Use of subname.example.com format in phishing

@Kristi941

Posted in: #Dns #Domains #Hyperlink #Phishing #Subdomain

I have noticed some phishing emails that copy the format that Google or Gmail use in their URLs for account login or OAuth logins:
accounts.google.com/

I've seen URLs like
accounts.fishyname.google.asdf.com

I don't remember the exact layout of the fake URL, but it was similar to that.

Q: Is there a general rule to follow to be sure that it's the actual site you think it is, e.g. Google?

I know it should have the secure (lock) symbol, but what about the layout of the URL part?


@Alves908

accounts.fishyname.google.asdf.com

You do need to have some knowledge of URL/domain structure in order to assess whether this is the real deal or not just by looking at it. In this case the domain is clearly asdf.com - which is obviously not Google.

As you mentioned in comments, the "hierarchy" is right to left. .com is the top-level domain (TLD) under which anyone can register a domain name. Once someone has registered a domain, they can create any number of (suspicious-looking) subdomains they like for that domain (as in your example). Your example shows 3 additional subdomains: accounts.fishyname.google.

If you look up asdf.com in a WHOIS database then it will report the registered owner of that domain (although this could be protected with a private registration service).

You also have to be careful of domains which might look very similar to the real thing - due to the use of unicode lettering. See IDN homograph attack (Wikipedia). For instance, there was a recent case where a Russian spammer registered ɢoogle.com (that's a small-cap G, not g at the beginning) to try to dupe the unwary. Reference: www.bleepingcomputer.com/news/security/russian-spammer-uses-fake-google-domain-to-tell-webmasters-to-vote-trump/

I know it should have the secure (lock) symbol

Simply having the lock symbol (i.e. HTTPS) doesn't tell you anything about who you are connecting to. You might simply be connecting to a malicious website... securely!

Only if the SSL cert is an extended validation certificate (the green bar in the address bar) and you take the time to check the name, can you be sure who you are connecting to.
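The right-to-left reading of the hostname and the homograph check described in this answer, as an added Python example (not code from the thread). The allowlist, the brand-word list and the two-label "registrable domain" rule are assumptions made for the demo; a real check must consult the Public Suffix List.

```python
"""Read a hostname right to left, trust only the registrable domain, and
flag look-alike (IDN) labels, as the answer above describes."""
from urllib.parse import urlsplit

# Constructed allowlist: registrable domains you actually expect to log in to.
TRUSTED = {"google.com"}
# Constructed list of brand words that are suspicious when they appear only
# in subdomains of some *other* registrable domain.
BRAND_WORDS = {"google", "gmail", "accounts"}


def registrable_domain(host: str) -> str:
    """Last two labels, e.g. 'asdf.com' for accounts.fishyname.google.asdf.com.
    Simplification: real code must use the Public Suffix List, because for
    'example.co.uk' the registrable domain is three labels, not two."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def to_ascii(host: str) -> str:
    """Punycode form of the host (what DNS and the certificate actually see).
    Python's 'idna' codec implements IDNA 2003; newer rules differ in corners."""
    return host.encode("idna").decode("ascii")


def assess(url: str) -> dict:
    """Return the registrable domain plus every reason to distrust the URL."""
    host = (urlsplit(url).hostname or "").lower()
    ascii_host = to_ascii(host)
    reg = registrable_domain(ascii_host)
    reasons = []
    if reg not in TRUSTED:
        reasons.append(f"registrable domain is {reg}, not in {sorted(TRUSTED)}")
    if any(label.startswith("xn--") for label in ascii_host.split(".")):
        reasons.append(f"contains non-ASCII (IDN) labels: {ascii_host}")
    sub_labels = ascii_host.split(".")[:-2]
    hits = sorted(w for w in BRAND_WORDS if any(w in s for s in sub_labels))
    if hits and reg not in TRUSTED:
        reasons.append(f"brand words {hits} appear only in subdomains of {reg}")
    return {"host": host, "ascii_host": ascii_host, "registrable": reg,
            "trusted": not reasons, "reasons": reasons}


if __name__ == "__main__":
    for u in ("https://accounts.google.com/signin",
              "https://accounts.fishyname.google.asdf.com/login",
              "https://ɢoogle.com/"):      # small-capital G from the answer
        print(assess(u))
```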
