#1
Security question for website tech-gurus

Can any e-commerce tech-guru out there tell me about this: is it possible for a fake (phishing) website to display in the address line of common browsers some other site's URL in the initial position after http:// (or https://)? E.g. say the standard log-in page of an e-commerce site named AAABBBCCCDDD Co. Limited (purely hypothetical name here) were http://www.aaabbbcccddd.com and it is displayed as such in the address line of the browser. Now some impersonator site trying to mine IDs and passwords presents itself with a page that looks almost exactly like that one. Is it possible for such a site also to display in the address line a URL of http://www.aaabbbcccddd.com (or extensions such as http://www.aaabbbcccddd.com/eng/entry/11diary.htm), or is it a technical impossibility?

Does it make any difference to the above if it's a "secure" SSL site (https://) instead?

I'm talking about a real address line, not an image, so the user can access it, highlight it, click on it, use it to reload a webpage the normal way, etc.

Many thanks

P.S. Info being sought is in the noble effort towards thwarting impersonation (not the opposite, in case you were wondering!)
|
#2

In short, yes.
|
#3

The common technique is to replace the i with an l, or the o with an a, and certain other similar letters. It is trivial to get an SSL certificate for that domain.
|
#4

Does that mean close matches to others' URLs may be possible but not an exact match in the manner I mentioned? So a vigilant viewer (helped by a clean URL name) cannot easily be fooled, is it?

Interestingly, the URL for logging in to one's Amex HK card account reads as "https://www99.americanexpress.com/myca/ etc etc.........." - should that 99 raise a red flag for an alert user? The SSL cert is also issued to www99.americanexpress.com, though drilling down further it does reveal American Express Bank LTD, Phoenix, Arizona. Now, is this 99 considered in e-commerce circles as good practice? By contrast, Citi's log-in page is https://citibank.com.hk/portal.......etc etc - certainly no ambiguity here for the user. Is this considered a better practice?

Thanks, anyone who can help.
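As an added example (not from any poster in this thread), the following Python check applies the two points above from a defender's side: a look-alike domain built by swapping letters (post #3) is flagged, while a host such as www99.<brand> is only a subdomain of the genuine registrable domain (post #4) and is accepted. The trusted domains, the short public-suffix set and the confusable table are constructed assumptions for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed sample data (hypothetical names, as in the thread): the
# registrable domains a user actually trusts.
TRUSTED = {"aaabbbcccddd.com", "citibank.com.hk"}
# Assumption: a hand-written set of two-label public suffixes; a real
# tool would consult the Public Suffix List.
TWO_LABEL_SUFFIXES = {"com.hk", "co.uk", "com.au"}
# Visually confusable sequences folded to one canonical form, so that an
# "l" for "i", "rn" for "m" or "0" for "o" swap compares equal.
SKELETON = [("rn", "m"), ("vv", "w"), ("1", "i"), ("l", "i"), ("0", "o")]


def registrable_domain(host: str) -> str:
    """Strip subdomains (www, www99, ...) down to the registrant-controlled part."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def skeleton(name: str) -> str:
    """Canonical form used to compare confusable spellings."""
    for src, dst in SKELETON:
        name = name.replace(src, dst)
    return name

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch one-character typosquats (o -> a)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url: str, trusted=TRUSTED) -> str:
    """'trusted': host under a trusted domain (www99.<brand> is fine);
    'lookalike': brand embedded in another domain, confusable spelling, or
    one edit from a trusted domain; 'unknown': anything else."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in trusted:
        return "trusted"
    if any(t in host for t in trusted):
        return "lookalike"
    for t in trusted:
        if skeleton(reg) == skeleton(t) or edit_distance(reg, t) == 1:
            return "lookalike"
    return "unknown"
```

Only the registrable domain decides trust; a subdomain prefix like www99 changes nothing, whereas a one-letter change or the brand name embedded inside another domain is what a phishing page would rely on.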