Phishing expedition

“Phishing” – the art of getting internet users to give personal information to a bogus website masquerading as a real one – is a phenomenon to watch out for.

This quiz asks you to spot whether 14 web pages are the sites they purport to be, or phishing attempts.

The fake sites seemed pretty obvious to me, but I’m online a lot (well, ALL the time :)) and I’ve read plenty of warnings about these things. I’ve been caught once, when an email that claimed to be from a friend enticed me to “sign in” to one of my instant messenger accounts. My doing so gave the scam site permission (note to self: always read the Terms of Service!) to log in to my account and send spam messages to any of my IM contacts who were online. Fortunately only one of those contacts was, and he alerted me immediately. Changing my password solved the problem because it prevented the scammer from signing in to my account. Fortunately s/he did not copy my contacts, and the only damage – apart from a bemused friend – was my embarrassment.

Another friend felt he didn’t do very well in this quiz because he didn’t know what to look for. So, I thought it might be helpful if I posted here the reasoning I used when I did it. First, a brief description of internet addresses, which will (I hope) help to explain what I looked for.

Internet Addresses

1. Anatomy of a URL

A URL (internet address; URL is an acronym for Uniform Resource Locator) is made up of several parts:

  • the scheme, or protocol – http:// or https:// (“http” is “Hypertext Transfer Protocol” and the “s” signifies “secure”: the connection is encrypted and the server has presented a certificate for the host name shown in the address bar. Any page that asks you to sign in should use https://, but https on its own only proves that you are talking privately to the site named in the address bar, not that the site is who it claims to be; a scammer can obtain a certificate for a domain they own)
  • the world wide web prefix – www. (a conventional, optional label; technically it is just a subdomain, see below)
  • the domain name – eg mysite
  • the domain extension – eg .com

Put them together and you get http://www.mysite.com or https://www.mysite.com. The domain name plus its extension, mysite.com, is the part that somebody registered and owns, and it is the part to check.

2. Directories (folders)

Most URLs, however, have extra bits after the extension. For example:

  • http://www.mysite.com/cars/fords/index.html
  • http://www.mysite.com/cars/toyotas/index.html

The part of the URL up to the first single slash (“/”) is the host name, and it alone decides which server the browser talks to. Everything after that slash is the path: folders used to structure the website’s content, which the site’s owner can name anything at all. The index.html is just the default page within the folder.

3. Subdomains

Some sites have stuff before the domain name. For example:

  • http://www.cars.mysite.com
  • http://cars.mysite.com (many URLs work with or without the “www” prefix)

The “.” (full stop – period for those in the Americas ;)) before the domain name indicates that the part of the address in front of the period is a subdomain (in this case “cars”) of mysite.com. Subdomains are used to divide large websites into sections or departments – more or less a fancy way of structuring a site as an alternative to using folders. The point that matters for spotting fakes is that whoever owns mysite.com can create any subdomains they like, including ones containing further dots, so a host name such as bank.com.mysite.com is still a page of mysite.com. The real, registered domain is always read from the right-hand end of the host name: the extension, then the name registered under it.

Big websites often have complex URLs – they might have a subdomain at the start, followed by the domain name and extension, and then several folders after that. To combine the examples above:

  • http://www.cars.mysite.com/fords/index.html

4. URLs and IPs

They are not the same thing, although I guess they could be described as two sides of the same coin. The domain name in a URL is a human-readable label. The Internet Protocol (IP) address is the numeric network address of the computer that hosts the website, and it is what the browser actually connects to. When you type a domain name, the browser looks it up in the Domain Name System (DNS) to find the matching IP address, so the translation is invisible to you. As About.com puts it, ‘the IP address is invisibly translated into a natural English “domain name” for ease of use. But technically speaking, the IP address is the true identifier of a web server…the domain name is simply a redirector pointer to help people find the web server.’ (About.com: What Is an ‘IP Address’? Is It the Same as ‘Domain Name’?, accessed 16 December 2011.) For a more technical article see HowStuffWorks: What is an IP address? The practical consequence is that anyone who controls a computer on the internet can serve a web page from its IP address without registering a name for it at all, which is why a bare IP address in the address bar is a warning sign.

The Quiz

Now, the examples in the quiz. I think the most important (and most helpful) thing is to look at the address bar and analyse the parts of the URL, but in some cases there are additional indications that a site might be fake.

1. Yahoo

This is supposed to be a Yahoo site, but the address bar shows https://docs.google.com/ – obviously nothing to do with Yahoo. Another giveaway with this one is the terrible grammar and spelling in the text. It’s also unlikely that Yahoo would delete email accounts because of congestion (although they have been known to do odd things :)).

2. HSBC

This one was a bit tricky. It kind of doesn’t look like a bank’s website, but the first thing I noticed was that the address bar is showing a green strip. Browsers (at the time of writing) turn the address bar green for a site with an Extended Validation (EV) certificate, meaning a certificate authority has checked the legal identity of the organisation behind the site, and they show that organisation’s name beside the padlock; a red bar indicates a certificate problem. I don’t know whether these indicators could be spoofed by bogus sites because I don’t know enough about how browsers do it. The best indicator here, though, is that the URL looks genuine: https://www.us.hsbc.com. Reading the host name from the right, the registered domain is hsbc.com; us. and www. are subdomains of it, and the site is using the https protocol.

3. Facebook

This one looks pretty obviously correct – the URL is clearly Facebook’s real address, and it’s using https.

4. Twitter

This one is fake because the address bar shows that the real domain is all09.info. It has twitter.com as part of the URL, but the period between twitter.com and all09 indicates that “twitter.com” is a subdomain of “all09.info”. In this case the additional period between twitter and com is probably intended to make the URL look genuine. Note that anyone could add a “twitter.com” subdomain to their domain; subdomain names can be anything meaningful to the owner. A second indication that this site is fake is that it uses an outdated Twitter design. No https.

5. American Airlines

Fake, for the same reason as the Twitter one. This URL has aa as part of the address, but it’s a subdomain of airlinesaamemeber.com, with possibly poor spelling thrown in at no extra charge. No https.

6. Amazon

This one is real – the address clearly shows www.amazon.com.

7. PayPal

Fake, but perhaps a bit harder to spot because of the complex URL. In this case the first single forward slash (“/”) is the most important thing to note, because it separates the actual host name from the added bits that make it look like it might be a genuine PayPal URL. The domain name is cedij.com.mx (the http:// in front is the scheme, not part of the name) – which is a real Mexican domain, although it doesn’t have a live website. All the stuff after that first / is folder names, including one named paypal.com for good measure; folder names are chosen by whoever runs the server and say nothing about who that server belongs to. PayPal always uses https; this site doesn’t.

8. Comcast

Another coloured bar, which might indicate that the browser has decided the URL is genuine. In any case, https://login.comcast.net is a genuine URL, with login a subdomain of comcast.net.

9. Amazon

Alarm! Alarm! The address is shown in IP format, which is often used by fake sites: it means the page is being served straight from a numbered host with no registered domain name in front of it. A genuine website of a major company would be unlikely to use anything but its human-readable URL. And Amazon always uses https.

10. Hulu

Real, with secure a subdomain of hulu.com.

11. eBay

Another fake, with the single forward slash the crucial pointer. In front of the slash is the host admitr.ytfh.co.uk which, clearly, is not eBay: .co.uk is the extension, ytfh is the name registered under it, and admitr is a subdomain. Following the slash, eBayISAPI.php and the following bits just point to the fake sign-in page; the eBay-looking file name is decoration, not identity. Also, eBay always uses https; this site doesn’t.

12. zyngapoker

A fairly obvious fake. http://h1.ripway.com is not ZyngaPoker, which is apparently a Facebook application (I’m not the least bit interested in poker – online or otherwise – and I’d never heard of it before this). No https.

13. Dropbox

This one was easy for me because I use Dropbox, but it’s fairly clear that it’s genuine.

14. Battle.net

Another tricky one. Another coloured bar helps. Again, the first single forward slash is the important component of the URL. In front of it, us.battle.net is the host name, with battle.net the registered domain and us a subdomain of it. Following the slash are two folder names and, if I’m reading the URL correctly, the referrer URL – the page the user visited before arriving at this page. A URL that appears after the folder names like that is just a parameter handed to the page; it does not change which server you are connected to.
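The reasoning used throughout the quiz, and the URL anatomy in the earlier section, can be applied mechanically. The following is an added Python example, not code from the original post or from the quiz: it pulls the host out of an address-bar URL, works out the registered domain by reading the host name from the right, and flags the tell-tale signs discussed above (bare IP host, missing https, a brand name parked as a subdomain or folder around a domain that is not the brand’s). The quiz screenshots are not reproduced on the page, so the sample URLs are reconstructed from the post’s descriptions and labelled as such; the IP address is a constructed TEST-NET address; PUBLIC_SUFFIXES is a tiny hand-made stand-in for the real Public Suffix List; the purported domains (aa.com, zynga.com and so on) are assumptions. It also goes one step beyond the quiz with a constructed URL that uses the user@host form, which hides the real host in the same way a subdomain does.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List: only the suffixes the
# sample URLs need. Real code should load the full list (e.g. via the
# publicsuffix2 package), because "extensions" such as co.uk and com.mx
# are two labels long and the list is the only reliable way to know that.
PUBLIC_SUFFIXES = {"com", "net", "info", "mx", "com.mx", "uk", "co.uk"}


def registrable_domain(host: str) -> str:
    """Read the host name from the right and return the part somebody
    registered: 'all09.info' for 'twitter.com.all09.info', 'ytfh.co.uk'
    for 'admitr.ytfh.co.uk'. Everything to the left is a subdomain the
    registrant can name freely, so it proves nothing about who they are."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        parent = ".".join(labels[i + 1:])
        if candidate not in PUBLIC_SUFFIXES and parent in PUBLIC_SUFFIXES:
            return candidate
    return ".".join(labels[-2:])  # unknown suffix: best effort


def analyse(url: str, purported_domain: str) -> dict:
    """Check an address-bar URL against the registered domain the page
    claims to belong to (e.g. 'paypal.com'). An empty findings list means
    the URL is consistent with the claim, nothing more."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []

    try:                          # quiz item 9: bare IP instead of a name
        ipaddress.ip_address(host)
        domain = host
        findings.append("host is a bare IP address, not a domain name")
    except ValueError:
        domain = registrable_domain(host)

    if parts.scheme != "https":
        findings.append("not https")

    if domain != purported_domain:
        findings.append(f"real domain is {domain}, not {purported_domain}")
        # The lure: the brand name placed left of the real domain (as a
        # subdomain, or as user-info before '@') or right of the first
        # '/' (as a folder or parameter). None of that changes the server.
        brand = purported_domain.split(".")[0]
        decoration = (parts.netloc.lower().replace(domain, "", 1)
                      + "/" + parts.path.lower() + "?" + parts.query.lower())
        if brand in decoration:
            findings.append(f"'{brand}' appears only as decoration around {domain}")

    return {"host": host, "registrable_domain": domain,
            "findings": findings, "looks_genuine": not findings}


# Constructed inputs, reconstructed from the post's descriptions of the
# quiz pages (the screenshots themselves are not on the page).
QUIZ = [
    ("https://docs.google.com/", "yahoo.com"),                  # 1
    ("https://www.us.hsbc.com/", "hsbc.com"),                   # 2
    ("http://twitter.com.all09.info/", "twitter.com"),          # 4
    ("http://aa.airlinesaamemeber.com/", "aa.com"),             # 5
    ("http://cedij.com.mx/paypal.com/", "paypal.com"),          # 7
    ("https://login.comcast.net/", "comcast.net"),              # 8
    ("http://203.0.113.5/", "amazon.com"),  # 9: TEST-NET address, constructed
    ("http://admitr.ytfh.co.uk/eBayISAPI.php", "ebay.com"),     # 11
    ("http://h1.ripway.com/", "zynga.com"),                     # 12
    ("https://us.battle.net/", "battle.net"),                   # 14
    # Beyond the quiz: RFC 3986 allows user-info before '@', another spot
    # where a brand name can sit in front of the real host (constructed).
    ("http://www.paypal.com@cedij.com.mx/", "paypal.com"),
]

if __name__ == "__main__":
    for url, claimed in QUIZ:
        result = analyse(url, claimed)
        verdict = "consistent" if result["looks_genuine"] else "FAKE"
        print(f"{verdict:10} {url:40} {'; '.join(result['findings'])}")
```

Two caveats on reading the output. “consistent” only means the address bar points at the domain you expected over https; the check is no better than your knowledge of the genuine domain, so a lookalike such as a misspelt brand in the registered part is caught only because it differs from the domain you supplied. And the check must be run on what the address bar actually shows after the page has loaded, not on the text of a link in an email, which can say anything.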

Interview with a Vampire… er, Malware creator

“Do not run IE ever, not even once.”
~ Malware developer

Every city in the world has a street you shouldn’t visit at night, where thieves and scam artists live and you probably won’t leave with your wallet intact. The same is true of the Internet, except that you don’t have to go looking for these virtual places: they are more likely to turn up on your own computer, in the form of programs (malware, scripts or other software) designed with a malicious purpose. In the early days such programs were created as pranks or bad jokes, but today they are used for more nefarious purposes (usually to steal money, personal data or other information from the victim).

In an interesting article, Interview with a Malware creator, at Softcity, Miguel Esquirol, a Montreal writer, blogger and journalist, delves into the shadowy world of the computer hacker.

The quote above is one of several pieces of advice the hacker offered on keeping safe online. I highlighted that one for two reasons:

First, because Internet Explorer is notoriously prone to attack. Recent versions are better, but it’s still the browser most likely to be exploited as a way into your computer. Of course, historically it has been the most used browser, but that’s only part of the story. It took years for Microsoft to acknowledge IE’s shortcomings, and even now they still often take longer to fix vulnerabilities than other browser developers. Yet, because of its ubiquitous distribution around the world, web developers go out of their way to make websites work properly with Internet Explorer.

This brings me to the second reason: Microsoft’s lack of commitment to web standards. As far as I’m aware no browser embraces the standards completely, but Microsoft has been consistently reluctant to embrace them, insisting instead on developing their own specifications (which, of course, are unique to IE, and won’t work in any other browser unless the other developers choose to include Microsoft’s ideas in their own browsers). Web developers are more or less forced to put a lot of time and effort into getting their sites to work properly in IE simply because it is so universal, a situation due more to Microsoft’s marketing and captive market than to IE’s suitability or competence as a browser.

When you use a less common—but more standards-compliant—browser, as I do, it’s galling when you come across a site that says “your browser is unsupported, please update to a more modern browser.” I shout at them, “My browser is modern. It’s your web design that’s out of date!”

If web designers refused to jump through hoops to get their sites working in IE, Microsoft would be forced to get its act together and build a standards-compliant browser. IE6, released in 2001 as the default browser in Windows XP, is a particularly cantankerous browser, and it’s often difficult to get it to render sites properly. Sadly, many corporate users were tied to it because their IT departments were committed to Microsoft, and Internet Explorer wasn’t updated for five years. At its peak, Microsoft had over 85% (IE6 71% and IE5 14%) of the market. Last month Microsoft’s share of the market had dropped to 21.2% (IE6 1.2%, IE7 3.4%, IE8 11.5%, IE9 5.1%). It has been overtaken by Google Chrome (33.4%) and Mozilla Firefox (38.1%).

Since both Mozilla and Google pay more attention to standards, perhaps my days of seeing that dreaded “browser unsupported” message are limited. I’m not holding my breath, though!