
Know All About How Cybercriminals Disguise URLs

Corporate security specialists usually know plenty of confident employees who say that they never click on dangerous links and are therefore not exposed to cyber threats. Sometimes these employees use this argument when they ask for company security measures that impede their work in one way or another to be disabled. However, attackers often mask malicious and phishing links, trying to confuse both email filters and human observers. Their goal is to get victims (even those who check URLs, as we repeatedly recommend) to click on an address that appears to lead to one place but actually takes them to another. Here are the most common methods used by cybercriminals to hide malicious or phishing URLs.

The @ sign in the address

The easiest way to hide a real domain in an address is to use the @ sign in the URL. This is a completely legitimate character that can be used to embed a login and password in a website address: HTTP allows you to send credentials to a web server via the URL, simply by using the format login:password@domain.

If the data in front of the @ sign is incorrect and not suitable for authentication, the browser will simply drop it and take the user to the address located after the @ sign. Cybercriminals take advantage of this: they invent a convincing page name, use the name of a legitimate website in it, and put the actual address after the @ symbol. For example, look at the address of our blog, which is masked in this way:

It looks like a page with a lot of words in the title, hosted somewhere in a Google domain, but the browser takes you to http://kaspersky.com/blog/.

Digits instead of IP address

In the previous method, attackers often try to confuse the user with a long page name in order to distract them from the actual address, because it still remains in the URL. But there is a way to hide it completely: by converting the IP address of the site to an integer. As you probably know, IP addresses are not very convenient to store in databases.

Therefore, at some point a mechanism was invented to convert IP addresses into integers (which are much more convenient to store) and vice versa. And nowadays, when modern browsers see a number in a URL, they automatically convert it to an IP address. In combination with the same @ sign, the actual domain is effectively hidden. This is what a link to our company website might look like:
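Added example, not part of the original article: a defender-side check that a mail filter or analyst could run to recover the host a browser will actually contact when a link uses the @ sign, an integer host, or both. The helper name `real_destination` is hypothetical, and the sample URLs are constructed from reserved `.example` names and the documentation address 192.0.2.1.

```python
import ipaddress
from urllib.parse import urlsplit


def real_destination(url):
    """Return (host, findings) for the host a browser would actually contact."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # urlsplit already discards userinfo and port
    findings = []

    # Everything between "//" and the last "@" is userinfo (login[:password]),
    # not the host, however much it looks like a trusted site name.
    if "@" in parts.netloc:
        userinfo = parts.netloc.rpartition("@")[0]
        findings.append(f"text before '@' is userinfo, not the host: {userinfo!r}")

    # A host made only of digits is the 32-bit integer form of an IPv4 address.
    if host.isascii() and host.isdigit() and int(host) <= 0xFFFFFFFF:
        host = str(ipaddress.IPv4Address(int(host)))
        findings.append(f"integer host decodes to IPv4 address {host}")

    return host, findings


# Constructed sample links (assumptions for illustration, not taken from the article).
SAMPLES = [
    "http://www.trusted.example%2Fnews%2Farticle@landing.example/blog/",
    "http://login:password@3221225985/",
    "https://landing.example/plain",
]

if __name__ == "__main__":
    for url in SAMPLES:
        host, findings = real_destination(url)
        print(f"{url}\n  real host: {host}")
        for finding in findings:
            print(f"  flag: {finding}")
```

A link that produces any finding deserves a closer look, since ordinary links in email rarely carry userinfo or an integer host.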

Email Providers

Another way to hide your page behind someone else’s URL is to use an ESP (email service provider), that is, a service for creating legitimate newsletters and other mailings. We have already written in detail about this method in one of our previous posts. In short, criminals use one of these services, create a mailing campaign, enter a phishing URL and, as a result, get a ready-made, clean address that carries the reputation of the ESP company. ESP companies, of course, try to take action against this misuse of their service, but this does not always work.

Redirection via Baidu

The Chinese search engine Baidu has a rather interesting approach to displaying search results. Unlike Google, it does not give you links to sites, but instead creates links to itself with a redirect to the desired site.

That is, in order to disguise a malicious URL as a Baidu link, cybercriminals just need to find the page in the search results (which is quite simple if you enter the exact address), copy the link and paste it into a phishing email.
