powered by Iowa Telecom

Wherever you go, there you are…


August 3, 2009

…The real question is: Is there where you think it is?

The big security snafu in the news recently was the hijacking of several e-billing sites: visitors were redirected to look-alike websites designed to extract banking information from them.  Unfortunately this is a harder scam to spot than most, even if you understand how domain names work.

Below you will find a couple of ways hackers attempt to deceive a user.

Embedded Links:

The simplest of these scams use an embedded link in an email whose text is made to look like the address of the real site.  For example, the email says to log on to PayPal’s site to update your info, so you click on the link that reads something like “http://www.paypal.com/cgi/update/run-it.cgi”.  You are then taken to what you assume is PayPal’s site, but if you look at the address bar you actually see “paypal.update.urlsareus.domains4sale.lt” or some such.  (Hovering over a link before clicking shows where it really points, which need not be what the link text says.)  Here’s where understanding a little about domains and the structure of the internet helps.

An example to help understand the structure of domains:

  • Even though there is an obvious ‘paypal’ in that URL, the domain of the URL is ‘domains4sale.lt’, NOT a PayPal domain.  When trying to verify a URL you are sent to, break the host name into pieces at the periods (.) in it.  In our example you get ‘paypal’, ‘update’, ‘urlsareus’, ‘domains4sale’ and ‘lt’.
  • Now to ‘read’ a host name we start at the rear, or right side.  In this case we start with ‘lt’.  This is the Top Level Domain (TLD), usually a two-, three- or four-letter label such as (.us), (.com) or (.info); in some countries a second label is grouped with it, as in (.co.uk).  In our example it is ‘.lt’, which is Lithuania, and our first indicator that this may not be the site we think it is.
  • Next in from the right is ‘domains4sale’.  Together with the TLD this is the main, registered domain of the site you are viewing: domains4sale.lt.  This is NOT a PayPal site.  PayPal’s domain is paypal.com; if the domain in the URL is any other variation of that, it is not a PayPal site.
  • Anything to the left of the main domain is called a subdomain.  The most common subdomain is www, but in reality the owner of the domain can use anything they wish, such as paypal, fredandwillma or frankscows, in place of www or in addition to it.  That is why the ‘paypal’ at the front of our example proves nothing: the owner of domains4sale.lt chose it.
  • Next you have the protocol, which will always be at the beginning of the URL and generally looks like (http://).  At its most basic level, this means you are viewing a web page.  Another protocol is (ftp://), which means you are about to use your web browser to transfer files with a website.
  • PayPal, like most legitimate companies, also uses ‘https’ for any page on which you enter info.  The ‘s’ stands for secure: the connection is encrypted, which is expected of all secure website transactions such as payments and even personal information exchange.  One caveat: https only tells you that nobody in between can read what you send; it does not tell you that the site belongs to who you think it does, so still check the domain.
  • To backtrack just a bit, anything after the first (/) that follows the host name is the path; it means you are descending into a directory of the website.  Websites have the same type of directory tree that exists on your average home computer.  In our example the path is ‘/cgi/update/run-it.cgi’, and it can be made to look like anything, so it tells you nothing about who owns the site.
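The checks in the list above, carried out in code as an added example (this is not from the original post and not PayPal’s own tooling). It reads a host name from the right to find the TLD and the registered domain, then reports why an e-mail link should not be trusted: wrong domain, link text that names a different site than the link really points to, a ‘user@’ trick in front of the real host, a bare IP address, or plain http. The short list of two-label suffixes such as co.uk is a constructed stand-in for the full Public Suffix List, and the sample links are constructed from the post’s example.

```python
from urllib.parse import urlparse

# Constructed, deliberately short list of suffixes that take two labels; a real
# tool would load the full Public Suffix List from publicsuffix.org.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp", "co.nz"}


def split_url(url):
    """Break a URL into the pieces described above, reading the host name from
    the right: TLD first, then the registered domain, then any subdomains."""
    parts = urlparse(url)
    host = (parts.hostname or "").rstrip(".").lower()
    labels = host.split(".") if host else []
    is_ip = bool(labels) and all(label.isdigit() for label in labels)
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        tld_labels = 2                      # e.g. 'co.uk' counts as the TLD
    else:
        tld_labels = 1
    if len(labels) > tld_labels:
        domain_labels = labels[-(tld_labels + 1):]
    else:
        domain_labels = labels
    return {
        "protocol": parts.scheme.lower(),
        "userinfo": parts.username,         # text before an '@' in the host part
        "ip_literal": is_ip,
        "subdomains": labels[:-len(domain_labels)] if domain_labels else [],
        "domain": ".".join(domain_labels),  # the part that says who owns the site
        "tld": ".".join(labels[-tld_labels:]) if labels else "",
        "path": parts.path or "/",
    }


def link_is_suspicious(link_text, href, trusted_domain):
    """Return the reasons an e-mail link should not be trusted (empty list if it
    looks fine).  trusted_domain is the registered domain you expect, e.g.
    'paypal.com'."""
    target = split_url(href)
    reasons = []
    if target["domain"] != trusted_domain.lower():
        reasons.append("wrong-domain")       # owner is not who the mail claims
    if target["userinfo"] is not None:
        reasons.append("userinfo-trick")     # 'www.paypal.com@' before the real host
    if target["ip_literal"]:
        reasons.append("ip-address-host")    # no domain name at all
    if target["protocol"] != "https":
        reasons.append("not-https")          # anything typed in is sent in the clear
    shown = link_text.strip()
    if "://" in shown or shown.lower().startswith("www."):
        shown_url = shown if "://" in shown else "http://" + shown
        if split_url(shown_url)["domain"] != target["domain"]:
            reasons.append("text-href-mismatch")  # says one site, goes to another
    return reasons


if __name__ == "__main__":
    # Constructed links modelled on the post's example.
    phish_text = "http://www.paypal.com/cgi/update/run-it.cgi"
    phish_href = "http://paypal.update.urlsareus.domains4sale.lt/cgi/update/run-it.cgi"
    print(split_url(phish_href))
    print(link_is_suspicious(phish_text, phish_href, "paypal.com"))
    print(link_is_suspicious("Log in to PayPal", "https://www.paypal.com/signin", "paypal.com"))
```

Note that `split_url` takes the domain from the URL’s real host part, so the ‘paypal’ subdomain and the ‘paypal.com@’ user-info trick both end up in the wrong place to fool it; only what sits immediately left of the TLD counts.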

False URL links:

Unfortunately, the hijack that affected the e-bill sites was not as easy to spot.  In that case the hijackers actually gained access to the companies’ DNS records (the records that say which IP address a given host name points to) and changed them to the IP of their fake websites.  The URLs therefore had the right domain info in them; the name simply led to the wrong server.

A couple of steps to help identify false URL links:

  • The tip-off with these was that users were not taken to the pages they were used to.  The best way to protect yourself from a scam like this is to learn to recognize your companies’ sites.
  • Know what the company’s website looks like so that you can notice a difference, and don’t use it if it appears to have changed since the last time you used it.  If a page that normally shows https and the padlock suddenly does not, or your browser warns about the site’s certificate, treat that as a change too.
  • If you have not seen a notice of changes but the website appears different, beware.  Most companies will notify their customers ahead of time if they are making any changes to their website.  So if you hit one of your banking or shopping sites and things are significantly changed, especially if you are required to log on differently than you are used to, stop and call the institution to ensure that the change is something they did.
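One way to notice the failure mode just described (right name, wrong server) is to compare where a name resolves now against a baseline recorded while the site was known to be good. The Python below is an added example, not from the original post or from any of the affected companies; the host name ebill.example.com, its baseline addresses and the two stand-in resolvers in `demo()` are constructed for illustration, while `resolve_live` uses the system resolver and needs network access.

```python
import socket

# Constructed baseline for this example: the addresses a site resolved to the
# last time it was known to be good.  A real monitor would record these from an
# earlier trusted lookup and refresh them when the company announces a move.
KNOWN_GOOD = {
    "ebill.example.com": {"192.0.2.10", "192.0.2.11"},
}


def resolve_live(hostname):
    """Ask the system resolver (needs network); returns the set of IPv4 answers."""
    return set(socket.gethostbyname_ex(hostname)[2])


def check_resolution(hostname, baseline=KNOWN_GOOD, resolve=resolve_live):
    """Report whether a host name still resolves where it used to.

    Returns (status, addresses): status is 'ok', 'changed', 'unknown' or
    'error'.  With a hijacked DNS record the URL in the address bar is
    identical to before; only the addresses behind the name differ."""
    expected = baseline.get(hostname)
    if expected is None:
        return ("unknown", [])
    try:
        answers = resolve(hostname)
    except OSError:                      # socket.gaierror is an OSError
        return ("error", [])
    unexpected = sorted(answers - expected)
    if unexpected:
        return ("changed", unexpected)
    return ("ok", sorted(answers))


def demo():
    """Run the check against constructed 'before' and 'after' resolvers."""
    honest = lambda name: {"192.0.2.10"}       # answer matches the baseline
    hijacked = lambda name: {"203.0.113.5"}    # record was changed to a fake site
    return (check_resolution("ebill.example.com", resolve=honest),
            check_resolution("ebill.example.com", resolve=hijacked))


if __name__ == "__main__":
    print(demo())
```

The check deliberately ignores addresses that disappeared from the answer set (companies drop servers all the time) and only reports addresses that were never in the baseline, which is what a redirect to an attacker’s server looks like.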

Unfortunately, in this day and age a little caution can go a long way.  Like my great grandfather used to say, “It ain’t paranoia if they are out to get you.”  And in the case of spammers and scammers, they are indeed ‘out to get us’.

Until my next post, safe surfing!

Nuuruvalar

Tip of the Day

Giving out personal information via e-mail is kind of like stapling your car payment (In Cash) to the outside of the envelope and then mailing it. Chances are better than slim it will be stolen.