Top 5 #InfoSec Reads: August 11-18
Top 5 #InfoSec Reads: August 18-27

Is it a Phish? Common Deceptions in Phishing URL composition

Phishers take advantage of common user behavior. Phishers know that people often see what they want to read rather than what is actually displayed in a message or hyperlink. They know that when we read in haste, we may pay less attention to punctuation marks. They know, too, that we are generously tolerant of typos, that we often "skip over" strings in haste, or that we may not continue to read scrupulously to conclusion once we encounter the word or name that we expect.

Visual deception has often been used by fraudsters or scammers to phish Paypal, including an iconic homographic attack where the phishers used a visually similar string, PayPaI. Other deceptions - obfuscation, imitation of URLs dynamically generated by content management systems, SSL protection - often accompany visual deception.

I searched the APWG's eCrime Exchange (eCX) block list to find hyperlinks associated with phishing campaigns that substituted the string peypal somewhere in the domain names or hyperlinks for the brand Paypal. Figure 1 shows  hyperlinks from recent phishing campaigns against Paypal that were reported to the block list.


Figure 1. APWG Ecrime Exchange Data Search Results for "peypal"

These results suggest that visual deceptions are still common. Let's consider what forms of deception these hyperlinks employ (Note: I use a security mail list convention "hxxp" to emphasize that readers should treat these links as malicious):

hxxp:// - This hyperlink uses several deceptions. It uses peypal in the domain name to thwart online brand protection efforts  to identify domain name registrations that infringe on the Paypal brand. It also uses the brand /paypal/ in a directory, which also happens to be the last string of characters Latin-script, "left-to-right" readers encounter. Ample use of slashes, periods and hyphens add distraction to the deception.

hxxp:// - This hyperlink also uses multiple deceptions and obfuscation. peypal is again in the domain name. Familiar strings - "apps" and "url"-  are present as well (think "comfort foods"). Notice that is present in the URL.  It's not the domain name - it's a component of the web page name (html) - but it is "dead center", a prominent element in the URL. Note how difficult it is to overlook: look away, then return your eyes to the URL: do you see "peypal" or "paypal" first?

hxxp://,, hxxp://, hxxp://, hxxp:// - These hyperlinks substitute peypal for paypal in new Top Level Domain delegations (tips, solutions, guru, and center are new TLDs). This is a fairly simple deception to detect and block. It is quite possible that phishers are testing new TLDs to see whether blocking or suspension practices are different from legacy TLDs. 

hxxps:// - This hyperlink uses peypal to name a subdirectory of what appears to be a legitimate (or possibly abandoned) business domain. The site was unreachable as I compose this post. It also uses SSL (https) to instill confidence that the link is trusted and secure.

hxxp://, and hxxp:// - Even pros have to look carefully to determine that the domain names in these URLs are registered in dot CA (Canada) not dot COM. These  are most likely "messy URLs". The phishers mimic the URLs that some web content management systems dynamically create: the average user sees such URLs all the time and has become desensitized to unreadable strings.

What should you take away from this modest dive into phishing URL data?

  1. Deceptions remain a common phisher convention.
  2. Visual deception - strings that look like a brand or familiar name - remain popular.
  3. Phishers are agnostic when it comes to Top Level Domains.
  4. Phishers appear to be experimenting with new Top Level Domains.
  5. Phishers obfuscate URLs; in particular, phishers mimic content delivery systems to generate "messy URLs" to deceive you (and to defeat antispam measures).

And the lessons to learn?

  • Read the entire URL.
  • Read what is displayed, not what you expect to be displayed.
  • Take the time to distinguish the domain name from the URL.
  • Resist the temptation to stop reading once you've encountered a brand or familiar string of characters in URLs and only use this to conclude the URL is safe.

Be patient and careful with URLs.

Shameless plug: the APWG eCrime Exchange (eCX) is an excellent source of phishing data and collaboration. You can contact me or matt at to learn about membership levels that include access to these valuable resources.


Feed You can follow this conversation by subscribing to the comment feed for this post.

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Comments are moderated, and will not appear until the author has approved them.

Your Information

(Name is required. Email address will not be displayed with the comment.)