Privacy - URL Tricks
The other day I received an Email from a well known computer
professional who was concerned that he had been tricked by a scam
web site. This is one of the fake sites - a paypal fake that was
so good it looked real.
He got there by following a link in an Email that looked like
this:
Dear paypal user, We would like to inform you that we are upgrading our server to install a better protection software. So
please click here
and fill in the registration form again to renew your account.
Now, if this were an infected message, you'd actually see
www.paypal.com on the status bar of your browser, but when you
clicked on it, it would go to a fake paypal site. I tried to actually
build a fake link into this page (that would say paypal but
actually bring you back here), but my web server's antivirus
program kept deleting the page when I tried to post it!
How they do it
If you look at the source code for the link in an infected
message, you'll see this:
<a
href="http://www.paypal.com%01%01%01%01%01%01%01%01%01%01%01
%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01
%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01
%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01
%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01
%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01
%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01
%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01
%01%01%01%01@www.somefakepayapalsite.com ">click here</a>
This trick takes advantage of the way URLs (web addresses) are
formed. Usually, a link to a web site such as this one is in the
form
http://www.alwaysuseprotection.com
When the web site receives a request from that URL, it
internally processes the request using an anonymous user account -
that's an account on the web server designed to handle web
requests from outsiders.
But it is possible to ask a web server to use a different
account. This is normally done for sites that require user names
and passwords to even view the site. You can specify the user name
as part of the URL, like this:
http://someuser@www.alwaysuseprotection.com
So in the scam link above, the http://www.paypal.com%01%01...
is all actually part of the user name! The real web site is the
part after the @ symbol.
Why the %01? That's a non-printable character that shows up as
blank space. So, when you move your mouse over the link in Internet
Explorer, it only shows the first part of the link. It looks like
the URL, but it's really just the fake user name (Netscape/Mozilla
display an "illegal character" symbol, so it's easier to spot the
fake).
What happens when you click their link?
When you click the link in the virus Email, it redirects you to
their fake paypal site. This site does the following:
- Updates your address bar to show www.paypal.com - misleading
you into thinking that you really are on paypal (that's why
I always recommend you type in the URL yourself rather than
clicking a link).
- Tries to trick you into giving them sensitive personal
information.
Click here
to see an image of the actual screen that I saw when I
clicked on the link.
This also emphasizes the importance of having active virus
scanning on your system at all times (See chapter 4 in the book).
How to avoid the trap
Follow the recommendations in chapter 15 (Scams) of
"Always Use Protection: A Teen's Guide to Safe
Computing." You'll find rules on how to avoid this kind of
attack. Also, don't be afraid to look at the HTML source for a web
page - if you see this kind of link, it's probably a scam.
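To make the "look at the HTML source" check concrete, here is an added example (my own code, not from the book or the page) that pulls every link out of a message's HTML, splits each one the way the page describes (everything before the last @ is the user name, the real site comes after it) and reports what the link appears to point at versus where it really goes. It relies on Python's standard urllib.parse for the split; the sample message below is constructed, with the %01 padding shortened to eight characters.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit


def _clean(url: str) -> str:
    # A long href is often wrapped over several lines in the source;
    # drop tab/CR/LF and surrounding blanks before parsing.
    return re.sub(r"[\t\r\n]", "", url).strip()


def real_host(url: str) -> str:
    """Host the browser actually connects to: the part after the last '@'
    in the address, or the whole address when there is no user name."""
    return urlsplit(_clean(url)).hostname or ""


def visible_prefix(url: str) -> str:
    """What the link appears to point at when the user-name field is shown
    only up to its first non-printable (e.g. %01) character.  Links with
    no user name simply show their host."""
    parts = urlsplit(_clean(url))
    if parts.username is None:
        return parts.hostname or ""
    shown = ""
    for ch in unquote(parts.username):
        if not ch.isprintable():
            break
        shown += ch
    return shown


def analyse_link(url: str) -> dict:
    """Describe one href and list the reasons it looks like the @ trick."""
    parts = urlsplit(_clean(url))
    user = unquote(parts.username or "")
    flags = []
    if parts.username is not None:
        flags.append("user name present before @")
    if any(not ch.isprintable() for ch in user):
        flags.append("non-printable padding in user name")
    if re.search(r"\w+\.\w+", user):
        flags.append("user name looks like a web address")
    return {
        "looks_like": visible_prefix(url),
        "real_host": parts.hostname or "",
        "flags": flags,
    }


class _LinkCollector(HTMLParser):
    """Collect every <a href=...> found in a piece of HTML."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def check_html(html: str) -> list[dict]:
    """Run analyse_link over every link in the HTML source of a message."""
    collector = _LinkCollector()
    collector.feed(html)
    return [analyse_link(href) for href in collector.hrefs]


# Constructed sample message (not a real one): the padding is shortened to
# eight %01 characters; the second link is the book's own site.
SAMPLE_EMAIL_HTML = (
    "<p>Dear paypal user, please "
    '<a href="http://www.paypal.com' + "%01" * 8
    + '@www.somefakepayapalsite.com ">click here</a> '
    'or <a href="http://www.alwaysuseprotection.com/">visit the book site</a>.</p>'
)

if __name__ == "__main__":
    for result in check_html(SAMPLE_EMAIL_HTML):
        status = "SUSPICIOUS" if result["flags"] else "ok"
        print(f'{status}: looks like {result["looks_like"]!r}, '
              f'really goes to {result["real_host"]!r}'
              + (f'; {"; ".join(result["flags"])}' if result["flags"] else ""))
```

Run as a script it prints one line per link; for the constructed message the first link reports that it looks like www.paypal.com but really goes to www.somefakepayapalsite.com, while the book's own link is reported as ok. Any link that has a user name at all is worth a second look, since ordinary web sites almost never put one in a link.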