Author Topic: New Potential Scam Pitfall (Read 1378 times)

SuperFlyer · « **on:** March 26, 2024, 04:33:19 AM »

I just saw a new (to me) way that people can scam you:

A legit website, followed by @ then another site, it will go to the second one...
Example: https://google.com@t.ly/lUIOY

So usually it was enough to make sure that the beginning of the url is legit, but it seems no longer enough.

Maybe this has been around a while, but I've never come across it before.

argo · « **Reply #1 on:** March 26, 2024, 08:23:22 AM »

Like the link for the British airway flight giveaway?

SuperFlyer · « **Reply #2 on:** March 26, 2024, 08:24:59 AM »

Quote from: argo on March 26, 2024, 08:23:22 AM

Like the link for the British airway flight giveaway?

Well, a recent one yes,
Before it was something like www.britìshairways.com
Note: the second "i"

SuperFlyer · « **Reply #3 on:** March 26, 2024, 08:28:14 AM »

Seems like the link was broken

Quote from: SuperFlyer on March 26, 2024, 04:33:19 AM

Example: https://google.com@t.ly/lUIOY

yelped · « **Reply #4 on:** March 26, 2024, 10:28:52 AM »

Quote from: SuperFlyer on March 26, 2024, 04:33:19 AM

I just saw a new (to me) way that people can scam you:

A legit website, followed by @ then another site, it will go to the second one...
Example: https://google.com @T.ly/lUIOY

So usually it was enough to make sure that the beginning of the url is legit, but it seems no longer enough.

Maybe this has been around a while, but I've never come across it before.

That's because you always have to look at the TLD (top level domain). This is just another way of obfuscating the root domain. Just train yourself to always look to the left of the last period and ignore everything else following and preceding.

SuperFlyer · « **Reply #5 on:** March 26, 2024, 10:29:46 AM »

Quote from: yelped on March 26, 2024, 10:28:52 AM

That's because you always have to look at the TLD (top level domain). This is just another way of obfuscating the root domain. Just train yourself to always look to the left of the first period and ignore everything else following and preceding.

That was enough, UNTIL now, as I explained.
Click on the link I provided.

avromie7 · « **Reply #6 on:** March 26, 2024, 10:34:59 AM »

Quote from: yelped on March 26, 2024, 10:28:52 AM

That's because you always have to look at the TLD (top level domain). This is just another way of obfuscating the root domain. Just train yourself to always look to the left of the first period and ignore everything else following and preceding.

This is wrong. You need to look to the left and right of the last period before the /

SuperFlyer · « **Reply #7 on:** March 26, 2024, 10:40:56 AM »

Quote from: avromie7 on March 26, 2024, 10:34:59 AM

This is wrong. You need to look to the left and right of the last period before the /

The right ?
That could be hundreds of characters.
Make sure there is no @ after the /.

avromie7 · « **Reply #8 on:** March 26, 2024, 10:50:11 AM »

Quote from: SuperFlyer on March 26, 2024, 10:40:56 AM

The right ?
That could be hundreds of characters.
Make sure there is no @ after the /.

Incorrect. The first / is always the end of the domain. See my example URL below, this will go to a (non-existent) subdomain of google.com
Https://junk.junk.junk.more.junk.google.com/wastedspace@scam.com

SuperFlyer · « **Reply #9 on:** March 26, 2024, 10:52:22 AM »

Quote from: avromie7 on March 26, 2024, 10:50:11 AM

Incorrect. The first / is always the end of the domain. See my example URL below, this will go to a (non-existent) subdomain of google.com
Https://junk.junk.junk.more.junk.google.com/wastedspace@scam.com

It is what I'm saying.

AsherO · « **Reply #10 on:** March 26, 2024, 10:56:53 AM »

Quote from: SuperFlyer on March 26, 2024, 04:33:19 AM

I just saw a new (to me) way that people can scam you:

A legit website, followed by @ then another site, it will go to the second one...
Example: https://google.com @T.ly/lUIOY

So usually it was enough to make sure that the beginning of the url is legit, but it seems no longer enough.

Maybe this has been around a while, but I've never come across it before.

What is this @ in URL and why do browsers support it? What's the legit function for it?

ETA: Looks like it's a hack that hijack's the original intent (authority/credentials)

Euclid · « **Reply #11 on:** March 26, 2024, 10:57:28 AM »

Quote from: AsherO on March 26, 2024, 10:56:53 AM

What is this @ in URL and why do browsers support it? What's the legit function for it?

basic auth I guess?

AsherO · « **Reply #12 on:** March 26, 2024, 10:59:35 AM »

Quote from: Euclid on March 26, 2024, 10:57:28 AM

basic auth I guess?

That's what it looks like. Looks like they're using siteiwantyoutothinkyou'revisiting.com@malicioussite.com

yelped · « **Reply #13 on:** March 26, 2024, 11:01:01 AM »

Quote from: avromie7 on March 26, 2024, 10:34:59 AM

This is wrong. You need to look to the left and right of the last period before the /

Fixed was a typo. Meant the last.

SuperFlyer · « **Reply #14 on:** March 26, 2024, 11:03:59 AM »

Quote from: AsherO on March 26, 2024, 10:56:53 AM

What is this @ in URL and why do browsers support it? What's the legit function for it?

ETA: Looks like it's a hack that hijack's the original intent (authority/credentials)

I would think the same way Facebook would link in the following manner:
https://Facebook.com/send/?text=https%3A%2F%2Fwww.facebook.com%2FYechielRiva%2Fposts%2Fpfbid02gHtTxV2D9eeEF2yVULvTB1gKBoh1XRaRx8zV9HjBLRvN2tk3MhUxBhyJ9cxZZwijl&type=custom_url&app_absent=0