
A Uniform Resource Locator (URL) is a fundamental concept of the web: it is the address of a specific resource, such as a webpage, image or file, on the internet. It acts as a unique identifier that allows users to access and retrieve resources hosted on web servers worldwide. A URL consists of several components, including a protocol, an optional subdomain name, a domain name and an optional path, query parameters and other identifiers. These are combined in a standardised format for specifying the precise location of online content. Understanding how URLs work is essential for navigating the web, sharing links and staying secure online.

Phishing scams often make use of the subdomain name to make a malicious link appear genuine. For example:

https://netflix.accounts.com/account-verification might look genuine to a casual observer, but let's break this down:

  • Protocol: https://
  • Subdomain Name: netflix.
  • Domain Name: accounts
  • Top-Level Domain: .com
  • Path: /account-verification

In the example above, you can see that the actual registered domain name is ‘accounts.com’. ‘netflix.com’ is registered to Netflix, Inc. and cannot be used, so the threat actor is using the ‘netflix’ subdomain to make the link appear genuine.

Please continue reading below to find out more information on how URLs are made up:

Protocol

The protocol in a URL is a crucial component that specifies the rules and procedures for communication between a web browser and a web server. It defines how data is transmitted, the security measures employed and the actions required to establish a connection with a website. Example protocols include:

  • HTTP (Hypertext Transfer Protocol)
  • HTTPS (Hypertext Transfer Protocol Secure): often depicted with a padlock symbol. HTTPS indicates that the communication is encrypted using SSL/TLS, ensuring data confidentiality and integrity.
  • FTP (File Transfer Protocol): for transferring files

Subdomain

Subdomains are prefixes that are added to the beginning of a domain name, separated by a dot. They are used to divide a website into different sections or categories. In a phishing email, attackers may create deceptive subdomains to mimic legitimate websites. For example, they might use “secure” or “login” as subdomains to make the phishing URL appear trustworthy, such as secure.example.com or login.example.com.

Domain Name

Domain names are the main part of a URL and are unique identifiers for websites. Phishers often create domain names that closely resemble popular or legitimate websites to deceive users. For instance, they could use variations like go0gle.com or paypa1.com instead of google.com or paypal.com to trick users into thinking they are visiting the authentic sites.

Top-Level Domains (TLDs)

TLDs are the last part of a domain name and represent the highest level in the domain hierarchy. Common TLDs include .com, .org, .net, and country-specific TLDs like .co.uk or .ca. Phishers may use TLDs that resemble the genuine ones to make their malicious URLs appear legitimate. For example, they might use .cm instead of .com, resulting in a URL like example.cm.

Path

Paths are used to organise content within a website. In a phishing email, attackers might include folder or file names in the URL to create a sense of legitimacy. They could add “/account” or “/login” to the URL to mimic the structure of a legitimate website, such as example.com/login or example.com/account.

In summary, when decoding URLs, focus on the domain name and TLD and ignore the rest!

Subdomain        Domain    TLD    Path
ignore.          website   .com   /ignore
ignore-ignore.   website   .org   /ignore-me
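To show the "focus on the domain name and TLD" rule as a check you can actually run, here is an added example (not part of the original article) that breaks a URL into the components described above and flags the netflix.accounts.com pattern, where a brand name appears in the subdomain or path while the registered domain belongs to someone else. The short set of two-label suffixes (.co.uk and friends) and the brand list are assumptions for the example; a real checker would use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Multi-label suffixes such as .co.uk, which the article mentions, need two
# labels for the TLD. This short set is an assumption for the example; a
# production checker would use the full Public Suffix List.
MULTI_LABEL_TLDS = {"co.uk", "org.uk", "ac.uk", "com.au"}


def decode_url(url):
    """Break a URL into protocol, subdomain, domain, TLD and path."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")
    labels = host.split(".")
    # .co.uk style suffixes take two labels, everything else takes one.
    tld_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_TLDS else 1
    if len(labels) < tld_len + 1:
        raise ValueError(f"no registrable domain in host {host!r}")
    tld = "." + ".".join(labels[-tld_len:])
    domain = labels[-tld_len - 1]
    subdomain = ".".join(labels[: -tld_len - 1])
    return {
        "protocol": parts.scheme,
        "subdomain": subdomain,
        "domain": domain,
        "tld": tld,
        "registered_domain": domain + tld,  # the part that actually matters
        "path": parts.path or "/",
    }


def brand_mismatch(url, brands):
    """Return a brand name that appears in the subdomain or path while the
    registered domain is NOT that brand (the netflix.accounts.com pattern).
    Returns None when the registered domain is the brand or no brand appears."""
    d = decode_url(url)
    if d["domain"] in brands:
        return None
    for brand in brands:
        if brand in d["subdomain"] or brand in d["path"].lower():
            return brand
    return None


if __name__ == "__main__":
    for u in ("https://netflix.accounts.com/account-verification",
              "https://www.netflix.com/login",
              "https://secure.login.example.co.uk/account"):
        print(u, "->", decode_url(u)["registered_domain"],
              "| mismatch:", brand_mismatch(u, ("netflix", "paypal")))
```

Lookalike domains such as paypa1.com are a separate problem: they pass this check because the registered domain really is theirs, which is why the article tells you to read the domain name itself carefully.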