Phishers take advantage of common user behavior. They know that people often see what they expect to read rather than what is actually displayed in a message or hyperlink. They know that when we read in haste we pay less attention to punctuation marks. They know, too, that we are generously tolerant of typos, that we "skip over" long or unfamiliar strings, and that we may stop reading scrupulously as soon as we encounter the word or name we expect.
Visual deception has long been used by fraudsters and scammers to phish Paypal customers, including an iconic homograph attack in which the phishers used the visually similar string PayPaI (a capital I standing in for the lowercase l). Other deceptions - obfuscation, imitation of the URLs that content management systems generate dynamically, TLS (https) padlocks - often accompany visual deception.
I searched the APWG's eCrime Exchange (eCX) block list for hyperlinks associated with phishing campaigns that substituted the string peypal for the brand name somewhere in the domain name or elsewhere in the hyperlink. Figure 1 shows hyperlinks from recent phishing campaigns against Paypal that were reported to the block list.
These results suggest that visual deceptions are still common. Let's consider what forms of deception these hyperlinks employ (Note: I use a security mail list convention "hxxp" to emphasize that readers should treat these links as malicious):
hxxp://confirmation-login.services-peypal.com/paypal/ - This hyperlink uses several deceptions. The registrable domain is services-peypal.com: the peypal spelling keeps the registration out of brand-protection searches for domain names that infringe on the Paypal brand. The exact brand appears only as the directory /paypal/, which also happens to be the last string a left-to-right reader of Latin script encounters, so it is what sticks. The hyphens, periods and slashes add further distraction.
hxxp://www.appspeypal.url.ph/paypal.com_it_home.html - This hyperlink also uses multiple deceptions and obfuscation. peypal is again in the domain name. Familiar strings - "apps" and "url" - are present as well (think "comfort foods"). Notice that paypal.com is present in the URL. It's not the domain name - it's part of the file name of the web page (paypal.com_it_home.html) - but it sits "dead center", the most prominent element of the URL. Note how difficult it is to overlook: look away, then return your eyes to the URL: do you see "peypal" or "paypal" first?
hxxp://peypal.tips, hxxp://peypal.today, hxxp://peypal.solutions, hxxp://peypal.guru, hxxp://peypal.center - These hyperlinks substitute peypal for paypal directly in the registered domain name, under new Top Level Domain delegations (tips, today, solutions, guru and center are all new gTLDs). This is a fairly simple deception to detect and block. It is quite possible that phishers are testing new TLDs to see whether blocking or suspension practices differ from those of legacy TLDs.
hxxps://www.nurturalhorse.com/wp/peypal/cgi-bin/ - This hyperlink uses peypal to name a subdirectory (under what looks like a WordPress install) on what appears to be a legitimate, or possibly abandoned, business domain: the registrable domain, nurturalhorse.com, has no brand string in it at all. The site was unreachable as I composed this post. The link also uses TLS (https) so that the browser padlock instills confidence that the link is trusted and secure; the padlock only says the connection is encrypted, not that the site is who you think it is.
hxxp://peypal.com.confirmation.86a4261d849a6e99b3c3a38f7585e3c7d4a91823.ouq.jmlt.ca/9f3885a038f82d43730038c8d9043a43/Login.php, and hxxp://peypal.com.confirmation.86a4261d849a6e99b3c3a38f7585e3c7d4a91823.ouq.jmlt.ca/727b219497204cedb818ed9a818cee8b/Login.php?login - Even pros have to look carefully to determine that the domain name in these URLs is registered in dot CA (Canada), not dot COM: the registrable domain is jmlt.ca, and everything to the left of it (peypal.com.confirmation, the long hexadecimal label, ouq) consists of subdomain labels the registrant can create at will. These are most likely "messy URLs". The phishers mimic the URLs that some web content management systems dynamically create: the average user sees such URLs all the time and has become desensitized to unreadable strings.
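The analysis walked through above (find the registrable domain, then ask where the brand and its look-alikes actually sit) can be mechanized. The following Python script is an added example, not code from the original post or from the APWG; the sample list reuses the defanged hyperlinks discussed above, the public-suffix table and the set of confusable characters are assumptions chosen to cover those samples, and a real tool would load the Public Suffix List instead of the hand-made table.

```python
"""Split a phishing URL into subdomain / registrable domain / path and report
where the brand (or a look-alike of it) appears in each part."""
import re
from urllib.parse import urlsplit

BRAND = "paypal"

# Constructed sample: the defanged (hxxp) hyperlinks discussed in the post.
SAMPLE_URLS = [
    "hxxp://confirmation-login.services-peypal.com/paypal/",
    "hxxp://www.appspeypal.url.ph/paypal.com_it_home.html",
    "hxxp://peypal.tips",
    "hxxps://www.nurturalhorse.com/wp/peypal/cgi-bin/",
    "hxxp://peypal.com.confirmation.86a4261d849a6e99b3c3a38f7585e3c7d4a91823"
    ".ouq.jmlt.ca/9f3885a038f82d43730038c8d9043a43/Login.php",
]

# Assumption: a hand-made public-suffix table that only covers the sample.
# A real tool must load the Public Suffix List (publicsuffix.org); url.ph is
# listed here as a suffix because the post treats appspeypal.url.ph as the
# phisher's own name.
PUBLIC_SUFFIXES = {"com", "ca", "ph", "url.ph", "tips", "today",
                   "solutions", "guru", "center"}

# Assumed set of characters a hasty reader confuses with the brand's letters.
CONFUSABLE = {"a": "[aeo@4]", "e": "[e3]", "i": "[i1l|]",
              "l": "[l1i|]", "o": "[o0]", "y": "[yv]"}
LOOKALIKE = re.compile("".join(CONFUSABLE.get(c, re.escape(c)) for c in BRAND))
HEXISH = re.compile(r"[0-9a-f]{24,}")  # long hex tokens typical of "messy URLs"


def refang(url):
    """Turn the hxxp/hxxps mail-list convention back into a parseable scheme."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def registrable_domain(host):
    """Registrant-controlled name: longest known public suffix plus one label."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown TLD: fall back to the last two labels


def lookalikes(text):
    """Brand look-alikes found in text; exact spellings of the brand are excluded."""
    return sorted({m.group(0) for m in LOOKALIKE.finditer(text)
                   if m.group(0) != BRAND})


def triage(url):
    """Where does the brand (exact or look-alike) sit: subdomain, registrable, path?"""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    subdomain = host[: len(host) - len(reg)].rstrip(".")
    path = (parts.path + ("?" + parts.query if parts.query else "")).lower()
    components = {"subdomain": subdomain, "registrable": reg, "path": path}
    return {
        "registrable_domain": reg,
        "https": parts.scheme == "https",
        "brand_exact": [name for name, s in components.items() if BRAND in s],
        "lookalikes": {name: lookalikes(s) for name, s in components.items()
                       if lookalikes(s)},
        "messy": bool(HEXISH.search(host + path)),
    }


def reasons(url):
    """Human-readable triage findings; an empty list means nothing stood out."""
    t = triage(url)
    out = []
    for where, words in t["lookalikes"].items():
        out.append(f"brand look-alike {'/'.join(words)} in {where}")
    if t["brand_exact"] and "registrable" not in t["brand_exact"]:
        out.append("exact brand only in " + "/".join(t["brand_exact"])
                   + ", not in the registrable domain " + t["registrable_domain"])
    if t["messy"]:
        out.append("long hexadecimal tokens (messy URL)")
    return out


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u)
        for r in reasons(u):
            print("   -", r)
```

The point of the split is the third lesson at the end of the post: the only part of a URL the registrant had to pay for and that a brand owner can dispute is the registrable domain, and in four of the five samples that part is services-peypal.com, appspeypal.url.ph, peypal.tips, nurturalhorse.com or jmlt.ca, never paypal.com. Everything else, subdomain labels and path, is free text the phisher types in.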
What should you take away from this modest dive into phishing URL data?
- Deceptions remain a common phisher convention.
- Visual deception - strings that look like a brand or familiar name - remain popular.
- Phishers are agnostic when it comes to Top Level Domains.
- Phishers appear to be experimenting with new Top Level Domains.
- Phishers obfuscate URLs; in particular, they mimic the "messy URLs" generated by content management systems to deceive you (and to defeat antispam measures).
And the lessons to learn?
- Read the entire URL.
- Read what is displayed, not what you expect to be displayed.
- Take the time to pick out the registrable domain name from the rest of the URL: the host name's last labels before the first slash, not whatever appears first.
- Resist the temptation to stop reading once you've encountered a brand or familiar string of characters in a URL, and never use that string alone to conclude the URL is safe.
Be patient and careful with URLs.
Shameless plug: the APWG eCrime Exchange (eCX) is an excellent source of phishing data and collaboration. You can contact me or matt at apwg.org to learn about membership levels that include access to these valuable resources.