Interesting URL Schema Abuse Patterns (Merry Phishmas)

- taking a known public IP
- converting that address to decimal. 
  (a calculator I found that works can be found here https://www.ipaddressguide.com/ip) 
- pasting the number in your browser's address bar after `http:`

I was able to find this decimal number by pinging google and using the IP address in the linked calculator site.

Another interesting feature of the schema and the other half of the technique behind the structure of the phishing links that I will demonstrate at the end of this post is that the  @ symbols parse with everything to the left of them as user names used for basic auth which may just be ignored if it’s not implemented at the web site the user is eventually brought to. For example a link like this http://definitely_not_google_dot_com@2398793732 will still take you to the google search landing page.

Where you can really make some convincing phish links with what we know so far is in applications that interpret unicode. For the example we’ll look at in this post, we’ll make use of the math symbol for division ∕ you can get a copy of it in your clip board and read about it’s purpose on this unicode wiki https://codepoints.net/U+2215

which actually looks like a link to a twitter post but it will actually take the victim to the google search page interpreting twitter.com∕john_stevens∕status∕ as a long user name.

The post Interesting URL Schema Abuse Patterns (Merry Phishmas) appeared first on SOC Prime.