Webpage Addresses – Identifying Deception

Webpage addresses consist of a hierarchical sequence of components. This article will focus on the main components and show how manipulating these components can be deceptive.

Parts of a webpage address

We are going to break down each part of a webpage address or Uniform Resource Locator (URL) reading from the left to the right. First we’ll use a couple of westernu.edu examples and then we’ll look at some cybercriminal tricks.

Protocol

Image of a webpage address with https:// highlighted

The protocol or scheme tells your web browser how to talk to the web server. For most webpages this is going to be either http:// for unsecured webpages or https:// for secure webpages. Your web browser software may put a lock icon next to the address when it is secure.

Host name

Image of a webpage address with www. highlighted

Following the colon-double-slash (://) is the host name. www is common but this can be anything the site owner wants. A period or dot (.) is used to separate host names from domain names. Some sites do not require a host name.

Domain name

Image of a webpage address with westernu.edu highlighted

Here is where it gets tricky. The domain name is always directly before the path, or it is the last part of the address if no path is specified. The domain name will also never end with a period or dot (.). We’ll see how cybercriminals use this trickiness to fool you in the next section.

Path

Image of webpage address with the path highlighted

The last part of an address is the path. If you are at the home page or root of a domain, the path isn’t always necessary. The path can be almost anything and it may be automatically generated for your session. Think of it as the file name of the webpage you are looking at.

Deceptive webpage addresses

Now that we are familiar with a normal webpage address, let’s look at some ways cybercriminals make deceptive webpages look legitimate.

Host name manipulation

Image of deceptive webpage address with www.westernu.edu highlighted.

As mentioned in the previous section, the host name can be anything the site owner wants. In this case the attacker has made the hostname www.westernu.edu for the domain 123evil-site.com. You can watch out for this by remembering that the domain name is always directly before the path and it will never end with a dot as highlighted in the example above.

Also, don’t rely on the protocol being secure as an indicator that the site is safe. There are now free certificate providers that will issue the certificates used to secure websites to anyone. Always look for the domain name.

Path manipulation

Image of deceptive webpage address with www.westernu.edu as the path highlighted.

Just like the host name, the path can be anything the site owner wants. In this case the attacker has made the path /westernu.edu/index.htm for the domain 123evil-site.com. You can watch out for this by remembering that the path comes after the domain name.

Username manipulation

Image of deceptive webpage address with westernu.edu as the username highlighted.

Although it’s uncommon, sending the username before the host is supported. In this case the attacker has made the username westernu.edu for the domain 123evil-site.com. Be skeptical of the validity of the site if you see an at symbol (@) after what looks like the domain name. Some browsers will warn you if you visit a webpage formatted like this.

A simple rule to find the true domain name

Now that you know some of the tricks cybercriminals use to manipulate URLs to trick you, here’s a simple rule to find the domain name.

1) Find the first single slash

URL http://www.westernu.edu/university/university-about with the first single slash highlighted

2) Back up two dots from the first single slash

URL http://www.westernu.edu/university/university-about with the 2nd dot back from the first slash highlighted

3) The true destination domain is between the slash and the second dot back

URL http://www.westernu.edu/university/university-about with the true domain westernu.edu highlighted
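The three steps above, applied by a program instead of by eye, as an added example that is not part of the original article. It uses JavaScript's built-in URL parser, which separates any username from the host before the rule is applied. The names trueDomain, inspect, EXPECTED_DOMAIN and SAMPLES are assumptions, and the username URL is constructed from the article's description.

```javascript
// Added example: the article's "back up two dots" rule on top of the URL parser.
// EXPECTED_DOMAIN and all function names are assumptions for illustration.
const EXPECTED_DOMAIN = "westernu.edu";

// Steps 1-3: the parser finds where the host ends (the first single slash),
// then we keep the last two dot-separated labels of that host.
function trueDomain(rawUrl) {
  const url = new URL(rawUrl);                   // throws on malformed input
  const host = url.hostname.replace(/\.$/, "");  // ignore a trailing root dot
  // Two-label rule from the article; suffixes such as co.uk would need a
  // public-suffix list instead.
  return host.split(".").slice(-2).join(".").toLowerCase();
}

// Report the true domain and where the expected name appears only as a decoy.
function inspect(rawUrl) {
  const url = new URL(rawUrl);
  const domain = trueDomain(rawUrl);
  const trusted = domain === EXPECTED_DOMAIN;
  const decoys = [];
  if (!trusted) {
    if (url.hostname.includes(EXPECTED_DOMAIN)) decoys.push("host name");
    if (url.pathname.includes(EXPECTED_DOMAIN)) decoys.push("path");
    if (url.username.includes(EXPECTED_DOMAIN)) decoys.push("username");
  }
  return { domain, trusted, decoys };
}

// Sample inputs: the article's own URLs, plus one constructed username case.
const SAMPLES = [
  "http://www.westernu.edu/university/university-about",
  "https://www.westernu.edu.123evil-site.com/university/university-about/",
  "https://www.123evil-site.com/www.westernu.edu/university/university-about/",
  "https://westernu.edu@123evil-site.com/",      // constructed
];

for (const sample of SAMPLES) {
  const r = inspect(sample);
  const verdict = r.trusted ? "ok" : "decoy in " + r.decoys.join(", ");
  console.log(r.domain.padEnd(18), verdict.padEnd(20), sample);
}
```

In the username case the parser discards everything before the at symbol, so the rule is applied only to the real host.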

Practice

Q: What’s wrong with this URL?

https://www.westernu.edu.123evil-site.com/university/university-about/

A: The true destination domain is 123evil-site.com. The www.westernu.edu is part of the subdomain and is there to be a decoy to trick you.

 

Q: What is wrong with this URL?

https://www.123evil-site.com/www.westernu.edu/university/university-about/

A: Again the true destination domain is 123evil-site.com. The www.westernu.edu part of this address is after the first single slash and is another decoy to trick you.

 

Navigating in the cloud

When supported by the cloud provider, WesternU’s IT department can create custom host names for your cloud application that are part of the westernu.edu domain. A popular example of this is bb.westernu.edu. Even when it’s not supported, the IT department can create shortcut webpage addresses that will redirect to your cloud application, like go.westernu.edu or zoom.westernu.edu. You can use these shortcuts in documentation and emails.

Details

Article ID: 71333
Created: Fri 2/1/19 1:25 PM
Modified: Fri 10/9/20 11:01 AM