Phishers can disguise their links with JavaScript

Phishers and fraudsters like to send their victims to a malicious site under their control. A popular practice is to disguise/hide the URL under simple text. Generally speaking, however, this can be detected by hovering the cursor over the disguised link without clicking it. The actual URL is then displayed in the browser status bar at the bottom of the screen.

But Manchester UK-based Bilawal Hameed, who describes himself as a 19-year-old ‘developer and serial entrepreneur’, has blogged on a JavaScript method to defeat the status bar check. In just 100 characters of code (which can be condensed to 67) Hameed demonstrates an on-click event that diverts the user to a different URL after the false link is displayed in the status bar.

In the example he gives, the text link reads: “This link should take you to PayPal.” If the reader hovers the cursor over the text, browsers other than Opera display ‘www.paypal.co.uk’ at the bottom of the screen. But clicking the link goes to a completely different URL – in this case a separate page on his blog announcing, “Boo! This could have been a phishing link.”

The potential for fraudulent use is clear. If the landing page had been a disguised PayPal log-in page it could be used to harvest PayPal credentials. Hameed believes that the current extensive use of genuine redirects by vendors will further obfuscate the malicious intent. “Website visitors (and perhaps most tech-savvy people) can and will presume where they end up could just be a genuine redirection from, in this case, PayPal. Last year, PayPal redirected their UK homepage to paypal-business.co.uk for months. My assumption is website visitors have grown accustomed to redirections, and if this flaw acts as such, it can pose a real threat.”

The danger, he believes, lies in the ease with which this method can be used. “Any half-decent hacker can make a computer virus or embeddable JavaScript code that can inject this code alongside another piece of software.” As a result, he fears that anti-phishing services such as “McAfeeSecure and PhishTank won't be able to keep up with phishing websites up to the second.”

Hameed has reported the problem to the leading browsers, but has not yet heard back. His suggestion is that browsers should “warn users if the location of a link changes to a different domain after they click on it.”
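A page-side approximation of the warning Hameed proposes, written here as an added example (not code from the article or from Hameed's post): it remembers the URL each link showed while hovered and warns if the link resolves to a different host at click time. The base URL `https://example.test/page` and the hostnames in the comments are constructed placeholders.

```javascript
// Added example, not code from the article or from Hameed's post.
// Pure comparison logic, kept separate so it runs under Node as well as in a browser.
// hoverHref: the href the status bar showed on hover; clickHref: the href at click time.
// base: constructed document URL (assumption) used to resolve relative links.
function checkLinkSwap(hoverHref, clickHref, base = "https://example.test/page") {
  const hover = new URL(hoverHref, base);
  const click = new URL(clickHref, base);
  return {
    changed: hover.href !== click.href,          // any difference at all
    hostChanged: hover.hostname !== click.hostname, // the case worth warning about
    from: hover.hostname,
    to: click.hostname,
  };
}

// Browser wiring, guarded so the file also loads under Node.
if (typeof document !== "undefined") {
  // Remember the resolved href of each anchor while the cursor is over it,
  // i.e. what the browser status bar displayed.
  const shown = new WeakMap();
  document.addEventListener("mouseover", (ev) => {
    const a = ev.target.closest && ev.target.closest("a[href]");
    if (a) shown.set(a, a.href);
  }, true);

  // A bubble-phase click listener on window runs after the anchor's own onclick
  // handler (where a href swap would happen) but before the browser navigates.
  window.addEventListener("click", (ev) => {
    const a = ev.target.closest && ev.target.closest("a[href]");
    if (!a || !shown.has(a)) return;
    const verdict = checkLinkSwap(shown.get(a), a.href, document.baseURI);
    if (verdict.hostChanged) {
      ev.preventDefault();
      const follow = confirm(
        `This link showed ${verdict.from} but now points to ${verdict.to}. Follow it anyway?`
      );
      if (follow) location.assign(a.href);
    }
  });
  // Caveat: a handler that calls stopPropagation() or navigates via location itself
  // is not observed here; that case needs the browser-level warning Hameed asks for.
}
```

The page-script approach only sees swaps that change the anchor's href and let the click event bubble, which is why Hameed's request is aimed at browser vendors rather than site owners.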
