TechChase Free Hosting

URL obfuscation-Phishing Attacks

Link-based tricks are common because they are relatively easy to execute. These kinds of phishing attacks were used extensively when this Internet threat was still in its infancy.

Given below is a list of some such tricks, with examples explaining how an attacker can use each kind of link to trick the end user:

Using Strings – Uses a credible-sounding text string within the URL.
Example: http://XX.XX.43.102/ebay/account_update/now.php
Note: The first two octets of the IP address have been hidden for security reasons. In a real scenario this would point to a web server hosting a fake login screen for your eBay account.

Using @ sign – This syntax is normally used for websites that require authentication (the part before the @ carries the username and password). Attackers use it to trick victims into visiting a fake login page. It works on a simple principle: the browser ignores the content on the left side of the @ sign (it is treated as login credentials) and connects to the domain name or IP address on the right side of the @ sign as the real host.
Example: http://www.citybank.com/update.pl@xx.xx.43.102/usb/upd.pl


Status Bar Tricks – The URL is so long that it cannot be completely displayed in the status bar. Often combined with the @ trick so that the fraudulent host is at the end and not displayed; the victim takes it for a legitimate host and gives away his confidential information!
Example:

http://www.visa.com:UserSession=2f6q9uuu88312264trzzz55884495&usersoption=SecurityUpdate&StateLevel=GetFrom@61.252.126.191/verified_by_visa.html

Similar Name Tricks –
These tricks use a credible-sounding but fraudulent domain name. They have often been used by attackers to gain a psychological advantage over the victim.
Example: http://www.ebay-support.com/verify , http://www.citybank-secure.com/login

URL Encoding Tricks – The URL, or portions of it, is encoded using hex, dword or octal encoding to disguise its true value. Often combined with the @ trick, and the @ itself can be disguised as well.
Example: http://www.visa.com@%32%32%30%2E%36%38%2E%32%31%34%2E%32%31%33, which decodes to 220.68.214.213.

HTML Image Mapping Tricks – The URL is actually part of an image that uses map coordinates to define the click area and the real URL, while the fake URL from the <A> tag is what is displayed. Here is a small piece of code that shows how this is done:

<html>
<head>
<title>Image mapping explained</title>
</head>
<body>
<img src="file:///D:/IMAGE.jpg" width="390" height="176" border="0" usemap="#Map">
<map name="Map">
<area shape="rect" coords="146,50,300,84" href="http://Hackerssite.com">
</map>
</body>
</html>

Note: href="http://Hackerssite.com" -> As soon as the uninformed victim clicks anywhere on the image, he is taken to the web server hosting a fake login page. "Easy yet effective" – a real-world phishing attack demonstrated.

URL as Button Trick – The displayed URL is contained in the text label of a form button. The button itself is styled to match the email background so that only the button text shows. Since it is a form element, the fake URL does not appear in the status bar of the email client; when the mouse is brought over the button, the attacker uses an onmouseover HTML attribute to forge the link shown in the status bar.
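The image-map and button tricks live in the mail's HTML rather than in the link itself, so a defender has to check the markup: for every clickable element, compare the real destination with what the reader is shown. The following is an added example, not code from the original post; the sample mail body, the LinkAuditor class and all hosts in it are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed e-mail body exercising the image-map and form-button tricks
# (all hosts are placeholders, not real sites).
SAMPLE_MAIL = """
<p>Verify at <a href="http://203.0.113.102/verify">http://www.citybank.com/verify</a></p>
<img src="cid:banner" usemap="#Map">
<map name="Map"><area shape="rect" coords="146,50,300,84" href="http://hackerssite.example"></map>
<form action="http://203.0.113.102/login"><input type="submit" value="http://www.ebay.com/signin"
 onmouseover="window.status='http://www.ebay.com/signin'; return true"></form>
"""

class LinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._form, self._href, self._text = [], "", None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and "href" in a:
            self._href, self._text = a["href"], []
        elif tag == "area" and "href" in a:            # image-map click area
            self.findings.append(("image-map", a["href"], a.get("coords", "")))
        elif tag == "form" and "action" in a:
            self._form = a["action"]
        elif tag == "input" and a.get("type") == "submit":
            if "onmouseover" in a:                     # status bar forged on hover
                self.findings.append(("status-bar-forged", self._form, a["onmouseover"]))
            self.findings.append(("form-button", self._form, a.get("value", "")))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.findings.append(("anchor", self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(html):
    """(kind, real destination, what was shown) for every image-map area, forged
    status-bar hover, and link or button whose visible URL names a different host."""
    out, parser = [], LinkAuditor()
    parser.feed(html)
    for kind, real, shown in parser.findings:
        if kind in ("image-map", "status-bar-forged") or ("://" in shown and
                urlsplit(shown).netloc.lower() != urlsplit(real).netloc.lower()):
            out.append((kind, real, shown))
    return out
```

Run on SAMPLE_MAIL it reports the mismatched anchor, the image-map area, the forged hover handler and the form button, in document order.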

URL Redirection Tricks – Uses the redirection capability of a known provider to send the user to the phishing site. Redirection is used by many larger sites such as Yahoo, MSN and Citibank.
Example: http://r.aol.com/cgi/redir?http://www.ebay_secure.info/update_user

Double Redirect Tricks –
Combines the simple redirect method with a URL masking service such as cjb.net or tinyurl.com. The masking service assigns the user an alias for their URL.

Example: http://r.aol.com/cgi/redir?http://jne9rrfj4.CjB.neT/?uudzQYRgY1GNEn
First sends to: http://r.aol.com/cgi/ and then
Redirected to: http://jne9rrfj4.CjB.neT/?uudzQYRgY1GNEn (cjb.net)
Redirected to: the intended site, through the cjb.net redirection service
The actual URL is stored at cjb.net and is accessed through the cjb.net alias.
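The URL-level tricks described above (credible strings, the @ sign, percent/hex/dword/octal encoding, raw IP hosts and redirect parameters) can all be spotted by parsing the link the way a browser does and comparing the effective host with what the text suggests. The following is an added example, not code from the original post; the sample URLs, the BRANDS list and the documentation-range hosts are constructed. It assumes the @ sits in the authority part, before the first /, which is the position a standards-conforming parser requires for the left-hand side to be treated as userinfo.

```python
import re
import ipaddress
from urllib.parse import urlsplit, unquote

# Brand names the tricks in the post borrow for credibility (constructed list).
BRANDS = ("ebay", "visa", "citybank")

def real_host(url):
    """Host the browser really connects to: percent-decode the authority,
    drop any userinfo left of the last '@', drop the port, lower-case it."""
    netloc = unquote(urlsplit(url).netloc)
    return netloc.rsplit("@", 1)[-1].split(":", 1)[0].lower()

def decode_numeric_host(host):
    """Normalise hex (0xcb007166), dword (3405803878) and dotted-octal
    (0313.0000.0161.0146) hosts to dotted-quad; other hosts are returned as-is."""
    try:
        if re.fullmatch(r"0x[0-9a-f]+", host):
            return str(ipaddress.IPv4Address(int(host, 16)))
        if re.fullmatch(r"\d+", host):
            return str(ipaddress.IPv4Address(int(host)))
        if re.fullmatch(r"(0\d+\.){3}0\d+", host):
            quad = ".".join(str(int(p, 8)) for p in host.split("."))
            return str(ipaddress.IPv4Address(quad))
    except ValueError:          # bad octal digit or value outside the IPv4 range
        pass
    return host

def analyze(url):
    """Return (effective host, [flags]) for the obfuscation tricks in the post."""
    parts, flags = urlsplit(url), []
    if "@" in parts.netloc:
        flags.append("userinfo-before-@")
    if "%" in parts.netloc:
        flags.append("percent-encoded-host")
    raw = real_host(url)
    host = decode_numeric_host(raw)
    if host != raw:
        flags.append("numeric-host-encoding")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        flags.append("raw-ip-host")
    if re.search(r"https?://", parts.query):
        flags.append("embedded-redirect-url")
    if any(b in url.lower() and b not in host for b in BRANDS):
        flags.append("brand-name-outside-host")
    return host, flags
```

The hex, dword and dotted-octal forms 0xCB007166, 3405803878 and 0313.0000.0161.0146 all resolve to the same effective host 203.0.113.102, which is what the victim's browser would contact.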

