Simple Domain Spoof

Just discovered that you can abuse the seldom-used @ syntax for passing a username and password in a URL to make your domain look, to the untrained eye, as if it lives somewhere other than where it really does. e.g.:

http://www.nytimes.com@blog.birdhouse.org/

The browser treats everything before the @ sign as login credentials for the host that follows it, otherwise ignores that part, and carries on to the real host (here blog.birdhouse.org). Which means an unscrupulous soul can copy a template from any site, populate it with any content they like, and pass out a URL that will fool many viewers.

I’m not interested in doing this, mind you. Merely a technical curiosity.
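As an added example (not code from the original post), here is how Python's urllib.parse splits such a URL the same way a browser does, recovering the host that is actually contacted and flagging links whose "username" part looks like a hostname; the sample URLs other than the one above are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample URLs; only the first one appears in the original post.
SAMPLE_URLS = [
    "http://www.nytimes.com@blog.birdhouse.org/",
    "http://www.nytimes.com/",
    "https://user:secret@example.org/login",
]

# A userinfo part that itself looks like a DNS name (labels joined by dots).
HOSTLIKE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def split_userinfo(url):
    """Return (userinfo, real_host) for a URL.

    Everything between '//' and the last '@' of the authority is userinfo;
    the host the browser connects to is what follows the '@'.
    """
    parts = urlsplit(url)
    userinfo, sep, _ = parts.netloc.rpartition("@")
    if not sep:
        userinfo = ""
    # parts.hostname already strips userinfo and any port, lowercased.
    return userinfo, parts.hostname or ""


def looks_like_spoof(url):
    """True when the userinfo mimics a hostname that differs from the real host."""
    userinfo, real_host = split_userinfo(url)
    return bool(HOSTLIKE.match(userinfo)) and userinfo.lower() != real_host


def flag_spoofs(urls):
    """Return [(url, displayed_lookalike, real_host)] for every suspicious URL."""
    flagged = []
    for url in urls:
        if looks_like_spoof(url):
            userinfo, real_host = split_userinfo(url)
            flagged.append((url, userinfo, real_host))
    return flagged


if __name__ == "__main__":
    for url, fake, real in flag_spoofs(SAMPLE_URLS):
        print(f"{url}\n  looks like: {fake}\n  actually:   {real}")
```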

2 Replies to “Simple Domain Spoof”

  1. This has been around for a while, and of course the scammers were the first to use it. Use one of these URLs to spoof PayPal, create a “real target” that looks remarkably like the PayPal site asking someone to reconfirm their account information, get one or two noobs to bite, and voilà: instant credit card #s.

  2. Plus address, SSN, ATM card # and PIN.

    I find it amazing that people still fall for it – the query for SSN and/or ATM PIN should raise all kinds of red flags.
