Crimeware
by Markus Jakobsson
Security

Can you tell a good URL from a bad one?

8 comments | 40I like it!
Tags: crimeware, deceit, phishing, social engineering, trends, URL
More »
Recent Posts
July 29, 2008, 12:58 PM — 

Look at these three URLs: www.accountonline.com, www.democratic-party.us, www.wachovia.pin-update.com.

Can you tell which (if any) correspond to legitimate service providers? Do you think the average Internet user can tell, too?

In fact, most people have no idea how to tell a good URL from a bad one. A recent Indiana University study I co-authored with Jacob Ratkiewicz (download PDF) showed that Internet users are not the least suspicious of so-called cousin-name domains. A cousin-name domain is a URL like www.democratic-party.us that is "semantically correct" - in this case it makes it look like it should belong to the Democratic Party. The study also showed that most people do not identify sub-domain attacks in which the subdomain is used to semantically defraud -- like www.wachovia.pin-update.com has nothing to do with Wachovia.

Part of the problem is that people are people, not string matching machines. We are just not very good at remembering things verbatim, but we are pretty good at making sense of cues - which is what gets us into trouble. But that's not all. The problem is made worse by companies that register and use domains that have nothing in particular to do with their brand. Like www.accountonline.com, which belongs to CitiBank and is used to access credit card accounts. Why not use the regular citibank.com domain? Or at least citicards.com? Now, CitiBank is not the only financial institution that uses weird domains ... unfortunately, this is the rule rather than the exception.

What should we conclude from this? First of all, phishers and crimeware authors will make increasing use of deceptive domain names. This means that blacklisting will become less and less meaningful and that we will have to rely on whitelisting, heuristics, and our own ability to be careful. Not a happy thought.

What do we need to do? First of all, we need to educate our users (see www.SecurityCartoon.com and http://cups.cs.cmu.edu/antiphishing_phil/ for two lighthearted approaches). Second, service provides need to think about what domains they use and how any inconsistencies may come back to haunt them. And third, we need to develop tools that recognize what people can and cannot do.

I like it!
Comments
8 comments Add a comment

I have seen a few fraudulent

I have seen a few fraudulent spammers and other would be thieves use such domain names to try and fool web site visitors and have learned to be wary of such sites. I try to look over the domain name of the site that I am visiting very carefully. If the root domain (the far right domain) does not match the institution that I think I should be visiting than I am skeptical as to the validity of the site I have landed on as to whether it is legitimate. Also I am generally cautious to check the security certificate of encrypted sites that I am visiting to ensure that it comes from a known source and is for the organization, whose web site I intend to be visiting.


The University that I have attended for the past few years used such a domain for bill pay emails that they sent out, which prompted me to call their finance department to verify that the email was legitimate. Speaking of Educational institutions I scrutinize all emails claiming to be originating from the University and if the domain name does not end in .edu I am suspicious. In reality the university in question appears to have sent a few emails out that ended in .com that were legitimate.


As for the article written by Markus Jakobsson I would hazard to guess that none of the URL's mentioned in the article are legitimate.


James D.
by James (not verified) on 7/29/08 at 7:52 pm | reply

Educating ourselves and

Educating ourselves and using the right online tools are key to preventing phishing attacks.
I work for Passpack
which is an online password manager and we are always trying to stress the importance of security on web.

Passpack lets you store the root of all sensitive information - you passwords.

It is the only online password manager with anti-phishing and with its auto-login feature you will only be logged into sites that are in your Passpack account - ensuring that the URL address is legit.

I wrote a post back in April on the Anti-Phishing Phil game. It's a great way to get people more aware of the seriousness of online security.

Louise
by Louise (not verified) on 7/30/08 at 8:21 am | reply

James, From what you are

James,

From what you are writing, you are more knowledgeable than the average user. Most people do not know how to evaluate a URL (for a 30-second tutorial, see http://www.securitycartoon.com/index.php?comic=20070621)


But as for the URLs I listed ... one of them is legitimate. The accountonline.com. The other two could have belonged to phishers. They actually do not, they belong to me. I registered them to demonstrate how a phisher could have taken them.

Cheers,
Markus
by Markus Jakobsson on 7/30/08 at 9:10 am | reply
View all comments »
Free stuff

Win an Amazon Kindle!
This month's giveaway gadget - Amazon's Kindle - will keep you entertained on the long trip home to visit family and friends over the holidays. Enter the drawing now!

Applied Security Visualization
By Raffael Marty
Published by Addison-Wesley Professional
Learn more!

 

IT Manager's Handbook
By Bill Holtsnider and Brian D. Jaffe
Published by Morgan Kaufmann
Learn more!

 

Windows Vista Resource Kit
By Mitch Tulloch, Tony Northrup, and Jerry Honeycutt
Published by Microsoft Press
Learn more!

Featured Sponsor
Case Study: AISO grows its "green" business

AISO founders envisioned a Web hosting company that was environmentally friendly. While the company employed energy-efficient innovations like solar panels, its infrastructure produced unacceptable power and cooling requirements. Find out how AISO leveraged AMD technology to overcome their challenge in this case study white paper.

Download this white paper »
Myth of the Million Dollar Database

In this whitepaper, Scalar explores the opportunity to change the landscape with respect to mission critical databases built around Oracle. Leveraging technologies such as Linux, high-end commodity processing power and Oracle RAC technology to architect, design, build and maintain database infrastructure that delivers maximum availability, reliability and performance at a fraction of traditional cost.

Download this white paper »
Success Story: Weather.com handles whatever nature serves up

On a typical day, weather.com, the Web site for The Weather Channel in Atlanta, serves up between 15 million and 20 million page views. But in September 2004, when back-to-back hurricanes ransacked Florida, the peak traffic on one day more than tripled: over 70 million page views by more than 7 million unique visitors. Read the full success story now.

Download this white paper »
More Resources