You are here

HomeJohn Lister › Google Tries Anti-Scam Tactic with Web Addresses

Google Tries Anti-Scam Tactic with Web Addresses

John Lister's picture
by John Lister on August, 17 2020 at 05:08PM EDT

Google is testing a new way of showing a web page address in the browser. It hopes that simply showing the domain name will make it easier for users to spot phishing scams - as already happens with some rival browsers.

At the moment most browsers will show the entire web page address (URL) in the address bar. That's the box near the top of the screen that has a dual purpose in most browsers: it shows the current page address but is also where users type in both addresses and search terms.

A study for Google looked at ways scammers can take advantage of the browser bar. One example was the website address "https://bank.com.acct.balanc.es.". At a quick glance, users could easily assume the page belonged to the organization which controls "bank.com" when in fact it belongs to whoever controls "balance.es".

In this hypothetical attack, the scammers would have registered the domain name "balance" on a Spanish registry to create what might look like the word "balances" at the end of a page address. The reference to "bank.com.acct" is purely a directory within the "balance.es" website and doesn't give any insight into the organization behind it.

Most Scam Sites Not Spotted

Google's study found that while people could correctly identify a site as being genuine from the website of address 93 percent of the time, they were only able to spot a misleading site in 40 percent of cases. (Source: googleapis.com)

Now a random set of users of Google Chrome Canary (a version of Chrome used for testing features before they go into the main browser edition) will not see the full website address by default. Instead, they will just see the actual main domain name (without any page details) and in some cases the registrable domain will be highlighted. In our example, that could mean the user's attention is drawn directly to "balance.es", with "bank.com" potentially hidden or downplayed.

New Policy Optional For Users

Users will still be able to see the full URL which includes directories within the domain, and the specific page details.

To do this they can either hover over the address bar to reveal it, or right click on the address bar to bring up a menu that includes an option to revert to showing the full URL by default. (Source: chromium.org)

One problem with the testing is that the type of people who use Chrome Canary may be more likely to pay close attentions to website addresses and domain mismatches in the first place. It could also be difficult to prevent scams with visually similar domains such as rnicrosoft.com (with the 'RN' forming an 'M' at the beginning of the word) instead of 'microsoft.com'.

What's Your Opinion?

Would you prefer to simply see the domain name rather than the full URL? Will highlighting the main part be helpful? Do you think you could reliably spot a fake webpage from its URL?

Filed under:
Security
| Tags:
page address
,
url
,
domain
,
bank
,
website
,
google
Rate this article: 
Average: 5 (7 votes)

Comments

doulosg's picture

Submitted by doulosg on Mon, 08/17/2020 - 18:48

This is basically the technique I use with email scams. I mouseover the sender-supplied name (like Infopackets Newsletter) and let the inbox show me the address. If it appears legit (like newsletter[ a t ]mailer.infopackets.com), I'll open the message. If it appears bogus or spoofed (like Andy.Whitfield.gp[ a t ]24-source-m-d.us), it gets deleted immediately.

But 1) I have to go looking for that, and 2) it could be easy to miss if the spoof is good or happens to be a close match. In an address field, highlighting the significant components would definitely be a reminder of how a URL is constructed.

So, would the spammers respond by lengthening their directory names so the real domains - highlighted or not - are hidden?

David's picture

Submitted by David on Tue, 08/18/2020 - 08:21

I would like to universally disable any and all searches from the address bar. If I type something into the address bar and it doesn't go to an actual site I do NOT want any sort of search performed for what the browser thinks I wanted. Yes, I'm 'old school', the more a 'feature' tries to be helpful the more I dislike it. If I want to search I'll use a search box. If I want to type an address I'll use the address bar. The two are NOT the same.

The most help I want is to have the browser resolve any 'tiny URL' type addresses and show me the actual destination and ask me if I really want to go to a site in Nigeria, India, or Afghanistan when I click a link supplied by my 'bank'.

jhgsub_13922's picture

Submitted by jhgsub_13922 on Tue, 08/18/2020 - 09:31

I would favor highlighting and add a half-space between letters to avoid the "rn" = "m" problem.

Need Help? Ask!



My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 30 years experience; I also run this website! If you need technical assistance , I can help. Click here to email me now; optionally, you can review my resume here. You can also read how I can fix your computer over the Internet (also includes user reviews).

We are BBB Accredited

We are BBB accredited (A+ rating), celebrating 21 years of excellence! Click to view our rating on the BBB.