Phishing refers to fraudulent email messages designed to trick you into providing personal information.
As part of the scam, the links in the email message do not take you where they appear to.
Instead you are taken to a web site that looks real but exists on a computer
controlled by the bad guys.
If you have any reason to suspect that an email message is phony, always go
directly to the sending company's web site on your own. That is, if you suspect
a message that appears to be from Citibank (for example) is a scam, then verify
it by typing "www.citibank.com" into your web browser. Never, ever
click on the link in the email message. The rest of this page explains the ways
that links are toyed with to fool you as to their real destination.
There are four independent avenues of trickery:
- Using a domain name that appears to belong to the company being scammed
- Playing technical tricks with the link (URL)
- Exploiting known bugs in Internet Explorer and other software
- And perhaps the worst of all, DNS poisoning
All are explained below.
Domain Name Tricks
It can be hard to know if a domain really belongs to the organization it appears to.
For example, the
television network that airs 60 Minutes owns "cbs.com". But there is
no guarantee that "cbsnews.com" belongs to them too (it does) or
"cbs-news.com" (it does not) or "cbstoday.com" (it does not)
or "cbsnewsupdate.com" (does not yet exist). Also, not everything
is a "dot com". For example, "cbsnews.org" is not
associated with the television network, even though "cbsnews.com" is.
Below are some real life scams that embed a real domain name inside a
fraudulent one:
- The domains "eBay-secure.com" and "authebay.net" and
"ebayserver.net" are not associated with eBay. The latter is
registered to someone in China with a gmail address.
"authebay.net" was eventually abandoned, after it had served its scam purpose.
- "baltimoreorioles.com" is not the web site of the baseball team
in Baltimore. The person/company that owns this domain has chosen to hide
their identity. The baseball team is "orioles.com".
- The domains "cgi-paypal.us" and "paypal-cgi.us" are not associated with Paypal.
Neither is "help-paypalservice.tk", which is registered in Tokelau, a country whose
registry, conveniently, does not report the actual owner of domains.
- The domains "www.securecitibank.us" and
"www.citi-accountonline.com" and "citisupportteam.biz" are not associated with Citibank
- The domain "earthlink-renew.net" is not associated with
EarthLink, the ISP. It is owned instead by Peter Buchwald of Weston, AL
(jpconsult@usa.com).
- The domain "nortonantivirus.com" is not associated with Symantec
or the Norton Anti-Virus program. It is owned by someone who does not
provide their name and has an email address in Russia. The domain was
registered by joker.com which is often used by bad guys. As of January 2006,
it gets forwarded to antivirusdirectory.com which is also not associated
with any anti-virus software vendor but is instead owned by Bardenko Roman
of Firenze Italy.
- Nothing is more popular than YouTube. Look-alike URLs add an extra "L", as in
"youltube". There is, at least, a .info and a .com "youLtube".
- On November 8, 2005 eBay tried to get rid of the scam web site "ebaychristmas.net".
On November 25th, they were still trying when someone reported the phishing
web site to eBay. Four days later, eBay responded that the email message
was legitimate. It was not, and this got reported in the press. eBay must be
such a large organization that the left hand does not know what the right
hand is doing. And, at least one hand, needs some more technical training.
See eBay Fooled by Fast-moving Phishing Scam
by Netcraft.
- The domain bankfirsttennessee.com is not associated with First Tennessee
Bank whose actual domain name is firsttennessee.com. The owner of the phony
domain is Nathan Eltz at nathaneltz3@hotmail.com.
Note: I would be very hesitant about using online banking if you are a First Tennessee Bank
customer. For one thing, I tried to report this fraud on November 7, 2005
and there was no relevant contact
listed on their web site to report these
scams. The FAQ on their web site has this question: Is Banking Online secure?
The bank answer is:
"Absolutely. Each time you log in to Banking Online, one secure connection is opened to the bank. This connection is protected using Secure Sockets Layer (SSL) 3.0, a security protocol that prevents eavesdropping, tampering, and message forgery
over the Internet. Additional protection is provided using firewall technology. Firewalls monitor all data traffic to and from First Tennessee, ensuring that only known users are able to gain access."
This is wrong, for many reasons. SSL encrypts the connection to whatever web site you reached; it does not tell you whether that site is the bank, which is the whole point of phishing. And a firewall does not ensure that only known users can reach a public web site; anyone on the Internet can connect to it.
- The domain "citizens-friends.com" is not associated with Citizens Bank
(which is citizensbank.com). It is owned by Tara Hall of Tampa, Florida.
- The domain "yahoo-billing.com" was not associated with Yahoo.
However, after it was used by scammers, Yahoo acquired the name and now
ensures that it goes nowhere. Note that "yahoo-inc.com" appears to
actually belong to Yahoo.
- The domain "chase.onlinecustomer.info" is not associated with Chase bank.
- The domain www-signin-ebay-com-ws-ebay-isapi-dll-signin.122.pl is not where you sign in to an eBay account.
It is really 122.pl.
There are many valid domain suffixes (like the ".info" above) and
even large organizations, that should know better, fail to reserve all the
possible suffixes leaving an opening for scammers. For example, the web site of
the Wall Street Journal is wsj.com. But do the "wsj" domains with
other suffixes also belong to the newspaper (or really to Dow Jones which owns the paper)?
Domain | Legit?
wsj.net | yes
wsj.info | no
wsj.org | no
wsj.biz | no
wsj.us | yes
wsj.ws | not taken
Thus, if a scammer sends you to wsj.info, for example, any data you enter into that
web site goes to a man named Roman Mochejski in Poland.
Some of the examples above illustrate that dashes are part of a domain name, just like letters and numbers.
In determining who really owns a domain name, only the rightmost parts of
the name matter, and the only thing that separates the parts is periods. Under ordinary
suffixes such as .com, .net, .org, .info and .biz the rightmost two parts are the registered
domain. Some country-code suffixes register names one level lower (.co.uk, .com.au, .com.ph),
and there the rightmost three parts are what was registered. Thus a web site name such as
"www.ebay.scammer.com"
is really
"scammer.com"
and has nothing to do with eBay.
Should you see
"payments.citibank.com"
(I made this up) that would be a real address belonging to Citibank. Likewise
"news.cbs.com"
(I made this up too) would belong to CBS. If you purchase something from
Dell's web site, the purchase is done at a URL that starts with
"ecomm.dell.com" which belongs to Dell (real
example).
A phishing email once used
"paypal.com.login-user2719.info"
to fool people into thinking they were dealing with Paypal.
The actual domain in this case is
"login-user2719.info"
which belonged to Andrew
Fischba in Fraser, CO (andrewpfischba@yahoo.com). Holly Robb of Utah
(zumzum@mailmoka.ro) thought this was a great idea and used "
www.paypal.com.login-user108.info"
in a phishing email message a couple days later. I've also seen "paypal.signin04.com" used.
A longer example from an eBay phishing email is
"verfyer-acunte-ebay-com.keymachine.de" which does not belong to an
eBay verifying system but instead belongs to Keyweb AG in Germany.
Again, the critical parts of the names above are "scammer.com"
and "citibank.com" and "cbs.com" and "dell.com" and "login-user2719.info". Anything to the left of
this is irrelevant in determining the organization that owns the name.
Another tactic used by the bad guys is to substitute the letter "L", the letter
"I" or the number one to fool you about the true name of a domain. For
example, instead of citibank.com (spelled correctly), they might use
cltlbank.com (lower case "L") or
c1t1bank.com (number one) or
ClTlBANK.COM (lower case "L" very well hidden).
Likewise, PayPal might end with the number one (paypa1.com) or an upper case "i" (paypaI.com).
Domain names are not case sensitive, so paypaI.com is really paypai.com; the capital "i" fools
the eye in the displayed text, not the browser.
And, two Vs look a lot like a W. See More fake "double-V" domains
popping up... from Sunbelt Software.
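The rules above can be applied mechanically, and it is worth seeing how little it takes. The script below is an added example written for this page, not code from the original article. It runs under Node.js. Its suffix table is a hand-made stub standing in for the public suffix list, and its brand list is the handful of companies named in the examples above; both are assumptions for the demonstration, not data from the article.

```javascript
// Added example for this page, not code from the original article: find the
// registered domain of a host name and compare it, after folding look-alike
// characters, with a list of brands. The suffix table and the brand list are
// assumptions constructed for the demonstration.

// Country-code suffixes under which names are registered at the third level.
// The real list (publicsuffix.org) has thousands of entries; this is a stub.
const SECOND_LEVEL_SUFFIXES = new Set(["com.ph", "co.uk", "com.au", "or.kr"]);

// Brand domains taken from the examples on this page.
const BRANDS = ["citibank.com", "ebay.com", "paypal.com", "yahoo.com",
                "cbs.com", "wsj.com", "firsttennessee.com"];

// Registered domain: the rightmost two labels, or three when the rightmost two
// form a second-level suffix such as com.ph. Dashes never split a label.
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  const width = SECOND_LEVEL_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  return labels.length >= width ? labels.slice(-width).join(".") : null;
}

// Fold the look-alikes described above onto one representative, so that
// citibank / cltlbank / c1t1bank and paypal / paypa1 / paypaI compare equal.
function skeleton(name) {
  return name.toLowerCase()
    .replace(/rn/g, "m")     // r followed by n reads as m
    .replace(/vv/g, "w")     // two Vs read as a W
    .replace(/[1i|]/g, "l")  // one, lower-case i and pipe read as lower-case L
    .replace(/0/g, "o");     // zero reads as o
}

// Compare one host name with every brand and return the first verdict found.
// "same-name-other-suffix" needs a human check: wsj.net is real, wsj.info is not.
function classify(host) {
  const reg = registrableDomain(host);
  if (!reg) return { verdict: "invalid", registrable: null, brand: null };
  const regLabel = reg.split(".")[0];
  const lowerHost = host.toLowerCase();
  for (const brand of BRANDS) {
    const brandLabel = brand.split(".")[0];
    const found = { registrable: reg, brand };
    if (reg === brand) return { verdict: "legitimate", ...found };
    if (skeleton(reg) === skeleton(brand)) return { verdict: "lookalike", ...found };
    if (skeleton(regLabel) === skeleton(brandLabel)) return { verdict: "same-name-other-suffix", ...found };
    if (regLabel.includes(brandLabel)) return { verdict: "embeds-brand", ...found };
    if (lowerHost !== reg && lowerHost.includes(brandLabel)) return { verdict: "brand-in-subdomain", ...found };
  }
  return { verdict: "unrelated", registrable: reg, brand: null };
}

// Host names quoted in the text above.
const SAMPLE_NAMES = [
  "payments.citibank.com", "www.ebay.scammer.com", "paypal.com.login-user2719.info",
  "yahoo.com-yahoo.com.ph", "cltlbank.com", "c1t1bank.com", "paypaI.com", "wsj.info",
  "ebay-secure.com", "cbs-news.com", "www-signin-ebay-com-ws-ebay-isapi-dll-signin.122.pl",
];

for (const host of SAMPLE_NAMES) {
  const { verdict, registrable } = classify(host);
  console.log(host.padEnd(52), String(registrable).padEnd(24), verdict);
}
```

Run it with node and it prints one line per sample host: the registered domain and a verdict. Two limits are worth knowing. A name with an inserted letter such as youltube.com is not caught by character folding and needs an edit-distance check. And the same-name-other-suffix verdict cannot say whether wsj.net is the newspaper (it is) or wsj.info is (it is not); that still takes a WHOIS lookup or a list of known-good names.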
Yet another trick is to use a domain that looks real and make a web site that
looks real, but nonetheless is fake. Take, for example, someone interested in
transportation in the state of New Jersey. The real web site is
www.njtransit.com. However, there is a web site called
newjerseytransit.com
that appears, at first glance, to be real, but it is not. Likewise the web site
deltaair.com
looks like it might be Delta Airlines, but it is not. Delta's domain is
delta.com
now; in the early days of the Internet it was
delta-air.com.
And, of course, if you type a URL manually
rather than using a Favorite/Bookmark, you can make a spelling mistake. People
reserve common misspellings of popular web sites. See:
URL Tricks
- Any link to an IP address rather than a name is suspect. For example don't
trust a link such as http://218.36.71.193
as opposed to http://www.citibank.com.
Below are some real-life examples from phishing emails:
http://213.136.120.240/.paypal/login.html
http://217.68.23.17/~securedphpscript.net/securedssl/ . . .
http://211.174.185.29/pages/paypal/login.html
http://193.201.52.175/user_id_verification~login.php/paypal/login.htm
http://218.8.251.199/www.chase.com/software-upgrade/cmserver-users-default-confirm/index.htm
- In the examples above, all the numbers are decimal. A variation on that theme specifies the numbers in octal (base 8).
Browsers follow the old inet_aton convention: a part of a dotted IP address that starts with a zero is read as octal,
a part that starts with "0x" is read as hexadecimal, and the whole address may even be written as one number. Thus
http://0105.0131.031.0307 in octal is really
http://69.89.25.199 in decimal, and so are http://0x45.0x59.0x19.0xc7 and http://1163467207.
- The text displayed for the link does not have to be the real destination.
For example, this link www.microsoft.com
really takes you to my home page. There is no rule that the displayed text has
to be the real destination. Sometimes, hovering the mouse over a link
in both an email program and a web browser will display the destination of the
link in the status bar at the bottom of the screen.
- I said "sometimes" above
because you should never trust what is displayed in the status bar. Both web
pages and email messages can use JavaScript and Dynamic
HTML to make the status bar show anything they want. For example, this link
www.microsoft.com
that seems to be to Microsoft, really takes you to my home page, but when you hover the mouse over it the
status bar, Internet Explorer will incorrectly show the link destination to be
Microsoft.
Note: This trick does not work in Firefox where the status bar
displays nothing when the mouse hovers over the link (tested with versions 1.0
through 1.5.0.5). Current browsers ignore scripts that set window.status altogether, so this
particular trick is dead, but the lesson stands: the link text and the status bar are both
chosen by the sender; only the href decides where you go.
Here is a real example of this from a phishing email message:
<a href="http://www.uas-va.org/.suntrust/"
   onMouseOver="window.status='https://internetbanking.suntrust.com'; return true;"
   onMouseOut="window.status=' '; return true;">https://internetbanking.suntrust.com</a>
This link actually takes you to
www.uas-va.org but appears to take you to internetbanking.suntrust.com. I can't
be sure, but it appears that uas-va.org was also a victim in this case, their
web site having been hacked and used in this phishing scheme without their knowledge.
- Normally we look at the domain name just after the
"http://" to see where a link goes. There are two cases, however,
where the actual destination of a link does not come immediately after the two
slashes. One case involves signing on to secure web sites and providing a
userid and password in the link so that they don't have to be entered
manually. The other involves re-direction (see point 5 below).
As shown in the two URLs below, the userid and password for a secure web site
or page can come immediately after the two slashes. First is the userid, then a
colon, then the password, then an "at" sign, and finally the real
web site address.
In the link below, "microsoft.com" is the userid,
"windows" is the password and it really takes you to the web site at
IP address 119.77.66.88 (the trick from point 1 above). No doubt many people
would look at this and think they were going to Microsoft's web site.
http://microsoft.com:windows@119.77.66.88/fileabc.html
The link below omits the password. It looks like a link to Citibank, but
really takes you to www.scammerwebsite.com
http://www.citibank.com@www.scammerwebsite.com
What do the bad guys do with the userid and password that are embedded in
links like this? Very likely they ignore them. If the web server never asks for a
password, the browser never sends one. They exist just to fool you.
A real life example:
http://billing%2Eearthlink%2Enet%01%00@artcraft.or.kr/board_old/icon/Type08/
- The other instance where the real web site address is not after the two
slashes involves re-direct services. Yahoo, Google, Citibank and, no doubt
other legitimate web sites, have re-direction services that were originally
intended for their own private use. I won't go into why they built these
services or how they work. The crucial point, in terms of lying about the
destination of link, is that when using these re-direction services, the real
web page address is at the end of the link, not at the beginning. Below is an
example:
http://rd.yahoo.com/b5y7ix88/*http://www.scammerwebsite.com/
Yahoo's re-direct service seems to be invoked when using "rd.yahoo.com"
as opposed to "www.yahoo.com" (I have no first-hand direct
knowledge of how it works). The real end point is after the asterisk.
Basically, the bad guys are piggybacking on Yahoo's good name - the link appears to go to
Yahoo, a trusted web site, but really
goes somewhere else. Later examples below show links that appear to go to Google
and Citibank but really do not.
Update. November 13, 2006. eBay also has a re-director feature that is used by
scammers. It was written up in this article in the Register See
eBay provides backdoor for phishers Scripting backdoor helps craft more convincing cons
by John Leyden February 28, 2005. Amazingly, 1.5 years after this problem was
reported to eBay, they have done nothing about it. See eBay redirection ruse reloaded
18 month-old security flaw still remains unfixed by John Leyden in The
Register November 13, 2006. Here is an example from this article
http://cgi1.ebay.com/aw-cgi/ebayISAPI.dll?
RedirectEnter&partner=25047&loc=%68%74%74%70:%2f%2f%77%77%77.%67%6f%6f%67%6c%65.%63om%2f
The above is one long URL, broken into two lines for readability. The URL
takes you to Google, but it can be easily modified to send you to any web
page.
- The example below is from an actual phishing message (it is broken up into multiple lines for ease of
viewing). It uses the Yahoo re-direct service (apparently a European edition)
and the link is purposely so long that the end of it can't be displayed in the
status bar. From my testing, it seems that the data between "rd.yahoo.com" or
"eur.rd.yahoo.com" and the true destination can be anything at all. The service seems to key
off just the asterisk; all the rest is fluff. This link really goes to
"phamrnes.com".
http://eur.rd.yahoo.com/puc\implore\steed\referendum\gossamer\cepheus\compatible\
missy\oathe\import\teahouse\parkish\stupefaction\continual\sectoral\tore\daugherty\
oscar\otis\vigilante\amplify\hitchcock\apportion\bowie\downs\dam\polopony\chestnut\
question\can't\stumpy\abalone\regional\defensible\cheeky\indefensible\placebo\
clothesmen\bookstore\colorimeter\distortion\casebook\suffrage\cardiac\dish\
minicomputer\bourgeois\ellwood\colby\montgomery\suppress\atlanta\refract\
adventurous\colleague\clot\inattention\pierre\hyperbolic\orographic\
*hTtP:\\2W04v375z81i.phamrnes.com/gp/iNdeX.ASP?id=BW
Still another tactic that makes a link appear to go to Yahoo is shown here:
http://yahoo.com-yahoo.com.ph/click.php?id=lxenyee
This URL really takes you to a web site in the Philippines. The suffix here is
".com.ph" (ph is the country code, and com.ph is where commercial names are registered
in the Philippines), so the registered domain is "com-yahoo.com.ph": the dash is an
ordinary character and the name has nothing to do with Yahoo. Everything to the left of
"com-yahoo.com.ph" is there to trick you into thinking you will be going to Yahoo and
therefore trusting the link and clicking on it.
- Another way to hide a web site address is to code it using the numeric codes for ASCII characters (don't ask).
For example:
http://%32%31%31%2E%32%38%2E%31%35%35%2E%32%31%30
which translates to
http://211.28.155.210
and
http://%32%34%2e%37%36%2e%38%39%2e%36%34:38/%63%69%74/%69%6E%64%65%78%2E%68%74%6D
which translates to
http://24.76.89.64:38/cit/index.htm
These are real life examples. Avoid any web site that hides its true location this way.
Karen Kenworthy has written a free program that converts this sort of thing back into English.
See Karen's URL Discombobulator.
In the October
9, 2003 edition of her newsletter, she created the example below which
combines the ASCII characters trick with the userid/password trick discussed
above in item 4.
http://www.microsoft.com%40%49%77%61%6E%74%54%6F%53%74%65%61%6C%59%6F%75%72%4D%6F%6E%65%79%2E%63%6F%6D
To the un-initiated, this looks like a link to microsoft.com but it really goes
to the fictional web site IwantToStealYourMoney.com
The following URL also combines two tricks to hide its true destination. It is another re-direct
using a service from Citibank.
http://www.citibankonline.com/domain/redirect/
cbna/global_nav/myciti.htm?BVP=/&M=S&US&_u=visitor&
BVE=HT%54p%3a%2f%2fkdsass40e.com*20022%2E%64a%2eR%75
In the actual phishing email, this was one long URL, it is displayed on
multiple lines here for readability. The domain citibankonline.com really is
Citibank. However, as with the Yahoo redirect service, this URL starts out at Citibank,
but does not end there. Again, the real address is at the end.
Not content with one level of indirection, these bad guys also disguised the address
by specifying some of the characters (not all) using their numeric
ASCII equivalent. In the URL above, what comes after BVE on the last line is really:
http://kdsass40e.com*20022.da.ru
This is really taking you to the web site da.ru in Russia.
- A phishing scam web site may try to hide itself by using a non-standard
port. Any computer that provides a web site is supposed to listen to requests
such as "show me web page named abc.html" on port number 80. On a
server computer this works all the time. However, home computers running a web
server program may find that the ISP blocks all access to port 80. ISPs do
this to prevent their personal customers from running a business web site out
of their house. To get around the ISP blocking, a phishing web site might be
set up to listen to requests on a port number other than 80; common
alternatives are 81 and 8080. This real life URL is an example of this:
http://70.179.190.108:8080/login.personal.wamu.com/
The computer is at IP address 70.179.190.108, another way of hiding that was
already discussed. The colon means that a port number follows. The 8080 is the
port number that the web server program is listening on.
- The last example involves a Google re-direction feature.
http://www.google.com/url?q=http://www.google.com/url?q=http://%6a%66%6b315%67%66%67%252e
%44%61%252e%72%75%252f?%744%72%6e%592%59%67%54%54%4f%4f%617%502%4e3%48%77
At first glance it appears to go to
Google. However, the real destination of the link is
the stuff at the end that looks like garbage. It is not garbage. Karen's URL Discombobulator
translates the ASCII coding at the end to:
http://jfk315gfg.Da.ru/?t4rnY2YgTTOOa7P2N3Hw
The same web site as in example 8.
Here is another real-life example
that exploits the same Google re-direction feature but is much more complicated:
http://www.google.com/url?q=http://www.google.com/url?q=http://www.google.com/url?q=%%%3348%%374%%3
54P://obusek93vf%%32E%%%3364a.%%372u%%32f%%3%33F1ct0r651dy75r0o1sgRWR13Eqpq5fs
This one was so convoluted, it fooled an old version of the
URL Discombobulator program. However, in March 2004 Karen Kenworthy released a
new version (1.8.2) of her URL
Discombobulator that can deal with this particular hiding scheme. In the March
3, 2005 edition of her newsletter, Karen discusses this in detail. It's a
doozy.
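Everything in this section comes down to reading a link the way the browser reads it, and the browser's parser can be asked directly. The script below is an added example written for this page, not code from the original article: it feeds the links quoted above to the WHATWG URL parser built into Node.js (the same parser the current browsers use) and reports the host, port and path that would really be contacted, then follows redirector hops. The three redirector rules (Google's q= parameter, the asterisk in rd.yahoo.com links, the BVE= parameter in the Citibank link) and the hexadecimal and single-number IP spellings are assumptions added for the demonstration; the long eur.rd.yahoo.com link is shortened to a few of its filler words.

```javascript
// Added example for this page, not code from the original article: run the URL
// tricks above through the WHATWG URL parser that Node.js and current browsers
// share, so the real destination is whatever the parser says it is.

function parseOrNull(link) {
  try { return new URL(link); } catch { return null; } // the parser refused it
}

function decodeSafe(text) {
  try { return decodeURIComponent(text); } catch { return text; } // keep bad %-sequences
}

// The parts a reader should look at: the host that will really be contacted
// (octal, hex and %XX spellings are normalised by the parser), the port, the
// decoded path, and any user:password decoration in front of the host.
function describe(link) {
  const u = parseOrNull(link);
  if (!u) return { rejected: true, hostname: null };
  return {
    rejected: false,
    username: decodeSafe(u.username),
    password: u.password,
    hostname: u.hostname,
    port: u.port || (u.protocol === "https:" ? "443" : "80"),
    path: decodeSafe(u.pathname),
  };
}

// Redirector rules modelled on the links quoted above. Each returns the next
// hop or null. They are assumptions for this example, not documentation of the
// services themselves.
const REDIRECT_RULES = [
  u => (u.hostname === "www.google.com" && u.pathname === "/url") ? u.searchParams.get("q") : null,
  u => {
    if (!u.hostname.endsWith("rd.yahoo.com")) return null;
    const star = u.href.indexOf("*");        // the target follows the asterisk
    return star >= 0 ? u.href.slice(star + 1) : null;
  },
  u => (u.hostname === "www.citibankonline.com") ? u.searchParams.get("BVE") : null,
];

// Follow redirector hops until the link leaves the known redirectors, stops
// parsing, or the hop limit is reached. Returns the final link as a string.
function unwrapRedirects(link, maxHops = 8) {
  let current = link;
  for (let hop = 0; hop < maxHops; hop++) {
    const u = parseOrNull(current);
    if (!u) return current;
    const next = REDIRECT_RULES.map(rule => rule(u)).find(Boolean);
    if (!next) return current;
    current = next;
  }
  return current;
}

// Host name of the final destination, or null if it cannot be parsed.
function realHost(link) {
  const u = parseOrNull(unwrapRedirects(link));
  return u ? u.hostname : null;
}

// Links quoted on this page. The eur.rd.yahoo.com link is shortened to a few of
// its filler words; the rest are verbatim.
const YAHOO_EUR = "http://eur.rd.yahoo.com/puc\\implore\\steed\\referendum\\*hTtP:\\\\2W04v375z81i.phamrnes.com/gp/iNdeX.ASP?id=BW";
const GOOGLE_CHAIN = "http://www.google.com/url?q=http://www.google.com/url?q=http://%6a%66%6b315%67%66%67%252e"
  + "%44%61%252e%72%75%252f?%744%72%6e%592%59%67%54%54%4f%4f%617%502%4e3%48%77";
const CITI_REDIRECT = "http://www.citibankonline.com/domain/redirect/cbna/global_nav/myciti.htm?BVP=/&M=S&US&_u=visitor&"
  + "BVE=HT%54p%3a%2f%2fkdsass40e.com*20022%2E%64a%2eR%75";
const PERCENT_AT = "http://www.microsoft.com%40%49%77%61%6E%74%54%6F%53%74%65%61%6C%59%6F%75%72%4D%6F%6E%65%79%2E%63%6F%6D";

const SAMPLE_LINKS = [
  "http://0105.0131.031.0307",
  "http://0x45.0x59.0x19.0xc7",
  "http://1163467207",
  "http://%32%34%2e%37%36%2e%38%39%2e%36%34:38/%63%69%74/%69%6E%64%65%78%2E%68%74%6D",
  "http://microsoft.com:windows@119.77.66.88/fileabc.html",
  "http://www.citibank.com@www.scammerwebsite.com",
  "http://billing%2Eearthlink%2Enet%01%00@artcraft.or.kr/board_old/icon/Type08/",
  "http://70.179.190.108:8080/login.personal.wamu.com/",
  "http://rd.yahoo.com/b5y7ix88/*http://www.scammerwebsite.com/",
  YAHOO_EUR, GOOGLE_CHAIN, CITI_REDIRECT, PERCENT_AT,
];

for (const link of SAMPLE_LINKS) {
  const d = describe(link);
  const shown = d.rejected ? "REJECTED by the parser" : `${d.hostname}:${d.port}${d.path}`;
  console.log(shown.padEnd(48), "final host:", realHost(link));
}
```

Two things the run shows that the text could not in 2006. The octal, hexadecimal and percent-encoded spellings all normalise to a plain dotted address before any connection is made, so a tool that looks at the parsed host sees through them. And Karen Kenworthy's www.microsoft.com%40... link is refused outright: a percent-encoded @ is decoded as part of the host name, and @ is a forbidden character there. The user:password@ trick, the port trick and the redirectors still work exactly as described.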
Browser Bugs
Another reason that clicking on a link in an email message
may not take you to the expected web site is a bug in your web browser. Often an email program will
invoke a web browser under the covers to display an HTML formatted email message, thus
making it susceptible to bugs in the browser. For example, Outlook
and Outlook Express depend on, and use, Internet Explorer. Other bugs
result in the Address bar of a web browser displaying the wrong address for
the web page you are viewing.
Some of the bugs in web browsers are:
- New IE exploit
by Alex Eckelberry of Sunbelt Software. April 6, 2006. Quoting: "There is a new exploit which allows hackers to obfuscate the real URL being shown, useful for phishing attacks. This is a practice called address bar spoofing, and enables the hacker to make an address bar show a different URL than what is actually loading. This particular exploit creates a race condition between a Macromedia Flash file and web content being loaded."
- Internet Explorer Image Control Status Bar Spoofing Weakness
from Secunia. November 16, 2005. This IE bug can be exploited to trick you
into visiting a malicious website by obfuscating URLs displayed in the status bar.
The browser fails to show the correct URL in the status bar if an image control has been enclosed in a hyperlink and uses a form to specify the destination URL.
- Microsoft Confirms IE Phishing Flaw
eWeek magazine. February 23, 2005. Microsoft confirmed the existence of a bug in
Internet Explorer that opens the door to URL spoofing attacks. The flaw can be exploited by a malicious attacker to spoof the URL of a pop-up advertisement and has been confirmed on a fully patched system with
IE6 and Windows XP Service Pack 2. Microsoft Internet Explorer Popup Title Bar Spoofing Weakness
by Secunia.
- Browser URL Spoofing Vulnerability
by Patrick Douglas Crispen. February 16, 2005. Firefox v1.0 has a bug that
allows the displayed URL to be spoofed. The article links to a test page
and has details on fixing Firefox. This was, I believe, fixed in
Firefox version 1.0.1.
- Internet Explorer Handling of %20 Allows Spoofing
from SecuriTeam. January 17, 2005
- Security researchers have uncovered a spoofing flaw in Internet
Explorer, even on a fully patched Windows XP system with IE 6.0 and
Service Pack 2. The bug could allow a scammer to display a fake Web site
with all the attributes of a genuine, secure site, including the URL and
the icon indicating SSL security. New
IE Exploit Spoofs Web Sites in eWeek December 17, 2004. Secunia
has an
online test you can use to see if your copy of IE is susceptible to
this bug. Firefox users are safe.
- Internet Explorer/Outlook Express Restricted Zone Status Bar Spoofing
by Secunia. Released October 29, 2004. A bug in Internet Explorer 6 can be exploited by malicious people to trick users into visiting a malicious website by obfuscating URLs.
This also affects Outlook Express 6.
- The Internet Explorer Address Bar Spoofing Test
by Secunia shows how IE can be exploited to display the wrong URL in the
address bar. As of September 30, 2004, there is no fix for this from
Microsoft. Firefox 1.0PR does not have this problem.
- A bug in Internet Explorer that was
discovered in December 2003 allowed scammers to hide the real location of a
web page by including the characters %01 before the @ symbol in a URL.
- On June 11, 2004 PC World magazine had a
story about new
bugs in Internet Explorer that allow scammers to load malicious web pages while displaying the
web address of legitimate sites in the address bar. I haven't followed up to
see if these bugs were ever fixed. The bug involves prefacing the web
site address with the characters ::/ which hides the real address of the Web page being loaded.
DNS Poisoning
Normally, of course, if you enter www.cbs.com
into your web browser, you expect to end up at the web site of the TV network
behind 60 Minutes. With DNS poisoning however, you enter one web site address
but end up instead at the web site of the bad guys.
All communication between computers on the Internet is done using a unique
number assigned to every computer. The system that translates names such as
cbs.com
into these numbers (called IP addresses) is called DNS (Domain Name System).
One type of DNS poisoning involves modifying a file on your computer. In the old
days, the translation of names (www.cbs.com) into
numbers (such as 170.20.0.25) was done by a file on your computer called the
hosts file. This file still exists and Windows still uses it (a mistake by
Microsoft, in my opinion); on Windows it lives at C:\Windows\System32\drivers\etc\hosts,
and it is consulted before DNS is asked. Normally the file contains nothing but comments
and perhaps an entry for "localhost", but malicious software can add lines to it. If your
hosts file has been altered, there are times when you will not go to the web site you
expect to. One way to fight this is to look at the hosts file every now and then.
Another way is to modify the Windows registry to tell
it to convert using the DNS system before trying to convert using the hosts file.
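Looking at the hosts file can be automated. The script below is an added example written for this page, not code from the original article: it parses a hosts file and reports entries for names that should never appear there. The sample file, the bank list and the placeholder security-vendor names are constructed for the demonstration; the file format and the Windows path are the standard ones.

```javascript
// Added example for this page, not code from the original article: audit a hosts
// file for the poisoning described above. The file format is the standard one
// (address, then one or more names, '#' starts a comment); the sample file and
// both watch lists are constructed for the demonstration.

// Banking domains from this page. None of these belongs in a hosts file, so
// any entry for them (or a subdomain) means the file has been tampered with.
const BANK_WATCHLIST = ["citibank.com", "paypal.com", "ebay.com", "firsttennessee.com"];

// Placeholder names standing in for security vendors' update servers. Malware
// commonly points such names at the loopback address so that protection
// software can no longer update itself.
const SECURITY_WATCHLIST = ["update.antivirus.example", "www.securityvendor.example"];

const LOOPBACK = new Set(["127.0.0.1", "0.0.0.0", "::1"]);

// Parse hosts-file text into { address, name } pairs, one per name.
function parseHosts(text) {
  const entries = [];
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.replace(/#.*$/, "").trim();   // strip comments
    if (!line) continue;
    const [address, ...names] = line.split(/\s+/);
    for (const name of names) entries.push({ address, name: name.toLowerCase() });
  }
  return entries;
}

function onWatchlist(name, list) {
  return list.some(domain => name === domain || name.endsWith("." + domain));
}

// Report watch-listed names: banks mapped anywhere are "hijacked"; security
// names mapped to loopback are "blocked".
function auditHosts(text) {
  const findings = [];
  for (const { address, name } of parseHosts(text)) {
    if (onWatchlist(name, BANK_WATCHLIST)) {
      findings.push({ kind: "hijacked", name, address });
    } else if (LOOPBACK.has(address) && onWatchlist(name, SECURITY_WATCHLIST)) {
      findings.push({ kind: "blocked", name, address });
    }
  }
  return findings;
}

// Read and audit the real file. Windows keeps it at
// C:\Windows\System32\drivers\etc\hosts; Unix-like systems at /etc/hosts.
function auditHostsFile(path) {
  const fs = require("fs");
  return auditHosts(fs.readFileSync(path, "utf8"));
}

// Constructed sample: a normal file plus two lines a piece of malware might add.
// 203.0.113.7 is a documentation address, not a real server.
const SAMPLE_HOSTS = [
  "# sample hosts file (constructed for this example)",
  "127.0.0.1       localhost",
  "::1             localhost",
  "203.0.113.7     www.citibank.com citibank.com   # added by malware",
  "127.0.0.1       update.antivirus.example",
  "",
].join("\n");

for (const f of auditHosts(SAMPLE_HOSTS)) {
  console.log(`${f.kind.padEnd(9)} ${f.name} -> ${f.address}`);
}
```

Call auditHostsFile with the path above to check a real machine. The bank list is the easy part: a bank name in a hosts file is never legitimate. The loopback check is noisier in practice, because ad-blocking hosts files point thousands of names at 127.0.0.1 on purpose, which is why it is restricted to a watch list rather than flagging every loopback entry.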
Another type of DNS poisoning involves modifying a computer used by either your
Internet Service Provider (at home) or your company (at work). The computers in
question are DNS Servers, machines dedicated to doing nothing but translating
names (www.cbs.com)
into numbers (170.20.0.25). I don't know that you can defend yourself from this
as it involves no changes to your computer at all. This type of DNS poisoning can be
done either by going after the DNS server software and trying to exploit a bug
or with social engineering.
Another related problem is domain stealing. Ownership of a domain is
registered with a Registrar. Hundreds of companies function as Registrars for
domain names on the Internet. Among them are register.com, godaddy.com and
directnic.com. If a bad guy can transfer ownership of a domain from the rightful
registrar to another one, then they can point the domain to any web site they
please. In this case, the DNS system works as designed; the attack is on the
input to the DNS system rather than the system itself.
This is exactly what happened in January 2005 to New York City
based ISP, Panix. Ownership of the panix.com
domain was switched to a registrar in Australia by someone who apparently did
not follow the normal rules for this sort of thing. Then the panix.com
domain was pointed to a phony web site.
DNS poisoning has also been called "pharming" (as in the next
generation of phishing) and domain spoofing. For more see: