We're all human. Which, for better or worse, means that we are far from perfect. Now we can look at that one of two ways: Accepting the way things are and have always been becoming content with the status quo. Or striving to always improve and better ourselves through knowledge and self-discipline. You may be asking, "When did this become a philosophy class on self-improvement?" And my answer would be when the bad guys out there became so good at successfully phishing off of our human error.
Now, in my years of doing security awareness training, I’ve always taught users to hover over links embedded in emails before clicking on them. When hovered over, links show their true destination, and users could then see if a link is taking them to the real website, or a fraudulent one. Unfortunately, criminals are improving their skills which means we must do the same.
It’s a great start to detect these fraudulent links and avoid phishing emails, which we all know, contributes to over 40% of the malware distribution on the Internet today, But maybe we need to rewind and review what a fraudulent link even looks like.
I mean, what good is looking at the link before you click, if you can’t accurately determine where it will actually take you?
Phishing artists are getting especially good at crafting fraudulent emails, and that includes creating believable, complicated domains and sub-domains that can be tricky to sort out. Because of these complexities, it takes some training at all levels of an organization to hone in this skill.
So, how do you spot a bad URL?
My recommended method is to find the domain of the web address as an assessment of the link’s validity. This will tell you if the link is taking you to the right website, or something entirely different.
This simple set of rules is an easy way to disassemble complex URLs and web addresses to determine its’ domain:
- Remove the http(s)://
- Find the last “.” before the first “/”
- The domain is the text directly before and after that “.”
- Include “-“ and “_” in the domain, they are not separators
- Assume a “/” at the end if one is not present
Let’s try it out on the address below:
https://members.citicards.com.relay4.net/account/balance.php
- Remove the http(s)://
https://members.citicards.com.relay4.net/account/balance.php
- Find the last “.” before the first “/”
https://members.citicards.com.relay4.net/account/balance.php
- The domain is the text directly before and after that “.”
https://members.citicards.com.relay4.net/account/balance.php
This appears to be a fraudulent URL.
And one more:
https://login.account_chase.com
- Remove the http(s)://
https://login.account_chase.com
- Find the last “.” before the first “/” (Remember: Assume a “/” at the end if one is not present)
https://login.account_chase.com/
- The domain is the text directly before and after that “.”
https://login.account_chase.com/
Wait, that’s not right...
- Remember: Include “-“ and “_” in the domain, they are not separators
https://login.account_chase.com/
This appears to be a fraudulent address also.
I hope you find this set of rules helpful. With a little practice, it will become second nature. Here are a few samples you can try on your own:
http://products.shop2win.us/amazon.com
https://drive.google.com/this_could_be_malicious.docx
http://hotmail.com.user-mail.ru/login
https://onlinebanking.mybank.com/887564433/user/login.aspx
If you feel like your workplace needs more practice in the matter consider upping your phishing testing and training. Over the years we have begun administering phishing training for many of our clients, not just once a year or on a quarterly basis, but continuously on a monthly basis. This has resulted in significant improvements in "click-rates" which makes all the difference. We recommend that you incorporate monthly testing and training into your information security program and see the results for yourself.
If this is something you'd be interested in but don't know where to start just email us at support@bedelsecurity.com. We administer testing and training and provide reports that can be passed along to the board, examiners, and auditors alike.