Google Tries Anti-Scam Tactic with Web Addresses

John Lister's picture

Google is testing a new way of showing a web page address in the browser. It hopes that simply showing the domain name will make it easier for users to spot phishing scams - as already happens with some rival browsers.

At the moment most browsers will show the entire web page address (URL) in the address bar. That's the box near the top of the screen that has a dual purpose in most browsers: it shows the current page address but is also where users type in both addresses and search terms.

A study for Google looked at ways scammers can take advantage of the browser bar. One example was the website address "https://bank.com.acct.balanc.es.", with the final dot being part of the address. At a quick glance, users could easily assume the page belonged to the organization which controls "bank.com" when in fact it belongs to whoever controls "balanc.es".

In this hypothetical attack, the scammers would have registered the domain name "balanc" on a Spanish registry to create what might look like the word "balances" at the end of a page address. The reference to "bank.com.acct" is purely a directory within the "balanc.es" website and doesn't give any insight into the organization behind it.

Most Scam Sites Not Spotted

Google's study found that while people could correctly identify a site as being genuine from the website address 93 percent of the time, they were only able to spot a misleading site in 40 percent of cases. (Source: googleapis.com)

Now a random set of users of Google Chrome Canary (a version of Chrome used for testing features before they go into the main browser edition) will not see the full website address by default. Instead, they will just see the actual main domain name (without any page details) and in some cases the registrable domain will be highlighted. In our example, that could mean the user's attention is drawn directly to "balanc.es", with "bank.com" potentially hidden or downplayed.
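The registrable-domain split described above can be sketched in a few lines. This is an added example, not code from the article or from Chrome: SUFFIXES is a small constructed subset of the Public Suffix List, and the function names splitHost and embeddedDomain are hypothetical.

```javascript
// SUFFIXES is a constructed subset for illustration only; a real
// implementation would load the full Public Suffix List.
const SUFFIXES = new Set(["com", "es", "us", "co.uk"]);

// Split a URL's host into its registrable domain (the part a registrant
// actually controls) and the labels in front of it.
function splitHost(urlString) {
  // URL parsing lowercases the host and separates it from path and query.
  let host = new URL(urlString).hostname;
  if (host.endsWith(".")) host = host.slice(0, -1); // drop trailing root dot
  const labels = host.split(".");
  // Longest candidates are tried first, so "co.uk" wins over a bare "uk".
  for (let i = 0; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      if (i === 0) return null; // host is a bare suffix, nothing registrable
      return {
        prefix: labels.slice(0, i - 1).join("."),
        registrable: labels.slice(i - 1).join("."),
      };
    }
  }
  return null; // IP address, or suffix outside the constructed subset
}

// Heuristic check: does the prefix itself contain something shaped like a
// full domain (a label followed by a known suffix), as "bank.com" does in
// the article's example? Returns that embedded name, or null.
function embeddedDomain(urlString) {
  const parts = splitHost(urlString);
  if (!parts || !parts.prefix) return null;
  const labels = parts.prefix.split(".");
  for (let i = 1; i < labels.length; i++) {
    for (let j = i + 1; j <= labels.length; j++) {
      if (SUFFIXES.has(labels.slice(i, j).join("."))) {
        return labels.slice(i - 1, j).join(".");
      }
    }
  }
  return null;
}

// The article's example address, then a constructed legitimate one.
console.log(splitHost("https://bank.com.acct.balanc.es."));
console.log(embeddedDomain("https://bank.com.acct.balanc.es."));
console.log(splitHost("https://www.bank.com/acct/balances"));
```

The embedded-name check is only a heuristic: a legitimate host with a country-code label in its prefix would also be flagged, so it suits a warning or a review queue rather than outright blocking.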

New Policy Optional For Users

Users will still be able to see the full URL which includes directories within the domain, and the specific page details.

To do this they can either hover over the address bar to reveal it, or right-click on the address bar to bring up a menu that includes an option to revert to showing the full URL by default. (Source: chromium.org)

One problem with the testing is that the type of people who use Chrome Canary may be more likely to pay close attention to website addresses and domain mismatches in the first place. It could also be difficult to prevent scams with visually similar domains such as rnicrosoft.com (with the 'RN' forming an 'M' at the beginning of the word) instead of 'microsoft.com'.

What's Your Opinion?

Would you prefer to simply see the domain name rather than the full URL? Will highlighting the main part be helpful? Do you think you could reliably spot a fake webpage from its URL?


Comments

doulosg's picture

This is basically the technique I use with email scams. I mouseover the sender-supplied name (like Infopackets Newsletter) and let the inbox show me the address. If it appears legit (like newsletter[ a t ]mailer.infopackets.com), I'll open the message. If it appears bogus or spoofed (like Andy.Whitfield.gp[ a t ]24-source-m-d.us), it gets deleted immediately.

But 1) I have to go looking for that, and 2) it could be easy to miss if the spoof is good or happens to be a close match. In an address field, highlighting the significant components would definitely be a reminder of how a URL is constructed.

So, would the spammers respond by lengthening their directory names so the real domains - highlighted or not - are hidden?

David's picture

I would like to universally disable any and all searches from the address bar. If I type something into the address bar and it doesn't go to an actual site I do NOT want any sort of search performed for what the browser thinks I wanted. Yes, I'm 'old school', the more a 'feature' tries to be helpful the more I dislike it. If I want to search I'll use a search box. If I want to type an address I'll use the address bar. The two are NOT the same.

The most help I want is to have the browser resolve any 'tiny URL' type addresses and show me the actual destination and ask me if I really want to go to a site in Nigeria, India, or Afghanistan when I click a link supplied by my 'bank'.

jhgsub_13922's picture

I would favor highlighting and add a half-space between letters to avoid the "rn" = "m" problem.