URL Hiding - new method of URL Spoofing attacks

22:48 03.08.2009

This is English version of my URL Hiding - new method of URL Spoofing attacks article.

In continue of my researches of vulnerabilities in search engines, I tell you about new interesting method of URL Spoofing attacks, which I called URL Hiding. It can be used for conducting of fishing attacks and for spreading of malware (particularly it can be used with previously described methods). This URL Hiding attack I found in Google, but other search engines also can be vulnerable.

This month, 19.05.2009, during searching in Google, I found interesting site, which not shows its URL in serp. I saw such sites earlier during using of Google (from 2000), but it’s first site which address I wrote down. This site is http://_-lilit-_.photosight.ru.

site:_-lilit-_.photosight.ru

In case when URL Hiding is using together with URL Spoofing methods, which I wrote about earlier (when long URL is made, e.g. with using of “_” char), then it improves the effectiveness of fishing and others attacks. Because long and suspicious URL will not be shown in serp of search engine, and when user will go by the link, then he can to not notice the URL (via using of URL Spoofing methods).

As I thought first, when using of underscore (like in case of http://_-lilit-_.photosight.ru), Google will not show address in serp at all. But there is no such effect in case of http://ane4ka-_.shalala.ru. Potentially it works only in case, if first char of domain is underscore.

I made a lot of researches when I was looking for sites with underscores, which hasn’t URL in serp, but didn’t find any such sites (but found one interesting bug in Google). So method of attack on Google for hiding of address of sites in serp can use this (with underscore at the beginning of domain), or other approach. But in any case URL Hiding attack is dangerous, because it allows to use search engines (Google in particular) for conducting of fishing and other attacks.


Leave a Reply

You must be logged in to post a comment.