit in front is called a “sub-domain”. You can put as many sub-domains on a domain you own as you want, or none at all. Notice that these are all separated by a single dot (“.”).
The computer, as with the street address, reads this back-to-front and uses . to separate the sections. So, it’ll see org first, and send the request to the org bit of the Internet, then within that it’ll look for wikipedia and then, within wikipedia it’ll look for the en bit. If you change the en to zh for example, you’ll get the Chinese version of Wikipedia. This is en in wikipedia in org.
en.wikipedia.io has nothing to do with en.wikipedia.org.
The rest of the URL, after the .org/, tells the server you arrive at what you actually want. Think of it as akin to a department, room number, person etc. within a single building.
Hacking a street address
Imagine Ken’s Tools
Ken’s Tools
High Street,
Kensington,
London
England
It’s OK, you visit Ken’s Tools all the time, so no problem. Maybe there’ll be a coupon through your door telling you to go there for a 50% discount if you visit.
50% Off at Kens Tools!!!
Ken’s Tools
High Street,
Kensngton,
London
England
A quick glance looks good, but if you were to hop in a taxi and go there as fast as you could, you wouldn’t end up at Ken’s Tools in Kensington, you’d end up at some other place in some town called Kensngton. This is because street addresses are hierarchical and are resolved from the bottom to the top.
Back to the URL Aunty Jo sent over.
http://sainsburys.co.uk-claimnow.com
Let’s re-write it so we can see the sections more clearly:
http:// ← sainsburys ← co ← uk-claimnow ← com
Reading backwards it wants to take you to com first, then something called uk-claimnow and then, inside that co and finally sainsburys. If it was http://claimnow.com.sainsburys.co.uk then it’d be odd, but probably legit because it’s inside Sainsbury’s domain.
Once you’re there, uk-claimnow.com might do something like try to get you to sign up for something, or convince you to install something, or even do something very clever like show the real Sainsbury’s site through its site and log all your key presses (which might include your credit card number, passwords or whatever).
So, in order to figure out if a URL is probably legit, read the domain from right to left.
The Two Exceptions
I said that there were two exceptions, here they are.
Port numbers
The domain can include an integer called the “port number”. What it does isn’t really important, just that you might see it. If there is one it’ll be written like this:
http://www.example.com:1234/
You normally won’t see one, so if it is there be suspicious and ask the question “Why?”. You can ignore it if it’s one of these combinations:
http://www.example.com:80/something
https://www.example.com:443/something
Username and passwords
In old sites, you can pass your user-name and password to the site in the URL. We don’t do that any more because it’s stupid but HTTP still supports it anyway. If you do this then the URL will look like:
http://username:password@example.com/something
This can also be used to obscure the true destination because the user-name can be anything (almost). This means I could send you a URL like:
http://www.sainburys.com:a@sainsburys.co.uk-claimnow.com
Which at first glance looks OK, but check it again.
I can even do tricks like adding loads of characters to make the @ symbol move off the screen:
http://www.sainsburys.com/fruits/oranges/special-offers:just-lots-of-text-so-you-can-not-see-that-i-am-really-a-scam-url@sainsburys.co.uk-claimnow.com
If I paste this into the browser I see something that looks perfectly reasonable because the right hand side is pushed off:

To see it all I’d have to copy it out and paste it into Notepad. The hacker is relying on your not noticing until it’s too late.
Nasty stuff.
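The right-to-left reading and the two exceptions above, as an added example that is not part of the original post. It uses the standard URL parser built into browsers and Node.js; the short suffix list and the expectedDomain parameter are assumptions made for the demo.

```javascript
// Added example; not code from the original post.
// Constructed stand-in for the Public Suffix List: only the few two-label
// suffixes this demo needs. Real tooling should use the full list.
const TWO_LABEL_SUFFIXES = new Set(["co.uk", "org.uk", "ac.uk", "gov.uk"]);

// The part somebody actually bought: the suffix plus one label to its left.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  const lastTwo = labels.slice(-2).join(".");
  const take = TWO_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-take).join(".");
}

// expectedDomain is a hypothetical parameter: the domain you believe you are visiting.
function inspectUrl(raw, expectedDomain) {
  const u = new URL(raw); // splits scheme, user-name, password, host, port, path
  const domain = registrableDomain(u.hostname);
  const warnings = [];
  if (u.username || u.password) {
    warnings.push("text before @ is a user-name, not the site");
  }
  if (u.port) { // empty when it is the scheme default (80 for http, 443 for https)
    warnings.push("unusual port " + u.port);
  }
  if (domain !== expectedDomain) {
    warnings.push("domain is " + domain + ", not " + expectedDomain);
  }
  const rightToLeft = u.hostname.split(".").reverse();
  return { host: u.hostname, rightToLeft, domain, warnings };
}

// URLs taken from the text above, paired with the domain a reader would expect.
const samples = [
  ["http://sainsburys.co.uk-claimnow.com", "sainsburys.co.uk"],
  ["http://claimnow.com.sainsburys.co.uk", "sainsburys.co.uk"],
  ["http://www.sainburys.com:a@sainsburys.co.uk-claimnow.com", "sainsburys.co.uk"],
  ["http://www.example.com:1234/", "example.com"],
  ["https://www.example.com:443/something", "example.com"],
];
for (const [raw, expected] of samples) {
  const r = inspectUrl(raw, expected);
  console.log(raw);
  console.log("  read right to left: " + r.rightToLeft.join(" > "));
  console.log("  " + (r.warnings.length ? r.warnings.join("; ") : "nothing odd"));
}
```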
What to do?
OK, so you don’t know all the legitimate URLs in the world. Big companies will probably have my-big-company.com or my-big-company.co.uk but smaller ones might not. They might be .net, .org, .io or one of many others (I’d stay clear of .xxx though).
If you are unsure, don’t click the link.
Go to Google or Bing and search for the company yourself. You’ll see search results, with paid advertisers at the top.

Don’t click the one with the Ad symbol as these are paid for and could be anybody; look at the top results under that. You can see the URL printed there too. In this case, the advert is fine as well, as they both have the same URL.
Other than that, it’s just detective work. Standard rules: if it’s too good to be true, it probably is. If the website looks ‘off’ or slightly different to what you’re used to, don’t type in your credentials or credit card number or anything.
Think about what you would do if someone was on the end of the phone. What would make you trust them? Do they sound right? Do they know your name etc.? Are they asking too many questions? Is there a weird noise on the line or unusual lag?
Ultimately, you can phone a company and confirm what their site address is. I’ve done this before.
Anyhow, hope this helps and makes some sort of sense.
What can go wrong
- Being a pain in the arse. Just throwing loads of adverts at you. Nothing that shutting your browser down won’t cure.
- Click-baiting. Advertisers pay sites per advert rendering, so just getting you on the page might earn them a fraction of a penny.
- Try to sell you something that is legit, but under false pretences.
- Get you to buy something or some service that is worthless. (Often convincing you that your computer is broken in some way.)
- Convincing you to download and run something that will give them access to your computer in some way. They might use it just to vandalise your computer, maybe steal information about you like bank details etc., maybe encrypt your whole drive and demand money off you to decrypt it (look up ransomware).
- Maybe use your computer to assist in some other crime.