COEN 152 Computer Forensics: URL Obscuring
Internet-based fraud is quickly gaining in importance. Perpetrators can hide web servers in three different ways: (1) by obscuring the URL, (2) at the host, and (3) via the network. In the first mode, perpetrators use some less understood features of universal resource locators (URLs) to guide their victims to their own website, typically to fill out a form with data useful for identity theft. Secondly, it is possible to hide the host of a web service, and thirdly, a perpetrator can use networking protocols to hide a service.
A universal resource locator typically consists of three parts: the service, the address of the server, and the location of the resource. For example, this web page (at the time of writing) was located at
http://www.cse.scu.edu/~tschwarz/coen252_03/Lectures/URLObscuring.html
The first part (http://) indicates the hypertext transfer protocol, the second (www.cse.scu.edu) is the server, and the rest of the string is the location of the page on the server. To tag this string explicitly as a URL, it may even be prefixed with "URL:". The actual URL syntax is more complicated than this and contains optional components:
The first element is the scheme, followed by a colon and a double forward slash.
An optional user name and password may follow the scheme. The password (if present) follows the user name, separated from it by a colon; both are followed by the "at" sign (@). For example
http://tschwarz:fiddlesticks@www.cse.scu.edu/~tschwarz/coen252_03/Lectures/URLObscuring.html
inserts a user name (tschwarz) and the user's password (fiddlesticks). If the service does not require a password, then the portion between the double slashes and the "at" sign is ignored.
The internet domain name in RFC 1037 format, or the IP address as four dot-separated decimal numbers.
An optional port number, in decimal notation, can follow the internet domain name, separated from it by a colon.
The rest of the locator is the path. The path may define details of how the client should communicate with the server, including information to be passed transparently to the server without any processing by the client.
A large class of internet-based fraud steals personal data by enticing a victim to give out this data. Typically, the victim is made to believe that (s)he is giving this data to a reputable organization. A typical fraud invites potential victims by email to go to a website that supposedly belongs to the reputable organization. Using any of the tools available to obscure URLs, the victim is instead guided to a website belonging to the criminals. Since web pages can be copied, it is easy to alter a genuine web page and provide a link to another page that actually gathers the data. In a well-organized fraud, the website leaves no links to the criminals.
The second large class of internet-based crime is the selling of child pornography. Using the port-number or the user-password field, a child pornography site can hide behind a legitimate pornography site. Of course, a pornography site can also contain methods to navigate to a criminal site.
Phishing uses spoofed email to lure victims to fake web pages, usually for purposes of identity theft. A successful phishing attack needs to fool its victims twice: first, that the email and the link are legitimate, and second, that the website is correct. Phishing pays off even if only a small percentage of targets falls victim to the scam.
See Antiphishing Working Group Website.
A somewhat simplistic method to deceive a victim embeds URLs in other documents. Microsoft in particular has sponsored the idea of seamless computing, where programs embed data in other data. This has not only opened up security problems (opening an email triggers the running of programs embedded in the email), but it can also be used for fraud. For example, a Word document might contain a URL. Clicking on the URL brings the reader to the website. Since Word allows us to change the font color, part of a URL can be visible and the rest not. For example, the URL of the fraudulent site is
http://www.usfca.edu@www.cse.scu.edu/~tschwarz/coen252_03/Lectures/URLObscuring.html
The portion between the double slashes and the @ sign is of course disregarded. If we put this string into a Word document and use a white font for the tail of the string starting with the @, then we give the impression of a false URL, namely the site of the University of San Francisco. An investigator of internet fraud should therefore perform a forensic examination of the victim's machine whenever there is a chance of recovering the true URL.
Obscuring the URL to deceive a victim about the true address of the website is fairly easy, thanks to the user-password field and the possibility of encoding the actual name of the site in ASCII (or other codes). Assume that the fraudulent site is www.scu.edu. Its IP address is 129.210.2.1, which written as a single decimal number is 129*256**3 + 210*256**2 + 2*256 + 1 = 2178023937. Thus, the criminal wants to entice the victim to visit the website http://2178023937. This is a perfectly valid address. To hide it, the criminal puts in some bogus user/password data:
http://www.usfca.edu@2178023937
This will not work when put into the latest IE browser, but it works as a link.
However, this version will work:
http://www.usfca.edu@129.210.2.1
To hide the @ as well, its percent-encoded ASCII code (%40) can be used instead, as in
http://www.usfca.edu%40129.210.2.1
Very few users are sophisticated and alert enough to spot this as a suspicious URL that does not go to the USF website. The criminal can also use ASCII encoding to break up the name, as in
http://www.usfca.edu%40%127%167w.scu.edu
which again might not work from a browser. Here, we used only two ASCII characters to hide parts of the name.
A wave of phishing attacks sends out spam with the following (or a similar) message.

The whole text is an image, not just the link. If the mouse hovers over it, it will even display the legitimate URL in the tooltip and the status bar, because the image is indeed linked to the legitimate URL of Citibank's online operation. But the whole image is surrounded by an HTML rectangle box, to which the phishers have linked the fraudulent web page. The URL of that web page is even encoded, so that just looking at the HTML source code does not directly reveal the real URL; a typical link is http://%34%2E%33%34%2E%31%39%35%2E%34%31:%34%39%30%33/%6C/%69%6E%64%65%78%2E%68%74%6D.
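To show how the obscured links above (the decimal-number host, the %40 substitute for @, and the fully percent-encoded Citibank link) can be unwound during an investigation, here is an added Python helper; it is example code written for these notes, not part of the lecture or of any tool it mentions. It assumes only the standard library and applies the rule the text describes: escapes in the authority are decoded first, then everything up to the last @ is discarded as decoy userinfo.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

def dword_to_dotted(host):
    """A host written as one decimal number (2178023937) is 129.210.2.1 in dotted form."""
    if host.isdigit() and int(host) < 2 ** 32:
        return str(ipaddress.IPv4Address(int(host)))
    return host

def deobfuscate(url):
    """Recover the host a client would really connect to, with a list of warning signs."""
    findings = []
    parts = urlsplit(url)
    netloc = parts.netloc
    if "%" in netloc:
        findings.append("percent-escapes in the authority part")
        netloc = unquote(netloc)          # %40 turns into @ before the userinfo split
    if "@" in netloc:
        decoy, netloc = netloc.rsplit("@", 1)
        findings.append(f"decoy userinfo '{decoy}' (ignored by the server)")
    host, _, port = netloc.partition(":")
    host = dword_to_dotted(host)
    if not host.isprintable():
        # e.g. %127: an escape takes exactly two hex digits, so %12 decodes and '7' is left over
        findings.append("host contains control characters (malformed escapes)")
    else:
        try:
            ipaddress.ip_address(host)
            findings.append("numeric host instead of a domain name")
        except ValueError:
            pass
    if port and port != "80":
        findings.append(f"non-default port {port}")
    path = unquote(parts.path) or "/"
    resolved = f"{parts.scheme}://{host}{':' + port if port else ''}{path}"
    return {"host": host, "port": port or "80", "path": path,
            "resolved": resolved, "findings": findings}

if __name__ == "__main__":
    # The links quoted in the lecture, run through the helper.
    for link in ("http://www.usfca.edu@2178023937",
                 "http://www.usfca.edu%40129.210.2.1",
                 "http://%34%2E%33%34%2E%31%39%35%2E%34%31:%34%39%30%33"
                 "/%6C/%69%6E%64%65%78%2E%68%74%6D"):
        r = deobfuscate(link)
        print(r["resolved"], "|", "; ".join(r["findings"]))
```

Run on the octal-style link from the text (%127%167), the helper reports control characters in the host rather than www.scu.edu, which is why that variant does not work from a browser.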

Similar tricks can be used to deceive the victim once he has reached the target web page. The Visa phish from Sept. 30, 2004 had a web page that overwrote the address bar with another window showing a different URL.
As you can see, phishers are creating websites that are indistinguishable from real websites, and they can create links that hide the true URLs. Ultimately, the solution to phishing is to have authenticated email. In the meantime, not using links embedded in email and documents is the best protection against falling victim to phishing expeditions.
The "hosts" file in Windows and other operating systems is used to associate host names with IP addresses. The OS first checks the hosts file on the local computer in order to resolve a human-readable name such as www.cse.scu.edu to its IP address, 129.210.17.215 in our case. Only after that will the OS contact a Domain Name System (DNS) server in order to obtain the correct IP address.
The hosts file exists in order to avoid costly DNS lookups. It can also be used to block certain sites by associating their name with the local host address 127.0.0.1. This technique blocks requests to advertisement sites or to tracking sites. The hosts file can be found at the following locations:
Operating System | Location
Linux | /etc/hosts
Windows 95/98/Me | c:\windows\hosts
Windows NT/2000/XP Pro | c:\winnt\system32\drivers\etc\hosts
Windows XP Home | c:\windows\system32\drivers\etc\hosts
Table 1: Location of hosts file for various OS.
A criminal who gains administrator privileges on a system can change the hosts file to associate an address with an arbitrary website. An investigator is well advised to check the hosts file in case of internet fraud, especially one committed on a publicly accessible machine.
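The check recommended above can be scripted. The following is an added example, not part of the lecture: it parses hosts-file content (constructed inline, using the real www.cse.scu.edu address from the text and invented .test names) and reports every name that is answered locally with something other than a sinkhole address or the address the investigator expects.

```python
import ipaddress

# Constructed hosts-file content for this demonstration; not copied from any real machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.tracker.test          # blocks an advertisement host
0.0.0.0         stats.tracker.test
129.210.17.215  www.cse.scu.edu           # agrees with the address in the text
10.0.0.5        www.example-bank.test login.example-bank.test
"""

def parse_hosts(text):
    """Yield (ip, name) pairs, one per alias, skipping comments, blanks and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield ip, name.rstrip(".").lower()

def triage_hosts(text, known=None):
    """Classify each mapping as local, blocked, expected (matches `known`) or REDIRECT.

    `known` maps a name to the address it should have, e.g. from a DNS query made on a
    trusted network; it is constructed by the caller here since the example runs offline.
    """
    known = known or {}
    report = []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            verdict = "local"
        elif ip.is_loopback or ip.is_unspecified:
            verdict = "blocked"            # 127.0.0.1 / 0.0.0.0 sinkhole: the blocking use
        elif known.get(name) == str(ip):
            verdict = "expected"
        else:
            verdict = "REDIRECT"           # a name answered locally with some other address
        report.append((name, str(ip), verdict))
    return report

if __name__ == "__main__":
    for name, ip, verdict in triage_hosts(SAMPLE_HOSTS, {"www.cse.scu.edu": "129.210.17.215"}):
        print(f"{verdict:9} {ip:16} {name}")
```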
DNS Server Sabotage: There have been successful attacks on DNS servers. Even more disconcerting is the fact that a machine can advertise itself as a DNS server on a network and find customers. This allows the perpetrator to redirect innocuous requests to a website of his choosing.
IP Forwarding: A number of commercial services (free DNS, MyID.ca) exist that forward requests to another web address. Depending on the logging provided at these sites, it might be difficult to trace transactions that happened more than a month ago.
Port Forwarding: Since URLs allow the specification of the port, and since services running on a machine are free to bind to any port they choose, it is possible to run a legitimate business ("normal adult pornography") as a web server on the default port and an illegal business ("child pornography") on a different port. Screen clicks are another way to guide the criminal user to the illegal site, by clicking on a feature as small as a single pixel. If programmed in straight HTML, these features are easy to find; the investigator merely has to look at the source code. However, if scripts are used, then the code needs to be scanned. Finally, password screens allow the criminal to grant access to the illegal site based on the username or the password entered.
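For the "straight HTML" case mentioned above, the following added example (written for these notes, not the lecture's code) scans page source for one-pixel image links and tiny image-map areas, the kind of single-pixel feature an investigator would look for; the HTML fragment and its hosts are constructed.

```python
from html.parser import HTMLParser
# Constructed page fragment: a normal link, a one-pixel image link and a tiny
# image-map area; the small targets lead to a different host and port.
SAMPLE_HTML = """
<a href="http://www.example-shop.test/">Enter the site</a>
<a href="http://10.0.0.5:8081/members/"><img src="dot.gif" width="1" height="1"></a>
<img src="banner.gif" width="468" height="60" usemap="#m">
<map name="m">
<area shape="rect" coords="0,0,1,1" href="http://10.0.0.5:8081/members/">
<area shape="rect" coords="0,0,468,60" href="http://www.example-shop.test/">
</map>
"""

def _px(value):
    return int(value) if value and value.isdigit() else 0   # missing or '100%' counts as 0

class TinyLinkFinder(HTMLParser):
    """Collect links whose clickable surface is at most max_px pixels in both dimensions."""
    def __init__(self, max_px=2):
        super().__init__()
        self.max_px = max_px
        self.current_href = None          # href of the <a> we are inside, if any
        self.hits = []                    # (href, reason)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self.current_href = a.get("href")
        elif tag == "img" and self.current_href:
            w, h = _px(a.get("width")), _px(a.get("height"))
            if 0 < w <= self.max_px and 0 < h <= self.max_px:
                self.hits.append((self.current_href, f"{w}x{h} image inside a link"))
        elif tag == "area" and a.get("href") and a.get("shape", "rect") == "rect":
            nums = [_px(v.strip()) for v in a.get("coords", "").split(",")]
            if len(nums) == 4:
                w, h = abs(nums[2] - nums[0]), abs(nums[3] - nums[1])
                if w <= self.max_px and h <= self.max_px:
                    self.hits.append((a["href"], f"{w}x{h} image-map area"))

    def handle_endtag(self, tag):
        if tag == "a":
            self.current_href = None

def find_tiny_links(html, max_px=2):
    """Return [(href, reason)] for every link target too small to be meant for the eye."""
    finder = TinyLinkFinder(max_px)
    finder.feed(html)
    finder.close()
    return finder.hits
```

Script-driven navigation is not covered by this parser; as the text says, scripts have to be read separately.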
©2004 Thomas Schwarz, S.J., COEN, SCU