Phishing refers to fraudulent email messages designed to trick you into providing personal information.
As part of the scam, the links in the email message do not take you where they appear to.
Instead you are taken to a web site that looks real but exists on a computer
controlled by the bad guys.
If you have any reason to suspect that an email message is phony, always go
directly to the sending company's web site on your own. That is, if you suspect
a message that appears to be from Citibank (for example) is a scam, then verify
it by typing "www.citibank.com" into your web browser. Never, ever
click on the link in the email message. The rest of this page explains the ways
that links are toyed with to fool you as to their real destination.
There are four independent avenues of trickery:
- Using a domain name that appears to belong the company being scammed
- Playing technical tricks with the link (URL)
- Exploiting known bugs in Internet Explorer and other software
- And perhaps the worst of all, DNS poisoning
All are explained below.
Domain Name Tricks
It can be hard to know if a domain really belongs to the organization it appears to.
For example, the
television network that airs 60 Minutes owns "cbs.com". But there is
no guarantee that "cbsnews.com" belongs to them too (it does) or
"cbs-news.com" (it does not) or "cbstoday.com" (it does not)
or "cbsnewsupdate.com" (does not yet exist). Then too, everything
is not a "dot com". For example, "cbsnews.org" is not
associated with the television network, even though "cbsnews.com"is.
Below are some real life scams that embed a real domain name inside a
- The domains "eBay-secure.com" and "authebay.net" and
"ebayserver.net" are not associated with eBay. The latter is
registered to someone in China with a gmail address.
"authebay.net" was eventually abandoned, after it had served its scam purpose.
- "baltimoreorioles.com" is not the web site of the baseball team
in Baltimore. The person/company that owns this domain has chosen to hide
their identity. The baseball team is "orioles.com".
- The domains "cgi-paypal.us" and "paypal-cgi.us" are not associated with Paypal.
Neither is "help-paypalservice.tk" which is registered in the country of Tokelau
that, conveniently, does not report the actual owner of domains.
- The domains "www.securecitibank.us" and
"www.citi-accountonline.com" and "citisupportteam.biz" are not associated with Citibank
- The domain "earthlink-renew.net" is not associated with
EarthLink, the ISP. It is owned instead by Peter Buchwald of Weston, AL
- The domain "nortonantivirus.com" is not associated with Symantec
or the Norton Anti-Virus program. It is owned by someone who does not
provide their name and has an email address in Russia. The domain was
registered by joker.com which is often used by bad guys. As of January 2006,
it gets forwarded to antivirusdirectory.com which is also not associated
with any anti-virus software vendor but is instead owned by Bardenko Roman
of Firenze Italy.
- Nothing is more popular than You Tube. URLs that look like it have an
extra "L" as in "youltube". There is, at least, a .info
and .com youLtube.
- On November 8, 2005 eBay tried to get rid of the scam web site "ebaychristmas.net".
On November 25th, they were still trying when someone reported the phishing
web site to eBay. Four days later, eBay responded to that the email message
was legitimate. It was not, and this got reported in the press. eBay must be
such a large organization that the left hand does not know what the right
hand is doing. And, at least one hand, needs some more technical training.
See eBay Fooled by Fast-moving Phishing Scam
- The domain bankfirsttennessee.com is not associated with First Tennessee
Bank whose actual domain name is firsttennessee.com. The owner of the phony
domain is Nathan Eltz at firstname.lastname@example.org.
Note: I would be very hesitant in using online banking if you are a First Tennessee Bank
customer. For one thing, I tried to report this fraud on November 7, 2005
and there was no relevant contact
listed on their web site to report these
scams. The FAQ on their web site has this question: Is Banking Online secure?
The bank answer is:
"Absolutely. Each time you log in to Banking Online, one secure connection is opened to the bank. This connection is protected using Secure Sockets Layer (SSL) 3.0, a security protocol that prevents eavesdropping, tampering, and message forgery
over the Internet. Additional protection is provided using firewall technology. Firewalls monitor all data traffic to and from First Tennessee, ensuring that only known users are able to gain access."
This wrong, for many reasons.
- The domain "citizens-friends.com" is not associated with Citizens Bank
(which is citizensbank.com). It is owned by Tara Hall of Tampa, Florida.
- The domain "yahoo-billing.com" was not associated with Yahoo.
However, after it was used by scammers, Yahoo acquired the name and now
insures that it goes nowhere. Note that "yahoo-inc.com" appears to
actually belong to Yahoo.
- The domain "chase.onlinecustomer.info" is not associated with Chase bank.
- The domain www-signin-ebay-com-ws-ebay-isapi-dll-signin.122.pl is not where you sign in to an eBay account.
It is really 122.pl.
There are many valid domain suffixes (like the ".info" above) and
even large organizations, that should know better, fail to reserve all the
possible suffixes leaving an opening for scammers. For example, the web site of
the Wall Street Journal is wsj.com. But do the "wsj" domains with
other suffixes also belong to the newspaper (or really to Dow Jones which owns the paper)?
| Domain ||Legit?|
Thus, if a scammer sends you to wsj.info, for example, any data you enter into that
web site goes to a man named Roman Mochejski in Poland.
Some of the examples above illustrate that dashes are part of a domain name, just like letters and numbers.
In determining who really owns a domain name, the rightmost two parts of
the name are all that matters, and the only thing that determines the rightmost two parts are periods. Thus a web site name such as
and has nothing to do with eBay.
Should you see
(I made this up) that would be a real address belonging to Citibank. Likewise
(I made this up too) would belong to CBS. If you purchase something from
Dell's web site, the purchase is done at a URL that starts with
"ecomm.dell.com" which belongs to Dell (real
A phishing email once used
to fool people into thinking they were dealing with Paypal.
The actual domain in this case is
which belonged to Andrew
Fischba in Fraser, CO (email@example.com). Holly Robb of Utah
(firstname.lastname@example.org) thought this was a great idea and used "
in a phishing email message a couple days later. I've also seen "paypal.signin04.com" used.
A longer example from an eBay phishing email is
"verfyer-acunte-ebay-com.keymachine.de" which does not belong to an
eBay verifying system but instead belongs Keyweb AG in Germany.
Again, the critical parts of the names above are "scammer.com"
and "citibank.com" and "cbs.com
" and "dell.com" and "login-user2719.info". Anything to the left of
this is irrelevant in determining the organization that owns the name.
Another tact used by the bad guys is to substitute the letter "L" , the letter
"I" or the number One to fool you about the true name of a domain. For
example, instead of
citibank.com (spelled correctly), they might use
cltlbank.com (lower case "L") or
c1t1bank.com (number one) or
ClTlBANK.COM (lower case "L" very well hidden).
Likewise, Payal might end with the number one (
paypa1.com) or an upper case "i"(
And, two Vs look a lot like a W. See More fake "double-V" domains
popping up... from Sunbelt Software.
Yet another trick is to use a domain that looks real and make a web site that
looks real, but nonetheless is fake. Take, for example, someone interested in
transportation in the state of New Jersey. The real web site is
www.njtransit.com.. However, there is a web site called
that appears, at first glance, to be real, but it is not. Likewise the web site
looks like it might be Delta Airlines, but it is not. Delta's domain is
now, in the early days of the Internet it was
And, of course, if you type a URL manually
rather than using a Favorite/Bookmark, you can make a spelling mistake. People
reserve common mis-spellings of popular web sites. See:
URL Tricks TOP
- Any link to an IP address rather than a name is suspect. For example don't
trust a link such as http://126.96.36.199
as opposed to http://www.citibank.com.
Below are some real-life examples from phishing emails:
http://188.8.131.52/~securedphpscript.net/securedssl/ . . .
- In the examples above, all the numbers are decimal. A variation on that theme specifies the numbers in octal (base 8).
When Internet-connected computers use octal as opposed to decimal numbers, they signal this fact by starting the
number with a zero. Thus
http://0105.0131.031.0307 in octal is really
http://184.108.40.206 in decimal.
- The text displayed for the link does not have to be the real destination.
For example, this link www.microsoft.com
really takes you to my home page. There is no rule that the displayed text has
to be the real destination. Sometimes, hovering the mouse over a link
in both an email program and a web browser will display the destination of the
link in the status bar at the bottom of the screen.
- I said "sometimes" above
because you should never trust what is displayed in the status bar. Both web
HTML to make the status bar show anything they want. For example, this link
that seems to be to Microsoft, really takes you to my home page, but when you hover the mouse over it the
status bar, Internet Explorer will incorrectly show the link destination to be
Note: This trick does not work in Firefox where the status bar
displays nothing when the mouse hovers over the link (tested with versions 1.0
Here is a real example of this from a phishing email message:
onMouseOut="window.status=' '; return
This link actually takes you to
www.uas-va.org but appears to take you to internetbanking.suntrust.com. I can't
be sure, but it appears that uas-va.org was also a victim in this case, their
web site having been hacked and used in this phishing scheme without their knowledge.
- Normally we look at the domain name just after the
"http://" to see where a link goes. There are two cases, however,
where the actual destination of a link does not come immediately after the two
slashes. One case involves signing on to secure web sites and providing a
userid and password in the link so that they don't have to be entered
manually. The other involves re-direction (see point 5 below).
As shown in the two URLs below, the userid and password for a secure web site
or page can come immediately after the two slashes. First is the userid, then a
colon, then the password, then an "at" sign, and finally the real
web site address.
In the link below, "microsoft.com" is the userid,
"windows" is the password and it really takes you to the web site at
IP address 220.127.116.11 (the trick from point 1 above). No doubt many people
would look at this and think they were going to Microsoft's web site.
The link below omits the password. It looks like a link to Citibank, but
really takes you to www.scammerwebsite.com
What do the bad guys do with the userid and password that are embedded in
links like this? Very likely they ignore them. If the web page or web site is
not secure, then passwords are irrelevant. They exist just to fool you.
A real life example:
- The other instance where the real web site address is not after the two
slashes involves re-direct services. Yahoo, Google, Citibank and, no doubt
other legitimate web sites, have re-direction services that were originally
intended for their own private use. I won't go into why they built these
services or how they work. The crucial point, in terms of lying about the
destination of link, is that when using these re-direction services, the real
web page address is at the end of the link, not at the beginning. Below is an
Yahoo's re-direct service seems to be invoked when using "rd.yahoo.com"
and opposed to "www.yahoo.com" (I have no first-hand direct
knowledge of how it works). The real end point is after the asterisk.
Basically, the bad guys are piggybacking on Yahoo's good name - the link appears to go to
Yahoo, a trusted web site, but really
goes somewhere else. Later examples below show links that appear to go to Google
and Citibank but really do not.
Update. November 13, 2006. eBay also has a re-director feature that is used by
scammers. It was written up in this article in the Register See
eBay provides backdoor for phishers Scripting backdoor helps craft more convincing cons
by John Leyden February 28, 2005. Amazingly, 1.5 years after this problem was
reported to eBay, they have done nothing about it. See eBay redirection ruse reloaded
18 month-old security flaw still remains unfixed by John Leyden in The
Register November 13, 2006. Here is an example from this article
The above is one long URL, broken into two lines for readability. The URL
takes you to Google, but it can be easily modified to send you to any web
- The example below is from an actual phishing message (it is broken up into multiple lines for ease of
viewing). It uses the Yahoo re-direct service (apparently a European edition)
and the link is purposely long that the end of it can't be displayed in the
status bar. From my testing,it seems that the data between "rd.yahoo.com" or
"eur.rd.yahoo.com" and the true destination can be anything at all. The service seems to key
off just the asterisk, all the rest is fluff. This link really goes to
Still another tactic that makes a link appear to go to Yahoo is shown here:
This URL really takes you to a web site in the
Philippines called "com". That is, the real link is to com.ph where
the ph represents the country. Everything to left of "com.ph" is there
to trick you into thinking you will be going to Yahoo and therefore trusting the
link and clicking on it.
- Another way to hide a web site address is to code it using the numeric codes for ASCII characters (don't ask).
which translates to
which translates to
These are real life examples. Avoid any web site that hides its true location this way.
Karen Kenworthy has written a free program that converts this sort of thing back into English.
See Karen's URL Discombobulator.
In the October
9, 2003 edition of her newsletter, she created the example below which
combines the ASCII characters trick with the userid/password trick discussed
above in item 4.
To the un-initiated, this looks like a link to microsoft.com but it really goes
to the fictional web site IwantToStealYourMoney.com
This following URL also combines two tricks to hide its true destination. It is another re-direct
using a service from Citibank.
In the actual phishing email, this was one long URL, it is displayed on
multiple lines here for readability. The domain citibankonline.com really is
Citibank. However, as with the Yahoo redirect service, this URL starts out at Citibank,
but does not end there. Again, the real address is at the end.
Not content with one level of indirection, these bad guys also disguised the address
by specifying some of the characters (not all) using their numeric
Ascii equivalent. In the URL above, what comes after BVE on the last line is really:
This is really taking you to the web site da.ru in Russia.
A phishing scam web site may try to hide itself by using a non-standard
port. Any computer that provides a web site is supposed to listen to requests
such as "show me web page named abc.html" on port number 80. On a
server computer this works all the time. However, home computers running a web
server program may find that the ISP blocks all access to port 80. ISPs do
this to prevent their personal customers from running a business web site out
of their house. To get around the ISP blocking, a phishing web site might be
set up to listen to requests on a port number other than 80 - a common
alternatives are 81 and 8080. This real life URL is an example of this
The computer is at IP address 18.104.22.168, another way of hiding that was
already discussed. The colon means that a port number follows. The 8080 is the
port number that the web server program is listening on.
- The last example involves a Google re-direction feature.
At first glance it appears to go to
Google. However, the real destination of the link is
the stuff at the end that looks like garbage. It is not garbage. Karen's URL Discombobulator
translates the ASCII coding at the end to:
The same web site as in example 8.
Here is another real-life example
that exploits the same Google re-direction feature but is much more complicated:
This one was so convoluted, it fooled an old version of the
URL Discombobulator program. However, in March 2004 Karen Kenworthy released a
new version (1.8.2) of her URL
Discombobulator that can deal with this particular hiding scheme. In the March
3, 2005 edition of her newsletter, Karen discusses this in detail. It's a
Another reason that clicking on a link in an email message
may not take you to the expected web site is a bug in your web browser. Often an email program will
invoke a web browser under the covers to display an HTML formatted email message, thus
making it susceptible to bugs in the browser. For example, Outlook
and Outlook Express depend on, and use, Internet Explorer. Other bugs
result in the Address bar of a web browser displaying the wrong address for
the web page you are viewing.
Some of the bugs in web browsers are:
- New IE exploit
by Alex Eckelberry of Sunbelt Software. April 6, 2006. Quoting: "There is a new exploit which allows hackers to obfuscate the real URL being shown, useful for phishing attacks. This is a practice called address bar spoofing, and enables the hacker to make an address bar show a different URL than what is actually loading. This particular exploit creates a race condition between a Macromedia Flash file and web content being loaded."
- Internet Explorer Image Control Status Bar Spoofing Weakness
from Secunia. November 16, 2005. This IE bug can be exploited to trick you
into visiting a malicious website by obfuscating URLs displayed in the status bar.
The browser fails to show the correct URL in the status bar if an image control has been enclosed in a hyperlink and uses a form to specify the destination URL.
- Microsoft Confirms IE Phishing Flaw
eWeek magazine. February 23, 2005. Microsoft confirmed the existence of a bug in
Internet Explorer that opens the door to URL spoofing attacks. The flaw can be exploited by a malicious attacker to spoof the URL of a pop-up advertisement and has been confirmed on a fully patched system with
IE6 and Windows XP Service Pack 2. Microsoft Internet Explorer Popup Title Bar Spoofing Weakness
- Browser URL Spoofing Vulnerability
by Patrick Douglas Crispen. February 16, 2005. Firefox v1.0 has a bug that
allows the displayed URL to be spoofed. The article links to a test page
and has details on fixing Firefox. This was, I believe, fixed in
Firefox version 1.0.1.
- Internet Explorer Handling of %20 Allows Spoofing
from SecuriTeam. January 17, 2005
- Security researchers have uncovered a spoofing flaw in Internet
Explorer, even on a fully patched Windows XP system with IE 6.0 and
Service Pack 2. The bug could allow a scammer to display a fake Web site
with all the attributes of a genuine, secure site, including the URL and
the icon indicating SSL security. New
IE Exploit Spoofs Web Sites in eWeek December 17, 2004. Secunia
online test you can use to see if your copy of IE is susceptible to
this bug. Firefox users are safe.
- Internet Explorer/Outlook Express Restricted Zone Status Bar Spoofing
by Secunia. Released October 29, 2004. A bug in Internet Explorer 6 can be exploited by malicious people to trick users into visiting a malicious website by obfuscating URLs.
This also effects Outlook Express 6.
- The Internet Explorer Address Bar Spoofing Test
by Secunia shows how IE can be exploited to display the wrong URL in the
address bar. As of September 30, 2004, there is no fix for this from
Microsoft. Firefox 1.0PR does not have this problem.
- A bug in Internet Explorer that was
discovered in December 2003 allowed scammers to hide the real location of a
web page by including the characters %01 before the @ symbol in a URL.
- In June 11, 2004 PC World magazine had a
story about new
bugs in Internet Explorer that allow scammers to load malicious web pages while displaying the
web address of legitimate sites in the address bar. I haven't followed up to
see if this bugs was ever fixed. The bug involves prefacing the web
site address with the characters ::/ which hides the real address of the Web page being loaded.
DNS Poisoning TOP
Normally, of course, if you enter www.cbs.com
into your web browser, you expect to end up at the web site of the TV network
behind 60 Minutes. With DNS poisoning however, you enter one web site address
but end up instead at the web site of the bad guys.
All communication between computers on the Internet is done using a unique
number assigned to every computer. The system that translates names such as
into these numbers (called IP addresses) is called DNS (Domain Name System).
One type of DNS poisoning involves modifying a file on your computer. In the old
days, the translation of names (www.cbs.com into
numbers (such as 22.214.171.124) was done by a file on your computer called the
hosts file. This file still exists and Windows still uses it (a mistake by
Microsoft, in my opinion). Normally the file is empty, but malicious software
can update it. If your hosts file was updated, there are times when you will not
go to the web site you expect to. One way to fight this is to look at the hosts
file every now and then. Another way is to modify the Windows registry to tell
it to convert using the DNS system before trying to convert using the hosts file.
Another type of DNS poisoning involves modifying a computer used by either your
Internet Service Provider (at home) or your company (at work). The computers in
question are DNS Servers, machines dedicated to doing nothing but translating
into numbers (126.96.36.199). I don't know that you can defend yourself from this
as it involves no changes to your computer at all. This type of DNS poisoning can be
done either by going after the DNS server software and trying exploiting a bug
or with social engineering.
Another related problem is domain stealing. Ownership of a domain is
registered with a Registrar. Hundreds of companies function as Registrars for
domain names on the Internet. Among them are register.com, godaddy.com and
directnic.com. If a bad guy can transfer ownership of a domain from the rightful
registrar to another one, then they can point the domain to any web site they
please. In this case, the DNS system works as designed, the attack is to the
input to the DNS system rather than the system itself.
This is exactly what happened in January 2005 to New York City
based ISP, Panix. Ownership of the panix.com
domain was switched to a registrar in Australia by someone who apparently did
not follow the normal rules for this sort of thing. Then the panix.com
domain was pointed to a phony web site.
DNS poisoning has also been called "pharming" (as in the next
generation of phishing) and domain spoofing. For more see: