Phishing expedition

“Phishing” – the art of getting internet users to give personal information to a bogus website masquerading as a real one – is a phenomenon to watch out for.

This quiz asks you to spot whether 14 web pages are the sites they purport to be, or phishing attempts.

The fake sites seemed pretty obvious to me, but I’m online a lot (well, ALL the time :)) and I’ve read plenty of warnings about these things. I’ve been caught once, when an email that claimed to be from a friend enticed me to “sign in” to one of my instant messenger accounts. My doing so gave the scam site permission (note to self: always read the Terms of Service!) to log in to my account and send spam messages to any of my IM contacts who were online. Fortunately only one of those contacts was, and he alerted me immediately. Changing my password solved the problem because it prevented the scammer signing in to my account. Fortunately s/he did not copy my contacts, and the only damage – apart from a bemused friend – was my embarrassment.

Another friend felt he didn’t do very well in this quiz because he didn’t know what to look for. So, I thought it might be helpful if I posted here the reasoning I used when I did it. First, a brief description of internet addresses, which will (I hope) help to explain what I looked for.

Internet Addresses

1. Anatomy of a URL

A URL (internet address; URL is an acronym for Uniform Resource Locator) is made up of several parts:

  • the internet protocol – http:// or https:// (“http” is “Hypertext Transfer Protocol” and the “s” signifies “secure” – https:// is normally used anywhere you need to sign in)
  • the world wide web prefix – www.
  • the domain name – eg mysite
  • the domain extension – eg .com

Put them together and you get http://www.mysite.com or https://www.mysite.com

2. Directories (folders)

Most URLs, however, have extra bits after the extension. For example:

  • http://www.mysite.com/cars/fords/index.html
  • http://www.mysite.com/cars/toyotas/index.html

The parts of the URL after the first single slash (“/”) are folders used to structure the website’s content. The index.html is just the default page within the folder.

3. Subdomains

Some sites have stuff before the domain name. For example:

  • http://www.cars.mysite.com
  • http://cars.mysite.com (many URLs work with or without the “www” prefix)

The “.” (full stop – period for those in the Americas ;)) before the domain name indicates that the part of the address in front of the period is a subdomain (in this case “cars”) of mysite.com. Subdomains are used to divide large websites into sections or departments – more or less a fancy way of structuring a site as an alternative to using folders.

Big websites often have complex URLs – they might have a subdomain at the start, followed by the domain name and extension, and then several folders after that. To combine the examples above:

  • http://www.cars.mysite.com/fords/index.html

4. URLs and IPs

They are not the same thing, although I guess they could be described as two sides of the same coin. The URL is the human-readable address of a website in plain English. The Internet Protocol (IP) address is the actual location of the computer that hosts the website, expressed as a unique identifying number. Usually ‘the IP address is invisibly translated into a natural English “domain name” for ease of use. But technically speaking, the IP address is the true identifier of a web server…the domain name is simply a redirector pointer to help people find the web server.’ (About.com: What Is an ‘IP Address’? Is It the Same as ‘Domain Name’?, accessed 16 December 2011.) For a more technical article see HowStuffWorks: What is an IP address?

The Quiz

Now, the examples in the quiz. I think the most important (and most helpful) thing is to look at the address bar and analyse the parts of the URL, but in some cases there are additional indications that a site might be fake.

1. Yahoo

This is supposed to be a Yahoo site, but the address bar shows https://docs.google.com/ – obviously nothing to do with Yahoo. Another giveaway with this one is the terrible grammar and spelling in the text. It’s also unlikely that Yahoo would delete email accounts because of congestion (although they have been known to do odd things :)).

2. HSBC

This one was a bit tricky. It kind of doesn’t look like a bank’s website, but the first thing I noticed was that the address bar is showing a green strip. Some browsers use something like that to indicate that a site is probably genuine – red would indicate possible danger. I don’t know whether these indicators could be spoofed by bogus sites because I don’t know enough about how browsers do it. The best indicator here, though, is that the URL looks genuine: https://www.us.hsbc.com. The us. before the domain is a subdomain of hsbc.com, and the site is using the https protocol.

3. Facebook

This one looks pretty obviously correct – the URL is clearly Facebook’s real address, and it’s using https.

4. Twitter

This one is fake because the address bar shows that the real domain is all09.info. It has twitter.com as part of the URL, but the period between twitter.com and all09 indicates that “twitter.com” is a subdomain of “all09.info”. In this case the additional period between twitter and com is probably intended to make the URL look genuine. Note that anyone could add a “twitter.com” subdomain to their domain; subdomain names can be anything meaningful to the owner. A second indication that this site is fake is that it uses an outdated Twitter design. No https.

5. American Airlines

Fake, for the same reason as the Twitter one. This URL has aa as part of the address, but it’s a subdomain of airlinesaamemeber.com, with possibly poor spelling thrown in at no extra charge. No https.

6. Amazon

This one is real – the address clearly shows www.amazon.com.

7. PayPal

Fake, but perhaps a bit harder to spot because of the complex URL. In this case the first single forward slash (“/”) is the most important thing to note, because it separates the actual domain name from the added bits that make it look like it might be a genuine PayPal URL. The domain name is http://cedij.com.mx – which is a real Mexican domain, although it doesn’t have a live website. All the stuff after that first / is folder names, including one named paypal.com for good measure. PayPal always uses https; this site doesn’t.

8. Comcast

Another coloured bar, which might indicate that the browser has decided the URL is genuine. In any case, https://login.comcast.net is a genuine URL, with login a subdomain of comcast.net.

9. Amazon

Alarm! Alarm! The address is shown in IP format, which is often used by fake sites. A genuine website of a major company would be unlikely to use anything but its human-readable URL. And Amazon always uses https.

10. Hulu

Real, with secure being a subdomain of hulu.com, and the site is using https.

11. eBay

Another fake, with the single forward slash the crucial pointer. In front of the slash is http://admitr.ytfh.co.uk which, clearly, is not eBay. Following the slash, eBayISAPI.php and the following bits just point to the fake sign-in page. Also, eBay always uses https; this site doesn’t.

12. zyngapoker

A fairly obvious fake. http://h1.ripway.com is not ZyngaPoker, which is apparently a Facebook application (I’m not the least bit interested in poker – online or otherwise – and I’d never heard of it before this). No https.

13. Dropbox

This one was easy for me because I use Dropbox, but it’s fairly clear that it’s genuine.

14. Battle.net

Another tricky one. Another coloured bar helps. Again, the first single forward slash is the important component of the URL. In front of it, https://us.battle.net is the actual domain name. Following the slash are two folder names and, if I’m reading the URL correctly, the referrer URL – the page the user visited before arriving at this page.
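The URL anatomy from the “Internet Addresses” section and the checks applied by eye to the quiz sites above are the same thing done with a parser, so here is both in one place. This is an added example written for this post, not code from the post or from any quiz. It assumes a tiny constructed subset of multi-label extensions (the real Public Suffix List is far longer), the brand and genuine-domain pairs are assumptions, and the folder paths, query string and IP address marked “constructed” are made up because the post only describes them in words.

```python
"""URL anatomy (sections 1-3) and the quiz red flags, as code.

Added example, not part of the original post.  MULTI_LABEL_EXTENSIONS is a
small constructed subset of the real Public Suffix List, enough for the quiz
hosts; paths and the IP address labelled 'constructed' are invented here."""
import ipaddress
from urllib.parse import urlparse

# Constructed subset: extensions that span two labels, so the "domain name"
# is the label in front of them (cedij.com.mx, ytfh.co.uk).
MULTI_LABEL_EXTENSIONS = {"co.uk", "org.uk", "com.mx", "com.au"}


def is_ip_host(host):
    """True when the address bar shows an IP instead of a domain name (quiz #9)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def split_host(host):
    """Split a hostname into (subdomain, domain, extension), e.g.
    'www.cars.mysite.com' -> ('www.cars', 'mysite', 'com')."""
    labels = host.lower().rstrip(".").split(".")
    ext_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_EXTENSIONS else 1
    if len(labels) < ext_len + 1:
        raise ValueError(f"no registrable domain in {host!r}")
    extension = ".".join(labels[-ext_len:])
    domain = labels[-ext_len - 1]
    subdomain = ".".join(labels[: -ext_len - 1])
    return subdomain, domain, extension


def anatomy(url):
    """Protocol, www prefix, subdomain, domain, extension and the folders
    after the first single slash, as the post describes them."""
    parts = urlparse(url)
    if not parts.hostname:
        raise ValueError(f"no host in {url!r}")
    subdomain, domain, extension = split_host(parts.hostname)
    sub_labels = subdomain.split(".") if subdomain else []
    has_www = bool(sub_labels) and sub_labels[0] == "www"
    if has_www:
        sub_labels = sub_labels[1:]
    return {
        "protocol": parts.scheme,
        "www": has_www,
        "subdomain": ".".join(sub_labels),
        "domain": domain,
        "extension": extension,
        "folders": [p for p in parts.path.split("/") if p],
    }


def phishing_indicators(url, brand, genuine_domains):
    """The checks the post applies by eye to a page claiming to be `brand`.
    genuine_domains: registrable domains the brand really signs users in on."""
    parts = urlparse(url)
    host = parts.hostname or ""
    flags = []
    if is_ip_host(host):
        flags.append("address shown as an IP, not a domain name")
    else:
        subdomain, domain, extension = split_host(host)
        registrable = f"{domain}.{extension}"
        if registrable not in genuine_domains:
            flags.append(f"real domain is {registrable}, not a {brand} domain")
            if brand in subdomain:
                flags.append(f"'{brand}' appears only as a subdomain of {registrable}")
            if brand in parts.path.lower():
                flags.append(f"'{brand}' appears only in the folders after the first slash")
    if parts.scheme != "https":
        flags.append("sign-in page not served over https")
    return flags


# Hosts are the ones the post names; paths, query and IP are constructed.
QUIZ = [
    ("https://docs.google.com/", "yahoo", {"yahoo.com"}),
    ("https://www.us.hsbc.com/", "hsbc", {"hsbc.com"}),
    ("http://twitter.com.all09.info/", "twitter", {"twitter.com"}),
    ("http://cedij.com.mx/us/cgi-bin/paypal.com/webscr", "paypal", {"paypal.com"}),
    ("https://login.comcast.net/", "comcast", {"comcast.net"}),
    ("http://192.0.2.10/", "amazon", {"amazon.com"}),  # RFC 5737 test address
    ("https://secure.hulu.com/", "hulu", {"hulu.com"}),
    ("http://admitr.ytfh.co.uk/eBayISAPI.php?SignIn", "ebay", {"ebay.com"}),
    ("https://us.battle.net/login/en/", "battle", {"battle.net"}),
]


def verdicts():
    """Map each quiz URL to ('looks genuine' | 'phishing', list of reasons)."""
    out = {}
    for url, brand, genuine in QUIZ:
        flags = phishing_indicators(url, brand, genuine)
        out[url] = ("phishing" if flags else "looks genuine", flags)
    return out


if __name__ == "__main__":
    print(anatomy("http://www.cars.mysite.com/fords/index.html"))
    for url, (verdict, flags) in verdicts().items():
        print(f"{verdict:14}{url}")
        for reason in flags:
            print("    -", reason)
```

The only piece of real knowledge the checks need is which registrable domain a brand actually signs users in on; everything else (IP host, brand name living in a subdomain or a folder, plain http on a login page) falls straight out of splitting the host at its extension and the rest of the URL at the first single slash. A full Public Suffix List is what a browser or mail filter would substitute for the constructed extension set.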

Caught on Video

Just over two years ago the Galveston Daily News reported that “Police on Friday identified a Lufkin man who accidentally drove a $2 million Bugatti Veyron, a rare automobile that is perhaps the world’s fastest, into a saltwater lagoon. Andy Lee House, 34, owner of Performance Auto Sales, told The Daily News on Wednesday that a low-flying pelican distracted him, causing him to jerk the steering wheel a bit — and he then dropped his cell phone.”

Unknown to Andy, however, his “accident” was captured on video. He was driving his Bugatti along the water frontage. Two guys driving on I45, parallel to the frontage road, spotted the car (thinking it was a Lamborghini) and one started filming it. They kept pace with the Bugatti at about 80km/h until it drove off the road and into the lagoon.

Warning: bad language at time of impact!

Now, as reported in The Age today, Andy is being sued by his insurance company, which claims he deliberately ditched the car in order to claim a $2 million payout. The insurer argues there is no pelican to be seen in the video, and no skid marks on the road.

I’ll leave you to draw your own conclusion.

Interestingly, when I first got on the internet in 1998 two of the first people I met online were from around Lufkin, a city of 35,000 in eastern Texas. It’s south-east of Dallas, and about 275km north of Galveston. I wonder if they know Andy House and Performance Auto Sales?