: Use of subname.example.com format in phishing I have noticed some phishing emails that copy format that Google or Gmail use in their URLs for account login or OAuth logins: https://accounts.google.com/

@Alves908

accounts.fishyname.google.asdf.com


You do need to have some knowledge of URL/domain structure in order to assess whether this is the real deal or not just by looking at it. In this case the domain is clearly asdf.com - which is obviously not Google.

As you mentioned in comments, the "hierarchy" is right to left. .com is the top-level-domain (TLD) under which anyone can register a domain name. Once someone has registered a domain then they can create any number of (suspicious looking) subdomains for that domain they like (as in your example). Your example shows 3 additional subdomains: accounts.fishyname.google.

If you look up asdf.com in a WhoIs database then it will report the registered owner of that domain (although this could be protected with a private registration service).

You also have to be careful of domains which might look very similar to the real thing - due to the use of unicode lettering. See IDN homograph attack (Wikipedia). For instance, there was a recent case where a Russian spammer registered ɢoogle.com (that's a small-cap G, not g at the beginning) to try to dupe the unwary. Reference: www.bleepingcomputer.com/news/security/russian-spammer-uses-fake-google-domain-to-tell-webmasters-to-vote-trump/

I know it should have the secure (lock) symbol


Simply having the lock symbol (ie. HTTPS) doesn't tell you anything about who you are connecting to. You might simply be connecting to a malicious website... securely!

Only if the SSL cert is an extended validation certificate (the green bar in the address bar) and you take the time to check the name, can you be sure who you are connecting to.

Vote Up Vote Down