On Neuroscience and Phishing Attacks

All kinds of fun facts bounce around the internet. You might have seen the one about contextual reading: It deson’t mttaer in waht oredr the ltteers in a wrod aepapr, you can sitll raed it wouthit pobelrm. See how this neuro-scientific peculiarity helps phishing criminals earn lots of money and what simple things you can do to protect yourself.

Why are URLs so important?

As I work in the URL detection team of Avira’s Protection Labs, you might not be surprised by me saying that URLs are a very important part of our daily lives. In ancient times, ten or fifteen years ago that is, data was shared through floppy disks, which were still in heavy use back then. (You know, the legacy industrial equipment that looks like the ‘Save’ button in your applications.) Times have changed and so has the industry. In today’s world, files are distributed over the Internet. File hosting services, like Dropbox and OneDrive, flourish like never before. The Internet actually consists of many subsystems like email, file sharing and the World Wide Web. Also known as just the Web, the latter represents what you usually do in your browser: click on links, enter URLs in the browser bar, search the web; those are all examples of how you use URLs to access the Web.

What is a domain?

Avira’s domain entered in a web browser

Domains exist because they are easier to remember than IP addresses (which domains point to). They operate pretty much like a phone book. You do not remember the phone number of a person to call, you look them up in the phone book. This establishes the connection between person and callable number. While you still have to enter the number yourself on the phone, your browser will take that burden off of you. So, when you enter www.wikipedia.org in your browser, it will look up and redirect you to the proper IP address of the web server that hosts the site. If you enter www.wikkepedia.org, you will not be redirected to the site you intended to visit but rather receive a browser warning, stating that the website does not exist – just like the well-known “The person you’ve called is temporarily not available” message you hear on the phone when you dial the wrong number.

Some typos are intentional

“Where does the neuroscience bit come into play?”, you might ask. Cyber criminals are able to register this domain and host advertisements. Once you accidentally enter the wrong URL, you will be redirected to this so-called typosquatted domain and thus will have accessed ads. This in turn generates money for the advertiser. Check out my other article about online advertisements for further information. The important thing to remember is that this is possible not because of careless surfing. It works because the human brain operates with contextual sections.

Some just want to make a few bucks by registering a misspelled domain in order to sell it back to the brand owner. One could register www.citybank.com and sell it to www.citibank.com, as this is a common misspelling.

From Malware to Phishing

Landing page of misspelled Wikipedia URL

Other unfair practices include redirection to potentially unwanted applications (abbreviated PUA). Your browser will typically show a warning about the state of your computer – telling you it might be infected, your drivers might be out of date or that you have won a million dollars. To give you a practical example: I found this software recommending driver updates for my computer while going through misspelled Wikipedia links (I omit the direct URL for obvious reasons). A click on “Installieren” (region-specific, as I am browsing from Germany) tries to install the software that I do not actually intend to have on my PC. Fortunately, I am one of the lucky people having Avira security products installed. The Web Protection kicks in and saves me from accidentally installing PUA on my PC.

What to do about it?

Avira detects potentially unwanted applications (PUA)

No antimalware solution will ever give you 100% security. They are considered to provide you with something in between base and enhanced detection of malicious software on your PC. Nowadays, those programs also include effective web protection like cloud-based scanning of URLs. Avira offers both traditional antimalware solutions and an unobtrusive browser plugin to protect you against most of it. However, you should never solely rely on software to protect you. It helps a lot to know about the risks. You just might look twice the next time. 😉


My job is to assure that Avira delivers a world-class detection of web threats and URL-based scams to our customers. I oversee all URL-related topics, be it the integration of URL Cloud into our products or the continuous evolvement of our backend services. Come and talk to me if you have questions about our systems or suggestions! I strive to improve until perfection is reached.