Phishers Hide Real Links with Javascript

Wednesday, March 27, 2013 @ 03:03 PM gHale

One of the usual pieces of advice to users is when they have a question about a possible malicious link, just hover the cursor over the link and check the browser status bar. When you do that, the actual destination should display. That is until now thanks to Javascript.

When phishers and fraudsters send their victims to a malicious site under their control, a popular practice is to disguise or hide the URL under simple text. The problem is it is possible to detect it by hovering the cursor over the disguised link without clicking it. The actual URL then ends up displayed in the browser status bar at the bottom of the screen.

APT Attacks Shut Down
Cyber Attack Against S. Korea
China a Cyber Attack Victim
New Plan to Secure Trade Secrets

But Manchester UK-based Bilawal Hameed, a 19-year old “developer and serial entrepreneur” wrote about a Javascript method to defeat the status bar check. In just 100 characters of code (which can cut down to 67) Hameed can divert the user to a different URL after the false link displays in the status bar.

In one example, the text link reads: “This link should take you to PayPal.” If the reader hovers the cursor over the text, browsers other than Opera display ‘’ at the bottom of the screen. But clicking the link goes to a completely different URL – in this case a separate page on his blog announcing, “Boo! This could have been a phishing link.”

There is great potential for fraudulent use. If the landing page had been a disguised Paypal log-in page it could end up harvesting paypal credentials. Hameed said the current extensive use of genuine redirects by vendors will further obfuscate the malicious intent.

“Website visitors (and perhaps most tech-savvy people) can and will presume where they end up could just be a genuine redirection from, in this case, PayPal. Last year, PayPal redirected their UK homepage to for months. My assumption is website visitors have grown accustomed to redirections, and if this flaw acts as such, it can pose a real threat.”

The danger lies in the ease with which this method works, he said. “Any half-decent hacker can make a computer virus or embeddable JavaScript code that can inject this code alongside another piece of software.” As a result phishing tools such as “McAfeeSecure and PhishTank won’t be able to keep up with phishing websites up to the second.”

Hameed has reported the problem to the leading browsers, but has not yet heard back. His suggestion is that browsers should “warn users if the location of a link changes to a different domain after they click on it.”

Leave a Reply

You must be logged in to post a comment.