Website Phishing: Is That Website Real or Am I Being Attacked?

We’re talking a lot about phishing with our clients as of late and with good reason. According to the latest Data Breach Investigation Report, phishing is one of the biggest threats to an organization and its information, and has been on a steady rise since 2011.

When we talk about phishing, which in its simplest definition is an illegal attempt to acquire sensitive information by masquerading as a trustworthy entity (link to: http://en.wikipedia.org/wiki/Phishing), there are a number of flavors of attacks, including email, malware and phone phishing attacks. One type that has been increasing in popularity is website forgery and that’s the one we are going to dig into today.

Website phishing or forgery is typically the second step in a phishing email attack. An email will encourage you to click on a link that sends you to a website where you are prompted to provide information (often your credentials). When you land on the website it will often look exactly like something you’d expect (for example, you get an email from your “bank” and when you click on the link it takes you to a web page that looks exactly like the real web page of your legitimate bank).

Is it real?

The question is, how do you tell if the site is real or not?

One of the biggest indicators of the legitimacy of the website is the domain name. The domain name is the web address that you type into your browser.

The domain name – for this post I’ll use the fake site example.com – at a high level is broken up into a couple of parts:

  • .com – this is the top-level domain name
  • example – this is the second-level domain name

So when you go to example.com you are going to go to the Example home page – easy enough. After that it can get a bit tricky and that’s where the attackers are looking to catch you off guard. Below are three of the most common tricks used in website phishing.

Trick 1

One of the most common ways we see attackers “play” with domain names is to transpose letters or alter the spelling of names ever so slightly. For example, using our website, an attacker might use examplle.com (adding an additional “l” in the name) or exmaple.com (switching the placement of the “a” and the “m”). What an attacker is counting on when using this method is 1) our lack of attention to what we are doing and 2) that we tend to read whole words as opposed to individual letters (link to: http://www.mrc-cbu.cam.ac.uk/people/matt.davis/cmabridge/) so we won’t catch the sleight of hand.

It’s important to remember that domain names are exact and any change, no matter how slight, can take you to a site you weren’t intending to go.

Trick 2

Another common way we see website phishing attacks work is by attackers taking advantage of our general lack of understanding of domain name structure.

As mentioned previously, there is a basic format to a domain name (second-level domain + top-level domain). Where it gets tricky is when you add subdomains and paths/subpages. Generally, everything before example.com is considered a subdomain and everything after is a path/subpage. It’s essential that you always know the domain name you are going to because that is the ultimate destination.

A subdomain, which can be used to assign a unique name to a particular department, function or service related to a site, is all the text to the left of the domain name. For example.com, let’s say they host their email and blog externally so they created subdomains for them – mail.example.com and blog.example.com respectively. The domain is still example.com but now we have subdomains of mail and blog where those two distinct functions live.

On the other side of the domain name are the paths or subpages. These are the inner pages or files that are housed on your website. For our example.com site, we have an About Us page and a Services page, which would translate to example.com/about-us and example.com/services.

A general rule is to scan the address and look for the first “/”. Now find the first “.” to the left of the “/”. Between the “.” and the “/” is the top-level domain. Reading backwards, the next word is the second-level domain (the place you are trying to go to – say Google or Facebook). If there is text before that, it is considered a subdomain.

Using that knowledge, if I were to switch things up a bit, you can still see example.com in the address, but it is no longer in the correct location and you would instead go to the blog.com website. This is a common trick that attackers attempt.

You will see addresses get much more complex than these examples. Domains can get quite lengthy and these illustrations are trying to provide knowledge without overwhelming. My best piece of advice is whenever you are in doubt or if something seems wrong, type in what you are looking for in a search page like Google and let them take you to the correct site. Also, many browsers will highlight the actual domain in the address bar and gray out the rest of the text in the address to help users see where they are going.

Trick 3

The third way attackers trick users is by switching out the top-level domain. Remember from the beginning of this post that the top-level domain for our example.com site is .com. Other common top-level domains (or TLDs) are .gov, .info, .edu and .net (not to mention country-specific TLDs and new generic TLDs like .ceo and .buzz). Under most circumstances, an organization does not own all the TLDs for their name and using a different one will take you to a very different site. If you go to example.info you will not land on the same site as example.com. Attackers are banking on you not knowing the correct TLD when they send you fake addresses.

Let’s consider an apartment building as a physical comparison to domain names. The address of the apartment building is 301 Main Street (domain name). Within the building are 4 apartments (subdomains) which are named A, B, C and D; and each apartment has various people living in each apartment (paths/subpages). If you wanted to mail a letter to John Doe in apartment B you couldn’t merely address it to Apartment B or John Doe, you’d have to start with the main address, which is 301 Main Street and then add the more detailed address information.  Similarly, if you send the letter to John Smith in apartment B at 303 Main Street, the mail will not deliver to the correct location.
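The three tricks above can be checked mechanically by reading the host name from right to left, as the general rule describes. The following Python sketch is an added example, not something from the original post: the function names, the labels it returns and the sample links are constructed for illustration, and it assumes a one-label top-level domain like .com (suffixes such as .co.uk would need a public suffix list).

```python
from urllib.parse import urlsplit

def hostname(url):
    """Host part of a URL, with or without a scheme (everything before the first path '/')."""
    parts = urlsplit(url)
    if not parts.netloc:                  # bare "example.com/about-us" style input
        parts = urlsplit("//" + url)
    return (parts.hostname or "").rstrip(".")

def registered_domain(url):
    """(second-level, top-level) read right to left from the host, per the rule above.
    Assumption: one-label TLDs only; suffixes such as co.uk need a public suffix list."""
    labels = hostname(url).split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else ("", labels[-1])

def edit_distance(a, b):
    """Edits (insert, delete, substitute, swap of adjacent letters) turning a into b."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify(url, trusted="example.com"):
    """Compare where a link really goes with the domain you meant to visit."""
    want_sld, want_tld = trusted.split(".")
    sld, tld = registered_domain(url)
    if (sld, tld) == (want_sld, want_tld):
        return "match"
    if tld == want_tld and edit_distance(sld, want_sld) <= 2:
        return "lookalike spelling"        # Trick 1
    if want_sld in hostname(url).split(".")[:-2]:
        return "trusted name misplaced"    # Trick 2
    if sld == want_sld:
        return "different TLD"             # Trick 3
    return "unrelated"

# Constructed sample links (not taken from real traffic).
SAMPLES = ["https://mail.example.com/login", "examplle.com", "exmaple.com",
           "https://example.com.login.test/services", "example.info"]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{link:42} -> {classify(link)}")
```

Only the first sample link is reported as a match; the other four each trip one of the three checks even though "example" is visible somewhere in the address.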

Verify BEFORE you click

If you want to be sure you are going to the right location, there are a few things you can do:

  1. Perform a search for the site you are looking for

Trying to get to the Example account login page? Type in “Example Login page” into your search bar and it will send you to the correct location.

  2. Conduct a search on the domain name you are unsure about

There are great sites like WhoIs.com where you can type or paste in the domain name and find out who it belongs to.

  3. Play it safe – don’t click on links
    Our best piece of advice is to always be leery of emails that ask you to click on a link that takes you to a website asking for credentials or any sort of private information. Don’t do it unless you are absolutely sure you know where you are going.

Want to get smarter?

Now that you are armed with a little more knowledge, check out this fantastic quiz on detecting phishing websites at OpenDNS.com (link to: https://www.opendns.com/phishing-quiz/). The quiz breaks down the attack methods listed above along with a few others that are being used against us.

Knowledge is power and the more knowledge you have the less power the attackers have.


Michelle Killian
Michelle’s experience as a business leader and master communicator uniquely positions her as a highly effective virtual CISO. Her ability to drive security initiatives that align with business needs and cultivate buy-in from all areas of her client organizations is well known among our clients. Building strong, sustainable security programs and training are Michelle’s security passions.
