Zyra International NET //// Zyra's front page UK //// How to Read a URL //// Cahoot //// Bank Scams and Hoaxes //// Site Index

How to Read a URL

Subsequent to the page entitled "How to Read a URL" (how to read a web address), here's a more advanced example to illustrate the point. The following message is a fairly commonplace Bank Hoax message, and it is nothing particularly unusual in pretending to be from Cahoot, having some silly security warning, and then trying to lure you into clicking on a bogus link, which of course Does Not go to the bank! What's interesting about this message is the level of obfuscation of the link, which I'll explain after the message...

----- Original Message -----
[your address here]
Sent: Saturday, February 07, 2009 9:39 AM
Subject: important instructions

Dear cahoot customer,

You have received this alerting message, as you are listed to be an cahoot online banking user.

We would like to inform you that we are currently carrying out scheduled maintenance of banking software, that operates customer database for cahoot online banking users. Customer database is based on a client-server protocol, so, in order to finish the update procedure, we need customer direct participation. Every cahoot online banking customer has to complete a cahoot customer form. In order to access the form, please use the link below. The link is unique for each account holder and expires within a certain period of time. If you don't fill in cahoot customer form before your unique link expires, the system will automatically send you a new notification message.


Thank you for your cooperation. We apologize for any inconvenience brought.

cahoot is a division of Abbey National plc.

Incidentally, you can see where these links go without even clicking on them. If you hover your mouse over the link, the link destination appears at the bottom of the screen. The address shown is the URL. I'll explain how you can read a web address, but first a bit about the scam message...

It's not a particularly good phishing message, and no more convincing that other bank emails, but what makes this interesting is the address. Of course I have carefully stuffed and mounted the email, so the item you see on this page is NOT the dangerous thing you might receive in spam. In particular, I have made safe the link. Now as an experiment, hover your mouse over that link in the message. What do you see? Notice the address (usually flashing at the bottom of the page) which says where the link really goes (you may need to do right-click and "properties"). See, the web address which was in blue on the screen and looked like it went to http://ibank.cahoot.com/servlet-session-3416786/com.aquarius.security.authentication.servlet.LoginEntryServlet?id=28180598187262522449057736241337128226795768303400061632290596839638 now goes to www.zyra.org.uk/bankhoax.htm because I have made it safe. However, in the original message, it went to http://ibank.cahoot.com.servlet-session-3416786.id-01.eu/com.aquarius.security.authentication.servlet.LoginEntryServlet?id=28180598187262522449057736241337128226795768303400061632290596839638 which of course is different. The first thing to realise is that links don't always go to where they say. The second thing is: HOW TO READ A LINK. Now let's try this with the above link. Firstly, ignore the fact it's got "ibank.cahoot.com" in it, because that's not how computers read things. To see where it really goes, start with http:// and then follow along the address link... after cahoot.com it's got a dot, so keep following because that's not the end of the link... oot.com.servlet-3416786 ... keep going ... vlet-3416786.id-01.eu/ STOP! That "/" character marks the end of the DOMAIN part of the link. (Yes I know some people call it a forward-slash, but really it's just a slash, or a stroke). Now having found the end of the domain, you can now follow back and determine what the domain really is. It is in fact id-01.eu , so if it was a website it would be www.id-01.eu and if it was an e-mail it would be something@id-01.eu , but let's not go there. If you want to try to complain to their ISP or Hosting Company that's up to you. The point is, it's NOT CAHOOT, and you can see that because you can now read a URL!

Show other people this page! If more people could read web addresses, these ridiculous bank hoaxes and scams would work even less well than they do at present, and bank fraud would be considerably reduced. It must be a menace for the banks who have to cope with this kind of thing.

The more people that know about this, the better we'll all be at defeating these viruses and scams! You can recommend this page on DIGG if you like! Or other places. You are welcome to link to this page from other sites. Also see the page How to read a web address