
How do hackers/scammers know that I clicked a link? Why is my personal info in the url redirect link? Is this info then being stored in a database and the hacker/scammer knows that because this specific link was clicked it must have been me?

I received a dodgy email with a link and was curious. So I activated my VPN and checked the link first on VirusTotal and dr web. I found out that the link redirected several times to different websites.

I have changed the link numbers and letters but the domain is how I received it as you see below.

The original link sent to me looked like:

http://gallery.divinerosestore.com/SOME_LETTERS_AND_NUMBERS

What freaked me out was that the second redirect URL contained my email address in the link. It was in a weird format, separated by commas (,). The link below is not real but follows the same format:

hdating.us/?s=77auyfdgaukgfdsukg&ed=icl&i=admin77,83907,MY_EMAIL_ADDRESS@service.com,&ts=489234987459

How I imagine this works is that this information of my email address is being passed on to user "admin77" stored in his database/textfile whatever and he knows that I have clicked his link and he now knows I am susceptible to clicking links and a future target?

I would like to inform myself more about cybersecurity and find out more about the details.

peterh
  • There are lots of ways for someone to accomplish this. – schroeder Aug 17 '19 at 13:28
  • Follow-up question if anyone is still reading this: how would I go about spamming this spammer's server if he is looking at which HTTP GET requests his server is receiving? Could I write a Python program executed from a different IP address through a VPN which spams his server with fake information, fake URLs and weird email addresses in order to break his list? I know it's not worth it, but as a theoretical question/concept. I saw this guy on YouTube called "engineer man" who spammed a spammer by writing a Python script to send fake email and password logins to a phishing site he was sent. – BetweenBeltSizes95 Aug 20 '19 at 12:31
  • Please do not post new questions in comments. You have proposed something that won't work according to the answers below. The example you provided only works if there is a login page to poison. Short answer is that you can script anything to hit the server. – schroeder Aug 20 '19 at 12:34

2 Answers

By clicking on links inside an email you're actually doing an HTTP GET request. Probably, before sending this phishing mail to you, they (those who create phishing sites) automatically added some identifier to that link to be able to check later who got an email and who clicked on that link, when, from which IP and from which browser, etc. So they can identify you.

This phishing link might not even contain your email (!). It only has to be a unique identifier through which they can associate you with your email. So they have a database with at least two columns: <email> and <uniqueToken>. So the phishing link might contain that token. Or it might be "obfuscated" with base64 or something else.

E.g. googlemail blocks images unless you actively enable them. My university does it too. If you are using an email service that doesn't do that, then your browser will happily load images embedded in your email (one can send HTML code inside a mail). But the image might be of the form host/image.png?mail=your@mail.com or host/someToken.png or just host/2384622378429349 - it can be just a 1x1 pixel image. So they might already receive some information that you opened their phishing mail at xxxx o'clock even if you didn't click any links (!). Now if you click some links (or your browser loads images from that mail), you share your IP, the links might contain your email, and they can also fingerprint your browser, read headers and do some other nasty things with your browser.

Since you're visiting some untrusted websites, they can use your browser as a JS proxy (a short-lived one) and do nasty things with that ;), execute exploits (CVE or not ;)), try to force you to install some junk extensions or crash your browser (that is imho useless, but might exist just for trolling) or mine some cryptocoins. So tracking and leaking your IP and email address and the fact that you clicked that link is the least of your problems. They will now know that you're willing to click random phishing links and maybe will send you more. Who knows.

Don't click strange links, use a VPN, use e.g. NoScript or uMatrix (this is annoying, but it will block JS and prevent basic XSS and other attacks) and an anti-WebGL-fingerprinting extension, etc., and use an up-to-date browser and software. Install updates (update systems might still be compromised) and read about that stuff in cyber security blogs. My favorites are: https://www.schneier.com/ and https://elie.net/blog/ where the latter often publishes papers about exactly that topic - phishing, malware and co.

Here are some (non-phishing ;)) links that might be interesting for you:

Awaaaaarghhh
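Both answers describe the same mechanism: a per-recipient identifier (an email address in clear text, a comma-joined field, a base64 or opaque token, or a tracking-pixel URL) riding in the query string. As an added example, not code from either answer, here is a small Python helper that pulls a suspicious link apart offline, so its fields can be examined without ever loading it; the sample URLs are constructed to mirror the shapes in the question (hdating.us is the asker's placeholder, tracker.example is mine).

```python
"""Offline triage of a suspicious link: which query fields carry per-recipient data?
Added example, not code from the original post; the sample URLs below are constructed
to mirror the shapes described in the thread and are not real captures."""
import base64
import binascii
import re
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def try_base64(value: str) -> Optional[str]:
    """Decode value as URL-safe base64 if the result is printable ASCII, else None."""
    padded = value + "=" * (-len(value) % 4)
    try:
        raw = base64.urlsafe_b64decode(padded)
    except (binascii.Error, ValueError):
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None

def triage_link(url: str) -> dict:
    """Bucket each query field as email (PII), long number (timestamp), opaque token or plain."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    out = {"host": parts.hostname, "emails": [], "timestamps": [],
           "tokens": [], "decoded": {}, "plain": []}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # Fields like "admin77,83907,EMAIL," are comma-joined; inspect each piece.
        for field in filter(None, value.split(",")):
            if EMAIL_RE.fullmatch(field):
                out["emails"].append(field)
            elif field.isdigit() and len(field) >= 10:
                out["timestamps"].append((key, field))
            elif len(field) >= 16 and field.isalnum():
                out["tokens"].append((key, field))
                decoded = try_base64(field)  # an "opaque" token may just be an encoded email
                if decoded and EMAIL_RE.search(decoded):
                    out["decoded"][field] = decoded
            else:
                out["plain"].append((key, field))
    return out

if __name__ == "__main__":
    # Constructed samples: the question's redirect shape and a tracking-pixel URL.
    for sample in ("hdating.us/?s=77auyfdgaukgfdsukg&ed=icl&i=admin77,83907,MY_EMAIL_ADDRESS@service.com,&ts=489234987459",
                   "http://tracker.example/open.png?u=dmljdGltQGV4YW1wbGUub3Jn"):
        print(triage_link(sample))
```

The heuristics are deliberately simple (16+ alphanumeric characters counts as a token, 10+ digits as a timestamp); the point is to see what a link would reveal about the recipient before it is opened.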

Remember that crime is now commoditised and supported by a large framework of services. Any single email you receive might be part of a dozen different criminal services.

So, what is happening exactly here is not going to be known without access to the services used. We can only speculate.

The first hop is the easiest to guess. SOME_LETTERS_AND_NUMBERS is likely some sort of UUID that is an index to the email campaign, the service, your email, the date, and any other metadata useful to the phishing service. The relevant metadata is passed on to another service. By using the link, you register with the service that you interacted with it, even if you did not click it from your email client or computer.

That is what the admin77 could reference. This could be the username of the customer of the phishing service or the link processing service. Or anything else, really.

Why embed all this stuff in a URL? Ease and convenience. No need to use POST data or API calls, when you can just use URL parameters.

schroeder