Phishing - Mask URLs with ASCII

So let's say you want to send out an e-mail with a link to a nefarious/work-inappropriate site without it being blatantly obvious to the recipient.  Or let's say you're a bottom feeder of the world and want to target hard-working people with a "phishing" e-mail. 

First let's assume the page is a truly evil page.  Perhaps it's an .html mock-up of a popular site's login page (or credit card payment screen), but when users input information into the fields it doesn't log them in or fulfill their purchase as they expect. It could do any number of things with the data they've revealed - perhaps e-mailing the site administrator the sensitive data they've just entered into the site.

A lot of recipients nowadays are too tech savvy to simply click on a link to  Maybe they're clever and hover over the link in the e-mail to see where it's really leading them.  Enter the ASCII character set.

Send them a link to this:


Go ahead and paste it into the address field of your browser window and it'll bring you to my humble corner of the Internet.  Why?

First a note about ASCII.  ASCII is a numerical code in which each number represents a basic character, and it is widely used in the United States.  Because it ranges from 0 to 127, each character can be stored in seven bits.  Google "ASCII character table" and you'll get an abundance of responses so I won't replicate efforts here.

Feeding these bits into a browser will bring your unsuspecting user to the same as if they had fed this into the address field on their browser to begin with.

If you're not keeping up here's the key:

Again - look to Google to get the complete ASCII table.

If it's a .com domain you could probably get there without the three leading and three trailing characters.

Phishing e-mails leverage this tactic to mask one or more characters in the insidious URL they're trying to get us to click on.  Combine this with the @ sign vulnerability in my other phishing post and you could really fool someone into going to an unsafe or inappropriate page.
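
A defender-side check for the masking described above, as an added example that is not part of the original post. It assumes the ASCII codes are written as %XX hex escapes (standard URL percent-encoding) and flags links that escape plain letters, digits or dots, which never need escaping under RFC 3986; the function names and the example.com links are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# RFC 3986 "unreserved" characters never need escaping, so finding them
# written as %XX in a link points to deliberate masking.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                 "0123456789-._~")
ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")

def needless_escapes(text):
    """Return the %XX escapes in text that decode to unreserved ASCII."""
    return [m.group(0) for m in ESCAPE.finditer(text)
            if chr(int(m.group(1), 16)) in UNRESERVED]

def normalize(text):
    """Decode only the needless escapes; real ones (e.g. %20) are kept."""
    def repl(m):
        ch = chr(int(m.group(1), 16))
        return ch if ch in UNRESERVED else m.group(0)
    return ESCAPE.sub(repl, text)

def analyze_link(url):
    """Report where a link hides plain characters behind ASCII escapes."""
    parts = urlsplit(url)
    raw_host = parts.hostname or ""   # escapes in the host are left undecoded
    host_hits = needless_escapes(raw_host)
    path_hits = needless_escapes(parts.path + parts.query)
    return {
        "host": normalize(raw_host),          # what the user would really reach
        "normalized": normalize(url),         # readable form for an analyst
        "host_escapes": len(host_hits),
        "path_escapes": len(path_hits),
        "suspicious": bool(host_hits or path_hits),
    }

# Constructed sample links (example.com is a reserved documentation domain).
SAMPLES = [
    "http://%77%77%77.%65%78%61%6d%70%6c%65.%63%6f%6d/login",  # masked host
    "https://www.example.com/%6c%6f%67%69%6e",                  # masked path
    "https://www.example.com/search?q=a%20b",                   # normal escape
]

if __name__ == "__main__":
    for link in SAMPLES:
        result = analyze_link(link)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{verdict:10} {link} -> {result['normalized']}")
```

A mail filter or link-rewriting proxy can run this on every href and show the normalized form to the recipient or analyst instead of the escaped one.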