{
	"id": "52eb2621-b936-46b2-977d-7649923c5b6f",
	"created_at": "2026-04-06T00:16:30.379562Z",
	"updated_at": "2026-04-10T13:12:00.561717Z",
	"deleted_at": null,
	"sha1_hash": "9b4907fd12590adc30c641c31d0ff439f3b0ff41",
	"title": "How cybercriminals disguise URLs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 40205,
	"plain_text": "How cybercriminals disguise URLs\r\nBy Roman Dedenok\r\nPublished: 2023-12-12 · Archived: 2026-04-05 22:53:21 UTC\r\nCorporate information security specialists usually know quite a few confident employees who say that they don’t\r\nclick on dangerous links and are therefore not susceptible to cyberthreats. Sometimes those employees use this\r\nargument when asking to have corporate security measures turned off, which somehow interfere with work. But\r\nattackers often disguise malicious and phishing links, trying to confuse both mail filters and human observers.\r\nWhat they want is to make victims (even if they are examining URLs as we repeatedly advise) click on an address\r\nthat actually takes them to a different one. Here are the most common methods used by cybercriminals to hide\r\nmalicious or phishing URLs.\r\nAn @ symbol in the address\r\nThe simplest way to hide the real domain in the address is to use the @ symbol in the URL. This is a completely\r\nlegitimate symbol that can be used to integrate a login and a password into the website address — HTTP allows\r\ncredentials to be passed to the web server via the URL simply by using the login:password@domain.com format. If the data\r\nbefore the @ symbol is incorrect and not suitable for authentication, the browser simply discards it, redirecting the\r\nuser to the address located after the @ symbol. So cybercriminals use this: they come up with a convincing page\r\nname, use the name of a legitimate site in it, and place the real address after the @ symbol. For example, look at\r\nour blog’s address disguised in this way:\r\nIt looks like a page with many words in the name hosted somewhere on the Google domain, but the browser will\r\ntake you to http://kaspersky.com/blog/.\r\nNumbers instead of the IP address\r\nIn the previous method, attackers often try to confuse the user with a long page name in order to distract them\r\nfrom the real address — because it still remains in the URL. 
But there’s a way to hide it completely — by\r\nconverting the IP address of a site into an integer. As you may know, IP addresses are not very conveniently stored\r\nin databases. Therefore, at some point, a mechanism was invented to convert IP addresses into integers (which are\r\nmuch more convenient to store) and vice versa. And these days, when modern browsers see a number in a URL,\r\nthey automatically convert it into an IP address. In combination with the same @ symbol, it effectively hides the\r\nreal domain. This is what a link to our corporate website can look like:\r\nIn using this trick, cybercriminals try to focus attention on the domain before the @ symbol, and make everything\r\nelse look like some kind of parameter — various marketing tools often insert all sorts of alphanumeric tags into\r\nweb links.\r\nURL shortener services\r\nAnother fairly simple way to hide the real URL is to use one of the legitimate link shortening services. You can\r\ninclude absolutely anything inside a short link — and it’s impossible to check what hides there without clicking.\r\nGoogle Accelerated Mobile Pages\r\nSeveral years ago, Google and some partners created the Google AMP framework — a service that was intended\r\nto help webpages load faster on mobile devices. In 2017, Google claimed that AMPed pages load in less than a\r\nsecond and use 10 times less data than the same pages without AMP. Now attackers have learned how to use this\r\nmechanism for phishing. An email contains a link starting with “google.com/amp/s/”, but if the user clicks it,\r\nthey’ll be redirected to a site that doesn’t belong to Google. 
Even some anti-phishing filters often fall for this trick:\r\ndue to Google’s reputation, they consider such a link to be sufficiently reliable.\r\nEmail service providers\r\nAnother way to hide your page behind someone else’s URL is to use an ESP; that is, a service for creating\r\nlegitimate newsletters and other mailouts. We’ve already written in detail about this method in one of our previous\r\nposts. In short, criminals employ one of these services, create a mailing campaign, input a phishing URL, and as a\r\nresult get a ready-made clean address, which has the reputation of an ESP company. ESP companies of course try\r\nto fight such misuse of their service, but it doesn’t always work out.\r\nRedirect via Baidu\r\nThe Chinese search engine Baidu has quite an interesting approach to showing search results. Unlike Google, it\r\ndoesn’t give you links to the sites, but instead makes links to itself with a redirect to the site searched for. That is,\r\nin order to disguise a malicious URL as Baidu, all cybercriminals need do is search for the page (and that is quite\r\nsimple if you enter the exact address), copy the link and paste it in the phishing email.\r\nAnd by and large, we don’t know just how many other services there are that can redirect URLs or even cache\r\npages on their side (be it for their own needs or in the name of convenience of content delivery).\r\nPractical takeaways\r\nNo matter how confident your employees are, we doubt that they really can understand whether a link is\r\ndangerous or not. We therefore recommend backing them up with protective solutions. Moreover, we recommend\r\nusing such solutions both at the corporate mail server level, and at the level of internet-enabled working devices.\r\nSource: https://www.kaspersky.com/blog/malicious-redirect-methods/50045/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.kaspersky.com/blog/malicious-redirect-methods/50045/"
	],
	"report_names": [
		"50045"
	],
	"threat_actors": [],
	"ts_created_at": 1775434590,
	"ts_updated_at": 1775826720,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9b4907fd12590adc30c641c31d0ff439f3b0ff41.pdf",
		"text": "https://archive.orkl.eu/9b4907fd12590adc30c641c31d0ff439f3b0ff41.txt",
		"img": "https://archive.orkl.eu/9b4907fd12590adc30c641c31d0ff439f3b0ff41.jpg"
	}
}