Checking if anyone else has heard of this protocol. It seems to be a method of bypassing security filtering software. The reason I ask is that we received a security alert with a link hxxp://pastebin.com/###. Seems very suspicious and want to know if anyone can shed light. Is this a new phishing/malware methodology?

matthew black
california state university, long beach

On Sep 13, 2012, at 12:34, Matthew Black wrote:
> Checking if anyone else has heard of this protocol. It seems to be a method of bypassing security filtering software.
> The reason I ask is that we received a security alert with a link hxxp://pastebin.com/###.
> Seems very suspicious and want to know if anyone can shed light. Is this a new phishing/malware methodology?

Using "hxxp" is a common method to prevent auto-linking by various email/IM clients and/or forum software to then require the user to actively copy/paste the URL to get the content. In the case of a security alert, I could see it being used if the destination is in fact an example of an attack site to prevent someone from inadvertently clicking the link and getting infected.

---
Sean Harlow
sean@seanharlow.info

On 13 September 2012 09:38, Sean Harlow <sean@seanharlow.info> wrote:
> Using "hxxp" is a common method to prevent auto-linking by various email/IM clients and/or forum software to then require the user to actively copy/paste the URL to get the content.
> In the case of a security alert, I could see it being used if the destination is in fact an example of an attack site to prevent someone from inadvertently clicking the link and getting infected.

All true and commonly used but it's worth mentioning that putting a space before the *dot TLD* is a better way to prevent auto linking in email/IM clients since most of them detect the formation of URLs by other means rather than rely on the existence of http://.

--
Landon Stewart <LStewart@Superb.Net>
Sr. Administrator
Systems Engineering
Superb Internet Corp - 888-354-6128 x 4199
Web hosting and more "Ahead of the Rest": http://www.superbhosting.net

On Sep 13, 2012, at 17:21, Landon Stewart wrote:
> All true and commonly used but it's worth mentioning that putting a space before the dot TLD is a better way to prevent auto linking in email/IM clients since most of them detect the formation of URLs by other means rather than rely on the existence of http://.

Certainly true, the machine I'm currently responding on runs Apple Mail 5.2 and does turn it into a link, but since hxxp is an invalid protocol it doesn't do anything useful with it. Clicking the link just gives a "no associated application" error, so the practical result is the same.

---
Sean Harlow
sean@seanharlow.info

For further reference, wiki gives the following reasons for hxxp or other similar methods of URL obfuscation:

Some of the uses of this method include:

* to avoid passing the HTTP referrer header which would reveal the referring web site to the target.
* avoiding automated web crawlers from following the links. While effective, legitimate web crawlers can be avoided through the use of a robots exclusion standard on the target web site. To avoid advancing the search engine rank of the target web site, nofollow attributes can be used instead.
* to bypass overzealous link spam protection in, for example, blog comments.
* for making sure that a user doesn't accidentally click on a potentially harmful link, in applications that automatically recognize links in plain text. Examples of this include "not safe for work" links.
* to avoid an application from downloading unwanted files, like advertisements or a malware. The method is directly change all 'http' to 'hxxp' in specific uncompressed .exe or .swf files with a hex editor.

---
Sean Harlow
sean@seanharlow.info

> The reason I ask is that we received a security alert with a link hxxp://pastebin.com/###.

hxxp has been around for a long time. It's a lame hack that was never widely accepted by browsers. The purpose was to have a clickable link that didn't send a referer. (i.e. copy-n-paste) There was a Firefox plugin for one-click handling.
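
The two defanging conventions discussed in this thread (the hxxp scheme and a space before the dot TLD), shown side by side as an added example that is not part of any message above. The two autolink patterns are simplified stand-ins for what a mail/IM client might do, the TLD list is a constructed short sample, and the URL is a constructed placeholder.

```python
import re

# Assumption: simplified autolink heuristics, not any real client's rules.
SCHEME_LINK = re.compile(r"\b(?:https?|ftp)://\S+", re.I)
# Assumption: constructed short TLD sample; real clients use longer lists.
BARE_HOST_LINK = re.compile(
    r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|info)\b(?:/\S*)?", re.I)

def would_autolink(text):
    """Return which heuristics would turn `text` into a clickable link."""
    hits = set()
    if SCHEME_LINK.search(text):
        hits.add("scheme")
    if BARE_HOST_LINK.search(text):
        hits.add("bare-host")
    return hits

def defang(url, break_tld=True):
    """http(s) -> hxxp(s); optionally put a space before the dot TLD."""
    m = re.match(r"(?i)^http(s?)://([^/\s]+)(.*)$", url)
    if not m:
        return url  # not an http(s) URL, leave untouched
    tls, host, rest = m.groups()
    if break_tld:
        head, dot, tld = host.rpartition(".")
        if dot:
            host = f"{head} .{tld}"
    return f"hxxp{tls.lower()}://{host}{rest}"

def refang(text):
    """Reverse defang() so an analyst tool can work with the real URL."""
    m = re.match(r"(?i)^hxxp(s?)://([^/]*)(.*)$", text)
    if not m:
        return text
    tls, host, rest = m.groups()
    return f"http{tls.lower()}://{host.replace(' .', '.')}{rest}"

if __name__ == "__main__":
    sample = "http://paste.example.com/abc123"  # constructed placeholder URL
    for label, value in [("original", sample),
                         ("hxxp only", defang(sample, break_tld=False)),
                         ("hxxp + space", defang(sample))]:
        print(f"{label:13} {value!r:40} autolinks via: "
              f"{sorted(would_autolink(value)) or 'nothing'}")
```
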

participants (4)
- Landon Stewart
- Matthew Black
- Ricky Beam
- Sean Harlow