Phishers take advantage of common user behavior. They know that people often see what they expect to read rather than what actually appears in a message or hyperlink. They know that our brains silently correct misspellings, that our attention is selective (we often overlook repeated words), and that we stop reading scrupulously "beginning to end" once we encounter the word, name or string that we expect.
Visual deception in phishing attacks is more common today than many care to admit. Recent phishing campaigns such as the Unpaid Toll scams relied on it: the phishers included visually similar strings such as ezpass or ezdrive in their URLs, alongside the official E-ZPass name, to dupe text and email recipients. They could (and may) just as well use ezp-ass, e-z-pass, or expasss with similar success.
Phishers use other visual deceptions as well. For example, phishers will mimic URLs that web content management systems dynamically create. Below is a URL that Squarespace.com creates for one of our Interisle reports:
https://static1.squarespace.com/static/63dbf2b9075aa2535887e365/t/67448fb0ca887f100bc60f4e/1732546482023/CybercrimeSupplyChain2024.pdf
This conforms to the standard composition of a URL:
https:// is the scheme (protocol)
static1.squarespace.com is the hostname (static1 is a subdomain label of squarespace.com, the registrable domain)
/static is the first segment of the URL path (a directory where Squarespace stores images and files)
/63dbf2b9075aa2535887e365/t/67448fb0ca887f100bc60f4e/1732546482023/ is the remainder of the path, systematically generated by Squarespace's content management system
/CybercrimeSupplyChain2024.pdf is the final path segment, the PDF version of our report
Note that everything after the first slash following the hostname is path; the hostname ends at that slash.
Phishers mimic URLs that web content management systems generate dynamically, for example:
https://bankofpennsyltucky.com.86a4261d849a6e99b3c3a38f7585e3c7d4a91823.jmlt.top/727b219497204cedb818ed9a818cee8b/Login.php
The phisher has included the string "86a4261d849a6e99b3c3a38f7585e3c7d4a91823". This is meaningless to the average user, who has become desensitized to unreadable strings. BUT... such users will often fail to notice that, if this string were really part of the path, it would be separated from the hostname by a slash, not a period.
By using a period instead of a slash, the phisher has also created a deceptive host name:
bankofpennsyltucky.com.86a4261d849a6e99b3c3a38f7585e3c7d4a91823.jmlt.top
Many users will read no further than bankofpennsyltucky.com and will click the URL to visit this "banking login page". But the registrable domain name in this hostname, the name the phisher actually registered, is jmlt.top. The labels to the left of jmlt.top
bankofpennsyltucky
com
86a4261d849a6e99b3c3a38f7585e3c7d4a91823
are subdomain labels created by the phisher, who controls jmlt.top and can therefore invent any subdomain names at all. By including the "brand" (here, a fictitious Bank of Pennsyltucky) and the largest and most recognizable TLD (.COM) inside the hostname, the phisher has created a formidable deception.
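The decomposition above can be automated. The following Python script is an added example, not code from the original post or from Interisle: it splits a URL into scheme, hostname, registrable domain, subdomain labels and path segments, then checks the hostname for the three tricks discussed here (a brand name or TLD appearing as a subdomain label, and a long CMS-style hex string placed in the hostname rather than the path). It also normalizes labels so that hyphenated and letter-doubled lookalikes such as ezp-ass, e-z-pass and ezpasss match the brand. The Squarespace URL and the jmlt.top URL are the ones quoted in the post; the ezp-ass.top URL, the BRANDS set and the COMMON_TLDS set are constructed for the example. The registrable-domain logic is a deliberate simplification (last two labels) and does not consult the Public Suffix List, so it would mis-handle names such as example.co.uk.

```python
import re
from urllib.parse import urlsplit

# URLs quoted in the post (the bank is fictitious); the third is constructed.
LEGIT_URL = ("https://static1.squarespace.com/static/63dbf2b9075aa2535887e365/t/"
             "67448fb0ca887f100bc60f4e/1732546482023/CybercrimeSupplyChain2024.pdf")
PHISH_URL = ("https://bankofpennsyltucky.com.86a4261d849a6e99b3c3a38f7585e3c7d4a91823"
             ".jmlt.top/727b219497204cedb818ed9a818cee8b/Login.php")
LOOKALIKE_URL = "https://ezp-ass.top/pay/Login.php"  # constructed

# Well-known TLDs. One of these appearing in the MIDDLE of a hostname is a
# red flag: a period has been used where a slash would belong. Constructed, partial list.
COMMON_TLDS = {"com", "net", "org", "gov", "edu"}

# Brand strings to watch for. Constructed for this example; a real deployment
# would list the organisation's own names.
BRANDS = {"bankofpennsyltucky", "ezpass"}

# Long lowercase hex runs are what a CMS puts in a *path*. In a hostname they
# exist only to push the real registrable domain out of the reader's view.
HEX_RE = re.compile(r"^[0-9a-f]{24,}$")


def normalize(s: str) -> str:
    """Undo the tricks the post lists: drop hyphens and other punctuation, then
    collapse repeated characters, so ezp-ass, e-z-pass and ezpasss all become ezpas."""
    s = re.sub(r"[^a-z0-9]", "", s.lower())
    return re.sub(r"(.)\1+", r"\1", s)


NORMALIZED_BRANDS = {normalize(b): b for b in BRANDS}


def decompose(url: str) -> dict:
    """Split a URL into the parts a careful reader should look at."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()        # urlsplit lowercases the host
    labels = host.split(".") if host else []
    # Simplification: the last two labels are taken as the registrable domain.
    # Production code must use the Public Suffix List instead.
    registrable = ".".join(labels[-2:]) if len(labels) >= 2 else host
    return {
        "scheme": parts.scheme,
        "hostname": host,
        "registrable_domain": registrable,
        "subdomain_labels": labels[:-2],
        "path_segments": [seg for seg in parts.path.split("/") if seg],
    }


def suspicious_findings(url: str) -> list[str]:
    """Return one finding per deception pattern seen in the hostname."""
    d = decompose(url)
    findings = []
    first = d["registrable_domain"].split(".")[0]   # e.g. "jmlt" in jmlt.top
    for label in d["subdomain_labels"]:
        if label in COMMON_TLDS:
            findings.append(f"TLD-like label '{label}' inside the hostname")
        # A brand as a subdomain of some other registrable domain.
        if normalize(label) in NORMALIZED_BRANDS and normalize(label) != normalize(first):
            findings.append(f"brand-like label '{label}' is a subdomain of "
                            f"{d['registrable_domain']}, not the brand's own domain")
        if HEX_RE.match(label):
            findings.append(f"CMS-style hex string '{label[:8]}...' in the hostname "
                            "rather than in the path")
    # The registered name itself is a lookalike (ezp-ass.top) rather than the brand.
    brand = NORMALIZED_BRANDS.get(normalize(first))
    if brand and first != brand:
        findings.append(f"registrable domain label '{first}' is a lookalike of '{brand}'")
    return findings


if __name__ == "__main__":
    for u in (LEGIT_URL, PHISH_URL, LOOKALIKE_URL):
        d = decompose(u)
        print(u)
        print("  hostname:           ", d["hostname"])
        print("  registrable domain: ", d["registrable_domain"])
        print("  path segments:      ", d["path_segments"])
        for f in suspicious_findings(u):
            print("  !", f)
```

Run it and the Squarespace URL yields no findings, the jmlt.top URL yields three (brand label, .com label, hex label), and the constructed ezp-ass.top URL yields one. The check on the registrable domain is the important one: everything to the left of it is under the attacker's control, so a brand or TLD string there proves nothing.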
What should you take away from this decomposition of a phishing URL?
Deceptions remain a common phisher convention.
Visual deception - strings that look like a brand or recognizable Top-level Domain - remain popular.
Phishers obfuscate URLs; often they mimic the "messy URLs" that content management and delivery systems generate, both to deceive you and to defeat antispam measures.
And the lessons to learn?
Read the entire URL.
Read what is displayed, not what you expect to be displayed.
Become familiar with the components and syntax of URLs: pay attention to periods and slashes.
Resist the temptation to stop reading once you've encountered a brand or familiar string of characters in URLs.
These lessons apply when users can see URLs, but what can users do with QR codes or shortened links?
If present, use your mobile phone camera’s domain preview feature.
Use a QR scanner app or web service that previews the URL and asks you to confirm before it redirects you to the web page. Examine the previewed URL as I recommend above.
Use shortened-URL checkers or link expander services, and examine the expanded URL the same way.
Be safe.