Date: 2023-12-25

Suara.com – Cybercriminals often disguise malicious and phishing links, trying to confuse email filters.

What they want is to get victims to click on an address that actually leads to another address.

Here Kaspersky will explain the most common methods used by cybercriminals to disguise malicious or phishing URLs.

The simplest way to hide the real domain in an address is to use the @ symbol in the URL.

This is a perfectly legal symbol that can be used to integrate logins and passwords into website addresses: HTTP makes it possible to pass credentials to a web server via a URL simply by using the login:password@domain.com format.

If the data before the @ symbol is incorrect and not suitable for authentication, the browser will simply discard it, redirecting the user to the address located after the @ symbol.

HTTP illustration. (Miguel Á. Padriñán/Pixabay)

Cybercriminals take advantage of this: they create a convincing page name that includes a legitimate site name, and place the real address after the @ symbol.

For example, look at our blog address which is disguised like this:

https://convincing-business-related-page-name-pretending-to-be-on-google.com@kaspersky.com/blog/

This looks like a page with a lot of words in the name hosted somewhere on a Google domain, but the browser will take you to https://kaspersky.com/blog/.

With the previous method, cybercriminals often try to confuse users with long page names to divert their attention from the actual address.

But there is a way to hide it completely: by changing a site's IP address to an integer.

As is known, IP addresses are not easily stored in a database.

Therefore, at some point, a mechanism was created to convert IP addresses to integers (which are much more convenient to store) and vice versa.

And nowadays, when modern browsers see a number in a URL, they automatically convert it to an IP address.

Phishing email illustration. (Freepik)

When combined with the same @ symbol, it effectively hides the actual domain.

This is what the link to our company website looks like:

https://google.com…%@3109359386/

With this trick, cybercriminals try to focus attention on the domain before the @ symbol and make everything else look like some kind of parameter; various marketing tools often insert all kinds of alphanumeric tags into web links.
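The two tricks described above, as an added example that is not part of the original article: a Python check that works out which host a link really targets, flagging any text placed before the @ symbol and decoding an integer host into its dotted IP address. The function name `analyze_link` and the second sample link are constructed for illustration, and only the decimal integer form shown in the article is handled.

```python
import ipaddress
from urllib.parse import urlsplit


def analyze_link(url):
    """Return (effective_host, findings) for a link, the way a browser resolves it."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []

    # Everything before the last '@' in the authority is userinfo (login data),
    # not the host. Browsers discard it and connect to what follows the '@'.
    if "@" in parts.netloc:
        decoy = parts.netloc.rsplit("@", 1)[0]
        findings.append(f"text before '@' is not the host: {decoy!r}")

    # A host made only of decimal digits is an IPv4 address written as an integer.
    if host.isascii() and host.isdigit() and int(host) < 2**32:
        host = str(ipaddress.IPv4Address(int(host)))
        findings.append(f"integer host decodes to IP address {host}")

    return host, findings


if __name__ == "__main__":
    samples = [
        # Example link from the article.
        "https://convincing-business-related-page-name-pretending-to-be-on-google.com"
        "@kaspersky.com/blog/",
        # Constructed link: decoy text plus the integer host from the article.
        "https://google.com-constructed-tag@3109359386/",
        # Plain link, nothing to flag.
        "https://kaspersky.com/blog/",
    ]
    for link in samples:
        host, findings = analyze_link(link)
        print(f"{link}\n  real destination: {host}")
        for finding in findings:
            print(f"  flag: {finding}")
```

A mail filter or link-preview tool can show the returned host to the user in place of the raw link text whenever the findings list is not empty.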

Another fairly simple way to hide the original URL is to use one of the legitimate link shortening services.

Several years ago, Google and some of its partners created the Google AMP framework, a service intended to help web pages load faster on mobile devices.

In 2017, Google claimed that pages with AMP load in less than a second and use 10 times less data than similar pages without AMP.

Now attackers have learned how to use this mechanism for phishing.

An email contains a link that starts with “google.com/amp/s/”, but if the user clicks on it, they will be redirected to a site that does not belong to Google.

Illustration of internet browsing. (Pexels)

Another way to hide a page behind someone else's URL is to use an ESP (email service provider), namely a service for creating legitimate newsletters and other emails.

In short, an attacker uses one of these services, creates an email delivery campaign, enters a phishing URL, and as a result gets a ready-to-use clean address that carries the reputation of the ESP company.

ESP companies certainly try to fight abuse of their services, but this is not always successful.

“We recommend proposing it with a protection solution. Besides, we recommend using the solution both at the corporate email server level, and at the internet-enabled work device level,” said Roman Dedenok, security expert at Kaspersky.