Thursday, Dec 17, 2009

Phishing - Mask URLs

I recently uncovered a trick to mask the true location of URLs - relatively old, but new to me: BASE10 addresses.

I would think this is great for phishing attacks or getting colleagues to inadvertently click on work-inappropriate hyperlinks.

For the sake of argument let's assume that www.microsoft.com is a link to a *really* ghastly, inappropriate site and/or a site that I've set up to mimic the look and feel of a familiar site that I want you to input your credit card information into.  (When in fact it's the home page of the manufacturer of the most popular browser on the planet.)

If you hover over a hyperlink in an e-mail message a tooltip usually reveals the underlying address.  Most users are tech savvy enough not to click on the link when the tooltip reveals a URL that is obviously inappropriate, but what if you could mask the link (e.g. with a tinyurl address, or IP address)?

So if I wanted someone to navigate to a very inappropriate site without them immediately knowing I'd instead send them a link to this:

1094129146

Try it. Paste it into your address bar and you'll arrive at www.microsoft.com. Why?

Well first ping www.microsoft.com - don't forget to include the "www".  The IP address it resolves to will work in your browser's address field.  "1094129146" is simply a different format of it.

An IP address is four numbers separated by periods, each between 0 and 255, called octets (so each octet has 256 possible values).

Take the first octet of the IP address and multiply it by 256 to the third power. Add the second octet multiplied by 256 to the second power, then add the third octet multiplied by 256. Finally, add the value of the fourth octet.

Let's say your IP address is a.b.c.d then your formula for finding the BASE10 address would be (a*256^3)+(b*256^2)+(c*256)+(d).
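As an added example that is not part of the original post, here is that formula and its inverse in Python, cross-checked against the standard library's ipaddress module. The function names are my own, and the dotted address in the usage lines is computed from the post's number rather than taken from the page.

```python
import ipaddress


def ip_to_decimal(dotted: str) -> int:
    """Convert a dotted-quad IPv4 string to its base-10 integer form.

    Implements the post's formula: (a*256^3) + (b*256^2) + (c*256) + d.
    Raises ValueError for anything that is not four octets in 0..255.
    """
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets, got {dotted!r}")
    octets = []
    for p in parts:
        if not p.isdigit():
            raise ValueError(f"non-numeric octet {p!r} in {dotted!r}")
        n = int(p)
        if not 0 <= n <= 255:
            raise ValueError(f"octet {n} out of range in {dotted!r}")
        octets.append(n)
    a, b, c, d = octets
    return (a * 256**3) + (b * 256**2) + (c * 256) + d


def decimal_to_ip(value: int) -> str:
    """Inverse of ip_to_decimal: recover the dotted quad from the integer.

    Repeated divmod by 256 peels the octets off, least significant first,
    so the list is reversed before joining.
    """
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"{value} does not fit in 32 bits")
    octets = []
    for _ in range(4):
        value, octet = divmod(value, 256)
        octets.append(octet)
    return ".".join(str(o) for o in reversed(octets))


def cross_check(dotted: str) -> bool:
    """Confirm the hand-rolled formula agrees with the standard library."""
    return ip_to_decimal(dotted) == int(ipaddress.IPv4Address(dotted))


if __name__ == "__main__":
    # 1094129146 is the integer from the post; the dotted form below is
    # derived from it here, not looked up (whatever it resolved to in 2009).
    print(decimal_to_ip(1094129146))      # 65.55.21.250
    print(ip_to_decimal("65.55.21.250"))  # 1094129146
    print(cross_check("65.55.21.250"))    # True
```

Running decimal_to_ip on the post's number is the quick way to see which host a bare-integer link really points at before anyone clicks it.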

So, again, assuming that www.microsoft.com is a highly inappropriate or harmful link, I can now send an e-mail with the subject Check This Out!  OMG!!11!!! which contains the link to 1094129146 - which as we now know is really www.microsoft.com.

But that's not all:

Let's say I sent a link out in the e-mail like this:  http://www.cnn.com@1094129146.

Now...this will not work in IE8, but try it in Chrome. Chrome effectively ignores everything in the URL preceding the @ character, so it will take you to www.microsoft.com despite the leading http://www.cnn.com in the address.
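The reason the @ trick works is that URL syntax (RFC 3986) defines everything between "//" and "@" as userinfo, not the host, so "www.cnn.com" is just a username and the real host is what follows. As an added example that is not part of the original post, the check below uses Python's urllib.parse and ipaddress to report what a link would actually connect to and to flag the two disguises the post describes: a userinfo prefix and a bare-integer host. The function name inspect_link is my own; the sample URLs are the ones from the post.

```python
import ipaddress
from urllib.parse import urlsplit


def inspect_link(url: str) -> dict:
    """Describe the host a browser would really connect to for a link.

    Returns the userinfo (text before '@', if any), the parsed host, a
    normalized dotted form when the host is a bare integer, and a list of
    warnings that a mail filter or awareness tool could surface.
    Assumption: a link with no scheme is treated as http://.
    """
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = parts.hostname or ""
    warnings = []

    # Anything before '@' in the authority is userinfo; browsers that honour
    # it connect to the host after the '@', whatever the prefix looks like.
    userinfo = None
    if "@" in parts.netloc:
        userinfo = parts.netloc.rpartition("@")[0]
        warnings.append(
            f"userinfo {userinfo!r} precedes '@'; real host is {host!r}"
        )

    normalized = host
    if host.isdigit():
        # Bare integer host: the base-10 form from the post.
        try:
            normalized = str(ipaddress.IPv4Address(int(host)))
            warnings.append(f"bare integer host {host} is IPv4 {normalized}")
        except ipaddress.AddressValueError:
            warnings.append(f"integer host {host} exceeds 32 bits")
    else:
        # Dotted (or IPv6) literal instead of a domain name.
        try:
            ipaddress.ip_address(host)
            warnings.append(f"host {host} is a raw IP literal, not a name")
        except ValueError:
            pass

    return {
        "userinfo": userinfo,
        "host": host,
        "normalized_host": normalized,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for link in ("1094129146", "http://www.cnn.com@1094129146",
                 "https://www.example.com/path"):
        print(link, "->", inspect_link(link))
```

Run over the links in an incoming message, the warnings list is empty for an ordinary named host and non-empty for both forms the post uses, which is the property a filter or a training exercise wants.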

I plan on sending all my colleagues who swear by Chrome an e-mail tomorrow.  Something with the subject Check This Out!  OMG!!11!!!...perhaps a message body of Microsoft buys Google! and the link:  http://www.google.com@1094129146