Crimeware
by Markus Jakobsson
Security

Can you tell a good URL from a bad one?

9 comments | 42I like it!
Tags: crimeware, deceit, phishing, social engineering, trends, URL
More »
Recent Posts
July 29, 2008, 12:58 PM — 

Look at these three URLs: www.accountonline.com, www.democratic-party.us, www.wachovia.pin-update.com.

Can you tell which (if any) correspond to legitimate service providers? Do you think the average Internet user can tell, too?

In fact, most people have no idea how to tell a good URL from a bad one. A recent Indiana University study I co-authored with Jacob Ratkiewicz (download PDF) showed that Internet users are not the least suspicious of so-called cousin-name domains. A cousin-name domain is a URL like www.democratic-party.us that is "semantically correct" - in this case it makes it look like it should belong to the Democratic Party. The study also showed that most people do not identify sub-domain attacks in which the subdomain is used to semantically defraud -- like www.wachovia.pin-update.com has nothing to do with Wachovia.

Part of the problem is that people are people, not string matching machines. We are just not very good at remembering things verbatim, but we are pretty good at making sense of cues - which is what gets us into trouble. But that's not all. The problem is made worse by companies that register and use domains that have nothing in particular to do with their brand. Like www.accountonline.com, which belongs to CitiBank and is used to access credit card accounts. Why not use the regular citibank.com domain? Or at least citicards.com? Now, CitiBank is not the only financial institution that uses weird domains ... unfortunately, this is the rule rather than the exception.

What should we conclude from this? First of all, phishers and crimeware authors will make increasing use of deceptive domain names. This means that blacklisting will become less and less meaningful and that we will have to rely on whitelisting, heuristics, and our own ability to be careful. Not a happy thought.

What do we need to do? First of all, we need to educate our users (see www.SecurityCartoon.com and http://cups.cs.cmu.edu/antiphishing_phil/ for two lighthearted approaches). Second, service provides need to think about what domains they use and how any inconsistencies may come back to haunt them. And third, we need to develop tools that recognize what people can and cannot do.

Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world

I like it!
Comments
9 comments Add a comment

I have seen a few fraudulent

I have seen a few fraudulent spammers and other would be thieves use such domain names to try and fool web site visitors and have learned to be wary of such sites. I try to look over the domain name of the site that I am visiting very carefully. If the root domain (the far right domain) does not match the institution that I think I should be visiting than I am skeptical as to the validity of the site I have landed on as to whether it is legitimate. Also I am generally cautious to check the security certificate of encrypted sites that I am visiting to ensure that it comes from a known source and is for the organization, whose web site I intend to be visiting.


The University that I have attended for the past few years used such a domain for bill pay emails that they sent out, which prompted me to call their finance department to verify that the email was legitimate. Speaking of Educational institutions I scrutinize all emails claiming to be originating from the University and if the domain name does not end in .edu I am suspicious. In reality the university in question appears to have sent a few emails out that ended in .com that were legitimate.


As for the article written by Markus Jakobsson I would hazard to guess that none of the URL's mentioned in the article are legitimate.


James D.
by James (not verified) on 7/29/08 at 7:52 pm | reply

Educating ourselves and

Educating ourselves and using the right online tools are key to preventing phishing attacks.
I work for Passpack
which is an online password manager and we are always trying to stress the importance of security on web.

Passpack lets you store the root of all sensitive information - you passwords.

It is the only online password manager with anti-phishing and with its auto-login feature you will only be logged into sites that are in your Passpack account - ensuring that the URL address is legit.

I wrote a post back in April on the Anti-Phishing Phil game. It's a great way to get people more aware of the seriousness of online security.

Louise
by Louise (not verified) on 7/30/08 at 8:21 am | reply

James, From what you are

James,

From what you are writing, you are more knowledgeable than the average user. Most people do not know how to evaluate a URL (for a 30-second tutorial, see http://www.securitycartoon.com/index.php?comic=20070621)


But as for the URLs I listed ... one of them is legitimate. The accountonline.com. The other two could have belonged to phishers. They actually do not, they belong to me. I registered them to demonstrate how a phisher could have taken them.

Cheers,
Markus
by Markus Jakobsson on 7/30/08 at 9:10 am | reply
View all comments »
peer-to-peer

Esther Schindler
If the comments are ugly, the code is ugly

claird
SVG a graphics format for 21st century

pasmith
Take Chrome OS for a test spin

Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?

sjvn
64-bits of protection?

jfruh
Android fragments vs. the iPhone monolith

mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive

 

Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325

Join the conversation here

The Daily Tip

The Daily TipQuick, practical advice for IT pros. Made fresh daily.

Hot tips:

Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.

Newsletters

Subscribe to ITWORLD TODAY and receive the latest IT news and analysis.

I would like to receive offers via email from ITworld partners.
By clicking submit you agree to the terms and conditions outlined in ITworld's privacy policy.
view all newsletters »
Featured Sponsor
Case Study: AISO grows its "green" business

AISO founders envisioned a Web hosting company that was environmentally friendly. While the company employed energy-efficient innovations like solar panels, its infrastructure produced unacceptable power and cooling requirements. Find out how AISO leveraged AMD technology to overcome their challenge in this case study white paper.

Download this white paper »
Myth of the Million Dollar Database

In this whitepaper, Scalar explores the opportunity to change the landscape with respect to mission critical databases built around Oracle. Leveraging technologies such as Linux, high-end commodity processing power and Oracle RAC technology to architect, design, build and maintain database infrastructure that delivers maximum availability, reliability and performance at a fraction of traditional cost.

Download this white paper »
Success Story: Weather.com handles whatever nature serves up

On a typical day, weather.com, the Web site for The Weather Channel in Atlanta, serves up between 15 million and 20 million page views. But in September 2004, when back-to-back hurricanes ransacked Florida, the peak traffic on one day more than tripled: over 70 million page views by more than 7 million unique visitors. Read the full success story now.

Download this white paper »
Marketplace