• Markus Jakobsson

  • by Markus Jakobsson
  • RSS

Recent blog posts

Can you tell a good URL from a bad one?

By Markus Jakobsson  8 comments

July 29, 2008, 1:58 PM Look at these three URLs: www.accountonline.com, www.democratic-party.us, www.wachovia.pin-update.com.

Can you tell which (if any) correspond to legitimate service providers? Do you think the average Internet user can tell, too?

In fact, most people have no idea how to tell a good URL from a bad one. A recent Indiana University study I co-authored with Jacob Ratkiewicz (download PDF) showed that Internet users are not the least suspicious of so-called cousin-name domains. A cousin-name domain is a URL like www.democratic-party.us that is "semantically correct" - in this case it makes it look like it should belong to the Democratic Party. The study also showed that most people do not identify sub-domain attacks in which the subdomain is used to semantically defraud -- like www.wachovia.pin-update.com has nothing to do with Wachovia.

Part of the problem is that people are people, not string matching machines. We are just not very good at remembering things verbatim, but we are pretty good at making sense of cues - which is what gets us into trouble. But that's not all. The problem is made worse by companies that register and use domains that have nothing in particular to do with their brand. Like www.accountonline.com, which belongs to CitiBank and is used to access credit card accounts. Why not use the regular citibank.com domain? Or at least citicards.com? Now, CitiBank is not the only financial institution that uses weird domains ... unfortunately, this is the rule rather than the exception.

What should we conclude from this? First of all, phishers and crimeware authors will make increasing use of deceptive domain names. This means that blacklisting will become less and less meaningful and that we will have to rely on whitelisting, heuristics, and our own ability to be careful. Not a happy thought.

What do we need to do? First of all, we need to educate our users (see www.SecurityCartoon.com and http://cups.cs.cmu.edu/antiphishing_phil/ for two lighthearted approaches). Second, service provides need to think about what domains they use and how any inconsistencies may come back to haunt them. And third, we need to develop tools that recognize what people can and cannot do.

8 comments

    Anonymous 3 years ago
    kx3koiwngr3inyjnvkrzq utju http://fyrtwllhrwct.com iryaczd hkmxc http://ffnkdc.com fcxljn reddda http://gzuesdnue.com pzslt tqeeivy http://csqnyfcvm.com
    Flag comment  |  Permalink Reply
    Anonymous 3 years ago
    kx3koiwngr3inyjnkwvtj dhfo http://vvualfrtaqz.com crhnjal mhpyb http://mkedljscgxh.com jkinxrm iwxqy http://wnztotixoj.com valia hqcjsrxh http://sxxslt.com
    Flag comment  |  Permalink Reply
    Anonymous 3 years ago
    kx3koiwngr3inyjngsffxd aqpsoiqz http://qlobmcyx.com oraqkld cyfn http://nrfwteultrd.com flswkjp mwzc http://zomzmkrmw.com owzzhd mtekys http://syaafmyeh.com
    Flag comment  |  Permalink Reply
    Anonymous 3 years ago
    Educating ourselves and using the right online tools are key to preventing phishing attacks.I work for Passpackwhich is an online password manager and we are always trying to stress the importance of security on web.Passpack lets you store the root of all sensitive information - you passwords.It is the only online password manager with anti-phishing and with its auto-login feature you will only be logged into sites that are in your Passpack account - ensuring that the URL address is legit.I wrote a post back in April on the Anti-Phishing Phil game. It's a great way to get people more aware of the seriousness of online security.Louise
    Flag comment  |  Permalink Reply
    Anonymous 3 years ago
    From a legal and regulatory perspective, it is the legal obligation of financial firms to safeguard their information assets from identity theft in the form of infringing domain names and related fake web sites, email spam and phishing sites. These are Unfair Acts against consumers per the FTC ACT. These also violate GLBA, COSO, FDICIA, Sarbanes-Oxley and safety and soundness regulations required for maintaining federal deposit insurance. These equate to a CAMELS Compliance Rating of 4 meaning serious regulatory deficiencies. Additional information on these information security governance risks and ratings are available through seminars and white papers at www.americanbanker.com and www.isgovernanceinsitute.org
    Flag comment  |  Permalink Reply
    Anonymous 3 years ago
    I have seen a few fraudulent spammers and other would be thieves use such domain names to try and fool web site visitors and have learned to be wary of such sites. I try to look over the domain name of the site that I am visiting very carefully. If the root domain (the far right domain) does not match the institution that I think I should be visiting than I am skeptical as to the validity of the site I have landed on as to whether it is legitimate. Also I am generally cautious to check the security certificate of encrypted sites that I am visiting to ensure that it comes from a known source and is for the organization, whose web site I intend to be visiting. The University that I have attended for the past few years used such a domain for bill pay emails that they sent out, which prompted me to call their finance department to verify that the email was legitimate. Speaking of Educational institutions I scrutinize all emails claiming to be originating from the University and if the domain name does not end in .edu I am suspicious. In reality the university in question appears to have sent a few emails out that ended in .com that were legitimate.As for the article written by Markus Jakobsson I would hazard to guess that none of the URL's mentioned in the article are legitimate.James D.
    Flag comment  |  Permalink Reply
    Markus Jakobsson
    Markus Jakobsson 3 years ago in reply to Anonymous
    James, From what you are writing, you are more knowledgeable than the average user. Most people do not know how to evaluate a URL (for a 30-second tutorial, see http://www.securitycartoon.com/index.php?comic=20070621)But as for the URLs I listed ... one of them is legitimate. The accountonline.com. The other two could have belonged to phishers. They actually do not, they belong to me. I registered them to demonstrate how a phisher could have taken them. Cheers,Markus
    Flag comment  |  Permalink Reply

      Add a comment

      Post a comment using one of these accounts
      Or join now
      At least 6 characters

      Note: Comment will appear soon after you have activated your account.
      Obscene/spam comments will be removed and accounts suspended.
      The information you submit is subject to our Privacy Policy and Terms of Service.

      ITworld LIVE

      SecurityWhite Papers & Webcasts

      White Paper

      Overcome Top 7 Admin Challenges of Active Directory

      As Active Directory's role in the enterprise has drastically increased, so has the need to secure the data. Gain insight on creating repeatable, enforceable processes that reduces administrative overhead and enables robust, customizable reporting and auditing capabilities. Brought to you by NetIQ.

      White Paper

      Insiders Can Ruin Your Company. Take Action.

      Did you know that 80 percent of threats to an organization come from the inside? The threat from insiders is often overlooked in organizations worldwide. This white paper from NetIQ, discusses key technology solutions that help to prevent and detect insider threats.

      White Paper

      Top Solutions and Tools to Prevent Devastating Malware

      Custom malware frequently goes undetected. According to Forrester Research, the best way to reduce risk of breach is to deploy file integrity monitoring (FIM) tools that provide immediate alerts. This white paper has been brought to you by NetIQ, the leader in solving complex IT challenges.

      White Paper

      Streamline Compliance and Increase ROI

      Streamline, simplify, and automate compliance related activities; especially those that impact multiple business units. This white paper from NetIQ, outlines solutions that will help your business gain the maximum return on investment possible while aligning your compliance programs.

      White Paper

      X-Ray of the PCI Process-4 Proactive Steps

      This white paper from Forrester Research Inc., helps break PCI into understandable components. Security and risk professionals will gain knowledge and insight into creating a compliant and secure IT environment. Follow these four proactive steps now before your next audit. Brought to you by NetIQ.

      See more White Papers | Webcasts

      Answers - Powered by ITworld

      ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

      Join Now

      New questions

      How well does facial recognition work for device security?
      0 answers
      What type of enterprise user is going to use Ubuntu Business Desktop Remix?
      1 answer
      How much will the security flaws in Google Wallet set back the transition to "digital wallets"?
      2 answers
      What can be done to control noise levels in data centers?
      1 answer
      What mobile apps are the worst offenders to user privacy?
      2 answers
      View more questions

      Ask a question

      Join Now or Sign In to ask a question.
      Ask a Question