Obfuscated URLs

Even an expert would have to look twice at this phishing URL I received (claiming to be from eBay):

http://signin.ebay.com.ws.eBayISAPI.dll.UsingSSL.Yes.SignIn.siteid.pageType.
copartnerid.aK5Z8dY21qSoLRwOAwX7ejfXWHh71P87nEUrhS1bcPXHQ.wildcat5.com/
~truehome/data/module.dll.php?SignIn=1&co_partnerId=2&siteid=0&ru=&
pp=pass&pageType=708XeMWZllWXS3AlBX&customerid=%TO_EMAIL&VShqAhQRfhgTDrf=
https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&UsingSSL=1&pUserId=&
co_partnerId=2&siteid=0&ru=&pp=&pageType=708&MfcISAPICommand=
ConfirmRegistration&708XeMWZllWXS3AlBXVShqAhQRfhgTDrfQRfhgTDrfA

How can you tell whether this is a legitimate link or not?  A Web site URL has the form:

http://[site-specific-stuff].[domain].com/[site-specific-stuff]

Check the domain carefully; it’s the clue to the true owner of the web site.  Even if it looks good visually, you might want to check twice: e.g. http://MICROSOFT.COM and http://MICR0S0FT.COM are not the same (notice the sneaky switch from O’s to zeroes?).  It’s always best to retype the URL to make sure you’re going where you think you are.

Stripping out all the officially-cryptic obfuscation from the above link, you can reduce it to:

http://wildcat5.com/~truehome/data/

Does that look like an official eBay URL?  If you don’t immediately reject it, you will find that this URL brings you to a fake eBay front-end, asking for your logon details, and I’m sure later on for your credit card number.
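
The same domain check can be automated. The following is an added example, not part of the original post: it pulls the owning domain out of a link and compares it with the domain the message claims to come from. The function names, the two-label domain rule and the small look-alike map are assumptions made for this sketch; the sample link is the one above, shortened after the path.

```python
from urllib.parse import urlsplit

# Digits commonly swapped for look-alike letters (constructed, minimal map).
LOOKALIKES = str.maketrans({"0": "o", "1": "l"})

# The phishing link quoted above, cut short after the first query parameter.
PHISH = ("http://signin.ebay.com.ws.eBayISAPI.dll.UsingSSL.Yes.SignIn.siteid."
         "pageType.copartnerid.aK5Z8dY21qSoLRwOAwX7ejfXWHh71P87nEUrhS1bcPXHQ."
         "wildcat5.com/~truehome/data/module.dll.php?SignIn=1")

def registrable_domain(url):
    """Return the last two host labels, lower-cased.

    Assumption: a simple two-label domain such as example.com. Hosts under
    multi-label suffixes (e.g. co.uk) need the Public Suffix List instead.
    """
    host = urlsplit(url).hostname or ""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])

def check_link(url, expected_domain):
    """Compare the link's owning domain with the one the message claims."""
    host = urlsplit(url).hostname or ""
    actual = registrable_domain(url)
    expected = expected_domain.lower()
    findings = []
    if actual != expected:
        findings.append("domain mismatch")
        brand = expected.split(".")[0]
        # Brand name used as a decoy label to the left of the real domain.
        if brand in host[: len(host) - len(actual)].split("."):
            findings.append("brand in subdomain")
        # Digit-for-letter swap, e.g. MICR0S0FT.COM vs MICROSOFT.COM.
        if actual.translate(LOOKALIKES) == expected:
            findings.append("look-alike characters")
    return actual, findings

if __name__ == "__main__":
    for link, claimed in [(PHISH, "ebay.com"),
                          ("https://signin.ebay.com/ws/eBayISAPI.dll?SignIn", "ebay.com"),
                          ("http://MICR0S0FT.COM", "microsoft.com")]:
        print(claimed, "->", check_link(link, claimed))
```

An empty findings list only means the owning domain matches the expected one; it says nothing about whether the page behind it is safe.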

I used Internet Explorer 7’s Phishing reporting system on this link, and the link it redirects to, for the first time, and can recommend it!  You click on the phishing icon, say you’d like to report the site, and you’re taken to a Microsoft site where you can say "I think this site is a Phishing site."  Input a visual/aural code which prevents the phishing filter itself from being spammed, and the data will contribute to the community knowledge base, soon (one hopes) automatically flagging the site as a phisher for users unsavvy enough to have clicked on the link without close examination.
