June 11, 2013

Sniffing out Phishing

One simple method recommended to users to help detect phishing is to use the hover trick, where a user hovers their cursor over a link to check their browser displays the domain they are expecting - if the link appears to be correct, click away.

Consider the following html which simply links to Wikipedia and Yahoo.

<ul>
    <li><a href="http://www.wikipedia.org/">www.wikipedia.org</a></li>
    <li><a href="http://www.yahoo.com/">www.yahoo.com</a></li>
</ul>

These links look innocent from the hover perspective - however if we add some javascript, we can trivially bypass this (simple) user control:

$(document).ready(function(){
        $('a').bind("click", function(){ $(this).attr('href', 'http://google.com/'); });
});

When a user applies the hover method they will see the following (seemingly correct) link in their browser:

/assets/images/wiki.jpg

However, on a click event links are be redirected to Google.