Sniffing out Phishing

June 11, 2013

One simple check recommended to users to help spot phishing is the hover trick: hover the cursor over a link and confirm that the URL the browser shows in its status bar has the domain you expect. If it looks right, click away.

Consider the following HTML, which simply links to Wikipedia and Yahoo.

    <li><a href=""></a></li>
    <li><a href=""></a></li>

These links look innocent from the hover perspective. However, with a little JavaScript we can trivially bypass this (simple) user control: the status bar reflects the href as it is at hover time, while the handler below rewrites it only once the link is clicked.

        $('a').bind("click", function(){ $(this).attr('href', ''); });

When a user applies the hover method they will see the seemingly correct link in their browser's status bar.

However, on click the href is rewritten before the browser follows it, so both links are redirected to Google. The hover check cannot catch this, because the rewrite happens after the user has already looked. The same trick also works from a mousedown handler, which fires before click, so even a script that inspects the href inside a click handler would see the swapped value.
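The following self-contained page is an added example, not code from the original post. It reproduces the bypass with plain DOM APIs instead of jQuery, shows the mousedown variant as well as the click variant, and then adds the kind of check a user script or extension can make: remember the href the user actually hovered over and refuse to navigate if it has changed by the time the click reaches the window. The exact URLs and the `REDIRECT` destination are assumptions (the post names Wikipedia, Yahoo and Google but does not show its hrefs); Google stands in for whatever host a phisher would use.

```html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Hover-trick bypass demo (added example)</title>
</head>
<body>
<ul>
  <!-- Assumed URLs: the original post does not show its exact hrefs. -->
  <li><a id="wiki" href="https://en.wikipedia.org/">Wikipedia</a></li>
  <li><a id="yahoo" href="https://www.yahoo.com/">Yahoo</a></li>
</ul>

<script>
// ---- Attacker side ---------------------------------------------------
// Same idea as the post's jQuery one-liner, without jQuery. The status
// bar shows the href at hover time; the handlers replace it afterwards.
var REDIRECT = 'https://www.google.com/'; // assumed stand-in for a phishing host

// Variant 1: rewrite on click, which is what the post describes. The
// browser's default action (navigation) runs after the handler returns,
// so it follows the new href.
document.getElementById('wiki').addEventListener('click', function () {
  this.href = REDIRECT;
});

// Variant 2: rewrite on mousedown. mousedown fires before click, so any
// check performed inside a click handler already sees the swapped value.
document.getElementById('yahoo').addEventListener('mousedown', function () {
  this.href = REDIRECT;
});

// ---- Defender side ---------------------------------------------------
// What a user script or extension can do: record the href the user saw
// when the pointer entered the link, then compare it in a window-level
// bubbling click listener. Bubbling listeners on window run after the
// anchor's own handlers, so both variants above have already fired.
var hovered = new WeakMap();

document.addEventListener('mouseover', function (e) {
  var a = e.target.closest('a[href]');
  if (a && !hovered.has(a)) {
    hovered.set(a, a.href); // the value the status bar displayed
  }
});

window.addEventListener('click', function (e) {
  var a = e.target.closest('a[href]');
  if (!a) return;
  var shown = hovered.get(a);
  if (shown !== undefined && shown !== a.href) {
    e.preventDefault(); // dispatch is still in progress, so this blocks navigation
    alert('Link target changed after hover:\n  shown:  ' + shown +
          '\n  actual: ' + a.href);
  }
});
</script>
</body>
</html>
```

Open the page, hover either link, and click: the status bar shows the Wikipedia or Yahoo URL, but without the defender script the browser would go to `REDIRECT`. The check is deliberately placed in the bubbling phase; a capture-phase listener would run before the click-time rewrite and miss it. It is still only a demonstration of the idea: an anchor handler that calls `e.stopPropagation()`, or one that navigates with `location.href` instead of touching the href attribute, sidesteps it, which is why a real control belongs in the browser or an extension that inspects the actual navigation request rather than in page-level script.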