Tech question about phishing URLs

I received a phish email, and by hovering over the clickable button I see an address beginning with the root URL “<name>.i”. I open another window and type just this URL in the address bar. It takes me to the home page of a legitimate (and completely unrelated) business.

Is there any point in forwarding the phish email to this company? Does the use of their URL mean the phisher is someone in the company, or can anyone just include a company’s URL within their own address?

If it helps, the clickable phish address had a long string following the root URL along the lines of: /lang.php?key=z%2B… *then the long string of numbers and letters ending in* %3D.

Just to be clear, I did not open the email (I used preview) and I know not to actually click anything in a phish email.

That, or someone who has gained access to their domain and/or webspace.

The % stuff is “percent encoding” of additional parts of the URL. It’s legitimately used to encode spaces in file names so that they can be passed into URLs, but it can encode any character.

What you had might have been a URL to a completely different site, and the right-hand part of it was encoded to hide it.

If only some parts after the top-level domain name were encoded, there might be a piece of malware in the company’s site taking requests for these specific addresses and forwarding them to the phisher’s site. The part after a ? in a URL is parameters: basically extra instructions for some script or other.

Can you PM me the complete URL?

Phishing addresses often have legitimate-looking components in them, but with a bogus root URL making the rest of the string essentially meaningless - e.g., “www,urscrewd.it/www.fedex.com/tracking/yourpackage/somenumberstringhere” [deliberately busted string there] - wrap all that in a FedEx package tracking email and many users won’t notice the bogus part of the string.

But if you’ve legitimately stripped it down to the root URL and it comes up at a legit company… the only thing I can think of is that they’re one step ahead of you and are redirecting root inquiries to that plausible destination.

Do a WHOIS on the root domain. You may have to try several providers and dig to get past registration redirects etc.

Sunspace, I sent you the complete URL.

Amateur Barbarian: This is an Italian condominium management company. When I looked up the root domain on WHOIS, a person’s name was listed as registrant and as organization.

The company, root URL and owner’s name all look legitimate as far as I can tell.

Thanks for the PM!

The whole URL string is

http://studiodavid.it/lang.php?key=z%2B31ZY0v3F5Y6jCnhdrSNXMOmDZGCZbdNjWIAfOxXx0%3D

I just ran it through URL Encode and Decode, and there are only two characters that were actually encoded, %2B which is a plus sign, and %3D which is an equals sign. Less obvious than I had hoped.

This LOOKS like a script called “lang” is running on the Studio David server, which takes the value provided after “key=” and does something. However, the web server could be configured to check every request to the Studio David site, and redirect the phishing ones elsewhere to display a different page, and Studio David would know nothing about it. Lots of different ways to do it…

This would require access to Studio David’s hosting account, deliberate or unwitting. (ISTR reading of malware on web servers…)

And another thought… the script called lang could be running there legitimately, but it could be badly-constructed so that handing it that specific key would cause it to do something Bad…

Thank you, Sunspace.

So would it do any good to forward the phish mail to Studio David, in case the server is being used without his knowledge?

I hate phishers and scammers. Any time I can cause them trouble, I will - even if it’s only one out of a billion.

Might not be a bad idea.

The result of the URL decode is a base64 encoded string. Decoding that returns a load of non-printable hex. Base64 is often used to encode a string that has been encrypted.

I’ll second Sunspace’s suggestion that it could be a legitimate script that’s being misused. I can very easily imagine a language selection script being abused by creating a bogus language page that redirects to a malware page.

And absolutely inform the site administrator if you think his/her site is being used for phishing. How else will he know his site’s been hacked?
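The two checks the thread walks through by hand, Amateur Barbarian's "look only at the root domain, not the brand names further along the string" and Sunspace's / the later poster's percent-decode then base64-decode of the `key` parameter, can be put into a small triage script. This is an added example, not code from the thread or from Studio David's site. `THREAD_URL` is the URL Sunspace posted above; `LOOKALIKE_URL` is a constructed sample under the reserved `.example` TLD illustrating the bogus-root pattern (it is not a real site); the brand-in-path regex and the entropy measure are rough heuristics of my own, not anything the thread describes.

```python
"""Triage helpers for a suspicious link: real host vs. brand text in the path,
then percent-decode and base64-decode the query parameters.
Added example; not code from the thread."""
import base64
import binascii
import math
import re
from collections import Counter
from urllib.parse import urlsplit, unquote

# The URL Sunspace posted in the thread.
THREAD_URL = "http://studiodavid.it/lang.php?key=z%2B31ZY0v3F5Y6jCnhdrSNXMOmDZGCZbdNjWIAfOxXx0%3D"

# Constructed sample of the "bogus root, legit-looking path" pattern Amateur
# Barbarian describes. Hypothetical hostname under the reserved .example TLD.
LOOKALIKE_URL = "http://urscrewd.example/www.fedex.com/tracking/yourpackage/1234567890"

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Heuristic: something shaped like www.brand.tld (two or more dots) sitting in the
# path. Deliberately strict enough not to flag ordinary file names like lang.php.
DOMAIN_IN_PATH_RE = re.compile(r"(?:[a-z0-9-]+\.){2,}[a-z]{2,}", re.IGNORECASE)


def real_host(url):
    """The host the browser will actually contact: the part between the scheme
    and the first '/'. Anything domain-like after that slash is just path text."""
    return urlsplit(url).hostname or ""


def brand_strings_in_path(url):
    """Domain-looking tokens embedded in the path (e.g. 'www.fedex.com' after the real host)."""
    return DOMAIN_IN_PATH_RE.findall(urlsplit(url).path)


def query_params(url):
    """Split the query string without decoding, so the raw encoded value is kept."""
    params = {}
    for pair in urlsplit(url).query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[unquote(key)] = value
    return params


def shannon_entropy(data):
    """Bits per byte; 32 random-looking bytes score far above readable text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def decode_param(raw_value):
    """Percent-decode ('%2B' -> '+', '%3D' -> '='), then try base64 and
    characterise the result: length, printability, entropy."""
    decoded = unquote(raw_value)
    info = {"percent_decoded": decoded, "base64": False}
    if BASE64_RE.match(decoded) and len(decoded) % 4 == 0:
        try:
            payload = base64.b64decode(decoded, validate=True)
        except binascii.Error:
            return info
        info.update(
            base64=True,
            raw_len=len(payload),
            hex=payload.hex(),
            printable=all(32 <= b < 127 for b in payload),
            entropy=round(shannon_entropy(payload), 2),
        )
    return info


def triage(url):
    """One-shot summary of a link: who is really contacted, what brand text is
    decorating the path, and what the parameters decode to."""
    return {
        "host": real_host(url),
        "brands_in_path": brand_strings_in_path(url),
        "params": {k: decode_param(v) for k, v in query_params(url).items()},
    }


if __name__ == "__main__":
    for url in (THREAD_URL, LOOKALIKE_URL):
        print(url)
        print(triage(url))
```

For the thread's URL this reports the host as `studiodavid.it`, a single `key` parameter whose only percent-encoded characters are the `+` and the trailing `=`, and a base64 payload of exactly 32 bytes that is not printable ASCII, which is consistent with a fixed-size encrypted or hashed blob rather than readable text. For the constructed lookalike it reports the host as `urscrewd.example` while flagging `www.fedex.com` as mere path decoration.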

Yes, I plan to today. I’m trying to come up with a subject line that will get serious attention. I’m also considering whether to use English or “broken” Italian via Google translator.

Write such things in clear, un-idiomatic English. Short declarative sentences with simple tenses.

Provide a Google translation below, clearly marked as such, “for their convenience.”

I’ve had very positive results with this approach, even when it turns out the correspondent has good written English skills.

Subject: Urgent - site manager / [translation here]

I used the subject line you suggested, and sent this email. Under each line I inserted the Google translation into Italian.

*I received this email.*

*Your server might have been hacked.*

*The clickable button contains this code: (I pasted the entire code)*

*I thought you should know.*

*Please excuse my Italian - I used Google translator for your convenience.*

*(Followed by the complete phish email I received, forwarded inline)*

Thank you all for your responses. I feel much better having done something.

From a machine that is going to be wiped I went to the URL. It tried to download a zip file called USPS_Label_US_ and the rest of the name had my town and zip code.

Opening it with 7-zip for viewing gave me a file called USPS_Label_US_Toms_River_08753.exe

Malwarebytes didn’t show anything.

Since you’re wiping the machine, can you run the program?

I’m curious to know if they were going to ask for more info, or just register that they had a valid email address.

I’d rather not, for fear of it attacking other systems on my network at home. I did run it through VirusTotal and only McAfee says there is something suspicious. VirusTotal does show the app trying to open port 123 to 64.4.10.33.

Update. I just tried to go to the URL from my MacBook Pro and it gives me a 404.

I just tried and had no problem. Maybe they took the site down temporarily to clean it up?

I haven’t received a reply to my email, but I didn’t really expect to.