URL Hijacking – CompTIA Security+ SY0-401: 3.2

One way to redirect your browsing activity is to force you to a site that you weren’t intending to visit. In this video, you’ll learn the techniques used to hijack URLs.


A URL hijack is when you think you’re going to one website and you end up going to a completely different one. And the URLs may look very similar or they actually might be very different. This hijacking can take place through a number of different mechanisms that we’ll talk about in a moment.

The reason these hijacks take place is primarily money. If they can redirect your eyeballs to a site they own, then the bad guys can make money off of a mistake that you happened to make when you were typing in a URL, or off of a redirect that sent your URL to their website. There is a questionable market for badly spelled domain names.

These badly spelled domain names may end up gathering a lot of people to a site. And the owner of the badly spelled domain can go to the owner of the correctly spelled domain and ask them if they would like to buy that domain, since a lot of their legitimate users are ending up on this third-party site. Wouldn’t it be better, Mr. Business Owner, if they ended up on your site to begin with? All you’d have to do is pay me money for that particular misspelled domain name.

Sometimes these badly spelled domain names can be used to redirect people from one particular website to a competitor’s website. This, obviously, has a number of legal issues associated with it. When this has occurred in the past, it has led to a lot of courtroom work, and it usually ends with that domain name being corrected so that it no longer points to a competitor. But obviously, this is not something that is good for anybody while the redirection is going on.

Sometimes it’s done for phishing. Somebody wants your username and password. They’re going to redirect you to a site that looks very much like your bank’s website, or one that looks just like PayPal’s site.

And you put in your username and password, and now they have your login credentials. They’ll go to your real bank account or your real PayPal account, and then they’ll move money into their account. So this may not be something that’s just an annoyance or somebody trying to make advertising money. This could be someone trying to get to your personal data, your personal information, or your bank accounts.

Sometimes you become infected with malware that will take your legitimate URLs and redirect you to a different website. We often refer to this as browser hijacking, but it’s the same type of idea: they’ll take a legitimate URL and either put their ads around it or redirect you to a completely different site altogether.

This type of URL hijacking that takes advantage of a badly spelled name is often called typosquatting or brandjacking. And it doesn’t have to be a very obvious misspelling. It could be something very minor, and it may be a mistake that a lot of people make.

For instance, professormesser.com versus professermesser.com. At first glance, they even look identical on the screen, but you’ll notice that professor in the first is spelled with an o and in the second it’s spelled with an e. And obviously, you can find somebody who might misspell that when they’re typing it in, and they’ll end up on the wrong website.

Maybe it’s somebody who’s just trying to type the name in legitimately, but they make a spelling error, like professormeser.com. This is where they miss an S somewhere in there, and they end up on a third-party website instead of the site they were originally planning to go to. Or maybe the bad guys would just like to use a completely different phrase. Maybe you think my website is professormessers.com, so they’ll add an S to the end, or they’ll try to find a derivative of the name and also have that go to a third-party site.

Then there’s the case where they use exactly the same name, but with a different top-level domain. You see this most often if somebody owns a .org or a .net. The bad guys will get the .com version of that, since that tends to be more popular. And instead of going to the site you think you’re going to, you’ll end up on the bad guy’s third-party site.
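The four typosquatting patterns described above (a substituted character, a missing character, an added character, and a swapped top-level domain) are easy to check for mechanically, which is how brand-monitoring and proxy or DNS log review usually catches them. The following Python is an added example written for this page, not code from the video or from Professor Messer; the legitimate domain and the sample hostnames are constructed for illustration, and the classification rules are my own simplification of the patterns in the text.

```python
# Added example (not part of the original lesson): classify a candidate
# hostname against a legitimate one using the typosquatting patterns the
# lesson describes. Every domain name below is constructed for illustration.

from typing import Optional

# Assumed legitimate domain; swap in the domain you actually own.
LEGIT = "professormesser.com"


def split_domain(name: str) -> tuple[str, str]:
    """Split 'label.tld' into (label, tld), lower-cased, trailing dot removed."""
    name = name.lower().rstrip(".")
    label, _, tld = name.rpartition(".")
    return label, tld


def _one_deletion_apart(longer: str, shorter: str) -> bool:
    """True if removing exactly one character from `longer` yields `shorter`."""
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def classify(candidate: str, legit: str = LEGIT) -> Optional[str]:
    """Name the pattern that turns `legit` into `candidate`, or None when the
    candidate is the real site or too different to count as a lookalike."""
    c_label, c_tld = split_domain(candidate)
    l_label, l_tld = split_domain(legit)

    if c_label == l_label:
        # Same name, different TLD: professormesser.com vs professormesser.net
        return None if c_tld == l_tld else "tld-swap"
    if c_tld != l_tld:
        return None  # different label AND different TLD: not one of these patterns
    if len(c_label) == len(l_label):
        # One character swapped: professOrmesser vs professErmesser
        diffs = sum(a != b for a, b in zip(c_label, l_label))
        return "substitution" if diffs == 1 else None
    if len(c_label) == len(l_label) - 1 and _one_deletion_apart(l_label, c_label):
        return "omission"  # one character missing: professormeser
    if len(c_label) == len(l_label) + 1 and _one_deletion_apart(c_label, l_label):
        return "addition"  # one character added: professormessers
    return None


def flag_lookalikes(hostnames, legit: str = LEGIT) -> dict:
    """Return {hostname: pattern} for every hostname that is a lookalike of `legit`."""
    flagged = {}
    for host in hostnames:
        pattern = classify(host, legit)
        if pattern is not None:
            flagged[host] = pattern
    return flagged


# Constructed sample of hostnames as they might appear in a DNS or proxy log.
SAMPLE_HOSTS = [
    "professormesser.com",   # the real site
    "professermesser.com",   # o -> e
    "professormeser.com",    # missing s
    "professormessers.com",  # extra s
    "professormesser.net",   # different top-level domain
    "example.org",           # unrelated
]

if __name__ == "__main__":
    for host, pattern in flag_lookalikes(SAMPLE_HOSTS).items():
        print(f"{host}: {pattern}")
```

The comparison works on the whole label left of the final dot, so a hostname such as www.example.com would need its leading label stripped before being compared against example.com; that, and patterns the lesson does not cover (transposed letters, look-alike characters from other alphabets), are deliberately left out to keep the rules matching the four cases in the text.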

These URL hijacks should be something we’re always looking out for, especially if we’re planning to enter private information or financial information into a website.