Foundations: Avoiding Dangerous URLs
By Scott Pinzon, Editor-in-Chief, WatchGuard LiveSecurity Service

[In 2005, LiveSecurity wants to help network administrators raise the level of computer security awareness among their users. We offer this article to any admin whose users get themselves into trouble by going "click-happy" all over the Web and in HTML e-mails. Please feel free to forward this within your organization to non-technical users who you feel would benefit from a more educated approach to Web surfing. -- Scott]

You're shopping and sightseeing in a posh retail district downtown. Excited by the unusual stores and fascinating landmarks, you wander happily from one attraction to another. Then you look around, and -- oops! Somehow you strayed into a dangerous part of town. Dusk is falling, and the nice-looking tourists have vanished. A group of toughs glowers at you from the shadows. Concerned, you high-tail it back to the "nice" part of town.

Using the World Wide Web can be like that, too. This article explains how to recognize and avoid dangerous Web "neighborhoods" that try to lure you in and harm your computer or steal your personal information. The moral of the story is simple: To surf safely, look before you click.

A Web of Threats

Today, over 800 million people use the Internet -- more than enough to attract thieves and scam artists. You might have already experienced some obvious attempts to trick you via e-mail (you haven't sent any money to some poor soul in Nigeria, have you?). Users like you have caught on to classic e-mail scams; thus, many attackers have switched to the Web to continue their deceptions. Their Web attacks count on you clicking on a Web page that the attacker designed maliciously. A clever attacker can set up a site so that if you click on it even once, within seconds he can take over your computer. Even worse, you might not have to go to his site. If you click a link that leads to his site, he could feasibly "own" your computer. Beware!

How is that possible?

Whenever you visit a Web page, lots of invisible activity can happen on your computer. For example, if the Web site welcomes you with your own name, that's because last time you visited, it put a special text file called a cookie on your computer. If a stock ticker scrolls past or sports scores update automatically, the site could be executing a script on your computer. This stuff is normal. But the fact that your computer is willing to receive and execute instructions from a Web site is what hackers exploit.

Fortunately, clumsy attackers set traps that you can see before stepping into them -- if you know what to look for. To recognize when you're entering a tough Web "neighborhood," read this short explanation of URLs.

What Is a URL?

At its most basic level, a Uniform Resource Locator (URL) is the stuff you type in your Web browser so you can visit a site. A URL is the global address of a document, Web page, file, or other resource on the World Wide Web. That's why, as you click from page to page on a Web site, the URL changes.

Some URLs are short, like this:

http://www.google.com

Others are long, like this:

http://www.amazon.com/exec/obidos/tg/detail/-/B0006GK81E/qid=1104967686/sr=8-1/ref=pd_csp_1/002-1050943-0200854?v=glance&s=toys&n=507846

Whether they are short or long, URLs have the same general structure. That's how hackers are able to exploit them -- and also how you can sometimes see what an attacker is trying to do, before you click.

Parts of a URL

URLs follow this general structure:

http://www.kunstlerandsons.com/instruments/trumpets/ClearBright.htm

The letters before the // show what protocol is being used to request the desired Web resource. For example, next time you buy something from a secure e-commerce site, watch and you'll usually see the http become https, to signal that a special security protocol is protecting your online transaction. If you're in the middle of a purchase and the https becomes something else, such as hcp://, someone might be up to something you don't want them to do. So if in doubt, keep an eye on the protocol.

The next section (between the // and the next /) is the name or address of a Web server. A server is just a computer that "serves up" information to other computers. Since computers understand numbers as well as words, this next section might be the address of the server, such as 206.123.10.240, or the name of the server. This is another field to watch for shenanigans.

For example, click the Kunstler and Sons link above and see how the server name in the URL changes when you arrive at the Web page. You're not really landing at the server specified above. This technique is called a redirect. Redirects can happen legitimately or illegitimately. Last year some hackers attacked Citibank, which uses www.citibank.com. When victims arrived at Citibank's site, they saw a pop-up window that looked like part of Citibank's site, and even used the Citi logo, but was really put there by hackers. When victims innocently clicked in the pop-up box, they were redirected to a hacker Web site that still looked like Citibank's site, and requested the user's password and account number. The only tell-tale clue that the site was not a safe place to divulge your password was that after you clicked the pop-up, the URL said something other than www.citibank.com. That's an example of why, while you're Web surfing, you should keep an eye on this field.

The rest of a URL describes a path to a specific file on the server. Most Web resources are HyperText Markup Language (HTML), so you'll encounter lots of URLs that end with .htm or .html. Certain types of documents end in .pdf, or .txt, or any number of other endings. What you generally do not want to see is .exe. This indicates that instead of leading to a document, the URL triggers a program that can execute on your computer. Unless you are intentionally trying to download a program (for example, a setup/install program) from a trusted source, avoid URLs that contain .exe.

You should also become familiar with country codes in URLs. If the server name in a URL ends with .de, that's a German site. If it ends in .ru, that's a Russian site. If you normally bank with Bank of America and suddenly their Web site seems to be filled with URLs whose server names end in .ro, chances are somebody is fooling with you.
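For administrators who want to apply these checks to a batch of links, here is an added example (not part of the original article) that splits a URL into the parts described above and reports each warning sign. The function name, the expected protocol and expected endings, and the sample URLs are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def url_warnings(url, expected_scheme="https", expected_tlds=("com",)):
    """Return the article's warning signs that apply to `url`.

    expected_scheme and expected_tlds are assumptions of this example: what
    the reader normally sees for the site they believe they are visiting.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    warnings = []

    # Protocol: the letters before the //.
    if parts.scheme.lower() != expected_scheme:
        warnings.append(f"protocol is {parts.scheme or 'missing'}, not {expected_scheme}")

    # Server: a numeric address, or a name with an unexpected ending.
    if not host:
        warnings.append("no server name")
    else:
        try:
            ipaddress.ip_address(host)
            warnings.append(f"server is a numeric address: {host}")
        except ValueError:
            tld = host.rsplit(".", 1)[-1]
            if tld not in expected_tlds:
                warnings.append(f"server name ends in .{tld}")

    # Path: a program rather than a document.
    if parts.path.lower().endswith(".exe"):
        warnings.append("path ends in .exe")
    return warnings

# Constructed sample URLs (reserved example names and addresses).
SAMPLES = [
    "https://www.example.com/account/login.html",
    "http://192.0.2.10/files/setup.exe",
    "https://www.example.ro/login.html",
]
for sample in SAMPLES:
    print(sample, url_warnings(sample))
```

A warning here means "look more closely," not "this is an attack"; plenty of legitimate sites use other country codes or plain http.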

Fooling with All of a URL

Besides paying attention to parts of a URL, you should also pay attention to the entire URL. When you click on a URL in a document or on a Web page, that link does not have to go where it says it goes. For example, this URL appears safe to the eye:

http://www.microsoft.com

In reality, if you click it, you'll go to the site of a known hacker collective. You can see this before you click if you use Internet Explorer's Status Bar. In Internet Explorer, click the View menu and enable Status Bar. Doing so displays a gray bar at the bottom of Internet Explorer frames. When your cursor hovers over a URL, the Status Bar will show where the URL really leads. (You can try it with the link above; the page it leads to looks menacing, but is safe.) To a computer, the URL displayed on the Web site is merely a collection of letters for humans to read. The computer reads an HTML tag that is not usually visible to you. Sometimes hackers will exploit this fact, so leave your Status Bar enabled and look at where a URL will lead you before you click on it.

Stand Up for Yourself

Not all Web-based attacks are visible to the intended victim. Sophisticated hackers use tricks to hide what they're doing (they can even fool the Status Bar). But such sophisticated attacks are rare. Most Internet users pay no attention to URLs, so the average attacker doesn't bother to hide his URL stunts. Though you won't understand everything you see happening in URLs, make a habit of keeping an eye on them.

As an adult, you've learned a host of minor but useful self-defense behaviors. When you attend a crowded public event, you don't leave your purse lying unattended. When you visit an urban area, you don't wander around flashing your cash. In an unfamiliar neighborhood, you don't loiter in the shadows. These preemptive measures seem reasonable and simple, right? Think of watching URLs as another minor self-defense behavior that will become second-nature to you. When you spot trouble, simply don't click on it -- and instantly, you're back in a safe neighborhood.

 

Last Update: 11/04/2007 04:10:17 PM