What's in a (Domain) Name?

I received an interesting SMS on my personal mobile, and I thought I would run through a short post about understanding internet URLs, and recognizing a fairly straightforward fraudulent URL.

This is the message I received:

Whether or not I have an account with Commonwealth Bank is not the issue here, but the way text messages get wrapped around by our phone screens can be quite misleading, and for someone receiving this text who does bank with them, it might be quite tempting to follow such a link.  However, if I were to type this URL into my computer notepad, the actual URL becomes a little clearer:
http://my.netbank.commbank.com.au-rl.com/asp/?phone=614xxxxxxxx.

What originally looked like a my.netbank.commbank.com.au URL, now becomes my.netbank.commbank.com.au-rl.com.
 
But what if I don’t recognize this as a malicious domain name?
 
There are a number of ways to check online whether a URL is genuine, and many antivirus software providers offer free services to check URLs.  Take for instance, Trend Micro:

https://global.sitesafety.trendmicro.com

The first thing I want to point out here it the difference in the internet protocol being used between the SMS we received and Trend Micro’s website; the link in the SMS uses http, whereas Trend Micro uses https.  HTTP, by definition, is an insecure method of communication where all data transferred is sent in plain text.  In contrast, HTTPS uses “Secure” HTTP, an encrypted method of HTTP communication, whereby all data is transferred between the local browser and the web server in cipher text, reducing the probability of data being easily read and understood.  Look here for further information about HTTP vs HTTPS.

Banks should all now be using HTTPS on their external websites, and if you find that yours is only using HTTP, my first recommendation to you is to change banks now!

If we paste that URL into the Trend Micro “Is it safe?” text box and click “CHECK NOW”, we receive the following:

How did I know it was dangerous, even before checking?  To allow it to be at least minimally understandable, the Internet Domain Naming System (DNS) is broken down into different hierarchies.  Suffixes, like .au, .com, or .net, are the highest level domain, and any text that comes after the highest level domain must be separated by a forward-slash (or colon).  In this case, the “/” comes between “.com” and “asp”.  This then, marks the boundary between the internet domain name and data held on the web server hosting the page.

Domain hierarchies are built from the end, backwards, and each period “.” denotes a lower level domain, or subdomain.  So, in this case, progressively building up we get the following domain/subdomains:
.com
au-rl.com
com.au-rl.com
commbank.com.au-rl.com
netbank.commbank.com.au-rl.com
my.netbank.commbank.com.au-rl.com
 
We can see by doing it this way that the domain the SMS is trying to direct us to is not actually commbank.com.au, but instead au-rl.com.  Humans tend to read from left to right (at least, in Latin and Germanic based language cultures), whereas computers traditionally read from the right (think binary: 0101 = 3, not 10), which puts the typical user at a disadvantage when trying to parse URLs…

Anyway, if you have any doubt whatsoever, don’t click the link, but instead browse directly to your bank website using a link you trust.  Also, it may not have been obvious from the image above, but the SMS I was sent showed up on my phone as having come from myself!  And no, I didn’t actually send it to myself, not even for the purposes of creating this post :)