Phishers and fraudsters like to send their victims to a malicious site under their control. A popular practice is to disguise/hide the URL under simple text. Generally speaking, however, this can be detected by hovering the cursor over the disguised link without clicking it. The actual URL is then displayed in the browser status bar at the bottom of the screen.
In the example he gives, the text link reads: “This link should take you to PayPal.” If the reader hovers the cursor over the text, browsers other than Opera display ‘www.paypal.co.uk’ at the bottom of the screen. But clicking the link goes to a completely different URL – in this case a separate page on his blog announcing, “Boo! This could have been a phishing link.”
The potential for fraudulent use is clear. If the landing page had been a disguised PayPal log-in page, it could be used to harvest PayPal credentials. Hameed believes that the current extensive use of genuine redirects by vendors will further obscure the malicious intent. “Website visitors (and perhaps most tech-savvy people) can and will presume where they end up could just be a genuine redirection from, in this case, PayPal. Last year, PayPal redirected their UK homepage to paypal-business.co.uk for months. My assumption is website visitors have grown accustomed to redirections, and if this flaw acts as such, it can pose a real threat.”
Hameed has reported the problem to the leading browsers, but has not yet heard back. His suggestion is that browsers should “warn users if the location of a link changes to a different domain after they click on it.”
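The warning Hameed proposes can be approximated in the page itself. The following is an added example, not code from the article or from Hameed's demonstration: it records each link's `href` when the cursor hovers over it and compares the host at click time, prompting the user if the host has changed. The blog URL and the base URL used for relative links are constructed for the example.

```javascript
// Added example: detect a link whose destination host at click time differs
// from the host the user saw on hover. The comparison logic is kept separate
// from the DOM hook so it can also run outside a browser.

// Hostname of an href. Relative hrefs resolve against an assumed base
// (constructed for this example); unparsable hrefs yield null.
function hostOf(href, base = "https://example.invalid/") {
  try {
    return new URL(href, base).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Compare the href seen on hover with the href present when the click fires.
function linkVerdict(hoverHref, clickHref) {
  const before = hostOf(hoverHref);
  const after = hostOf(clickHref);
  return { before, after, changed: before !== after };
}

// Browser-only part, guarded so the pure functions above still load under Node.
if (typeof document !== "undefined") {
  const seen = new WeakMap(); // anchor element -> href shown on hover

  document.addEventListener("mouseover", (ev) => {
    const a = ev.target.closest ? ev.target.closest("a[href]") : null;
    if (a) seen.set(a, a.getAttribute("href"));
  }, true);

  // Bubble-phase listener on window: it runs after the anchor's own click
  // handlers (which is where an href swap may happen) but before navigation,
  // so preventDefault() still cancels the navigation. A page that stops
  // propagation in its own handler would evade this check.
  window.addEventListener("click", (ev) => {
    const a = ev.target.closest ? ev.target.closest("a[href]") : null;
    if (!a || !seen.has(a)) return;
    const v = linkVerdict(seen.get(a), a.getAttribute("href"));
    if (v.changed && !confirm(
      `This link now points to ${v.after} (it showed ${v.before}). Continue?`)) {
      ev.preventDefault();
    }
  }, false);
}
```

Run as a user script or extension content script; only the pure `linkVerdict` logic is exercised outside a browser.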