Dodgy .ac.uk Web Sites

No, we are not talking about real .ac.uk web sites but fake ones. We have recently been alerted to the activities of a certain well-known attacker (the “Silent Librarian”), and whilst processing it I noticed something that it might be helpful to publicise more widely.

The location bar of your browser (or the pop-up that appears when you “hover” over a link in an email) can be a useful source of information on how trustworthy a site is :-

This web site address (it currently gives an error if you happen to try and visit it) has nothing to do with the port.ac.uk address (the university!) although it contains it. A certain number of “fake” web sites used by the previously mentioned attacker are set up like this – the address of a well-known .ac.uk institution with a different domain at the top.

A brief aside on domains: Domains are the wrong way around – for a domain such as port.ac.uk, the most significant part is on the right – the UK, followed by the “ac” (for academic) and finally “port” (for us). Bits added to the right are more significant than the bits at the left.

If I were to register touche.me I could easily create a registration for port.ac.uk.touche.me and point it to a web site not under control of the university. And that is what this attacker is doing.

So when you visit web sites, it is always worth double-checking the location bar to check that the domain is what you expect it to be, and that the address does not merely look like a legitimate site when in fact it is only legitimate on the left-hand side.
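
The same right-to-left check can be automated, for instance when reviewing links found in reported email. The Python below is an added example, not part of the original post: the function names and sample URLs are constructed for illustration (touche.me is the hypothetical registration used above), and it assumes each URL includes its scheme.

```python
from urllib.parse import urlsplit

TRUSTED = "port.ac.uk"  # the university's domain, as named in the post


def host_labels(url):
    """Return the URL's hostname as lower-case labels, e.g. ['www', 'port', 'ac', 'uk']."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    return host.split(".") if host else []


def classify(url, trusted=TRUSTED):
    """Return 'genuine', 'lookalike' or 'unrelated' for a link.

    genuine   - the right-most labels are exactly the trusted domain
    lookalike - the trusted domain appears, but only further to the left
    unrelated - the trusted domain does not appear in the hostname at all
    """
    labels = host_labels(url)
    want = trusted.lower().split(".")
    n = len(want)
    # Compare whole labels from the right, so 'notport.ac.uk' does not match.
    if len(labels) >= n and labels[-n:] == want:
        return "genuine"
    # Look for the trusted labels anywhere except the right-hand end.
    for i in range(len(labels) - n):
        if labels[i:i + n] == want:
            return "lookalike"
    return "unrelated"


# Constructed sample links, not taken from any real incident.
SAMPLES = [
    "https://www.port.ac.uk/library",
    "https://port.ac.uk.touche.me/login",
    "https://library.port.ac.uk.touche.me/",
    "https://notport.ac.uk/",
    "https://example.org/?next=port.ac.uk",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify(link):10} {link}")
```

Only the hostname is examined, so the trusted name appearing in a path or query string is ignored, and matching on whole labels avoids the mistake of a plain "ends with" string comparison.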
