Thursday, December 18, 2008

What you see is not where you go!

I know the title does not make any sense -- maybe it will after you read the post.

One of the common means of phishing is to take you to a malicious website when you think you are at the genuine website. The task is not so easy for the attacker to make you believe. A fundamental hole (genuinely useful in many cases) is that a HTML link can be named anything you want, while the URL can be anything.

eg., Google -- This link shows up as Google and takes you to when you click on it. A non-techy user who uses internet for banking etc., might believe that a 'ABC Bank Login' link will really take him there --- but there is absolutely no need. Unfortunately this simple tweak is seeming to be enough to succeed against a non-techy user. All that the attacker needs to do is to make sure that the malicious page looks the same as the original page.

Among the smarter people, the most popular way to check the link is to not go by the text, but by the URL the link is pointing to. All browsers have ways to find this out. The simple thing is to hover the mouse over the link and look at the status bar of the browser. Scripts can manipulate what is being shown in the status bar and so the other option is to see the properties of the link (right-click).

Unfortunately this does not help all the time. This is what even some techy users do not know. A hacker can show the URL of the genuine site until the user clicks on it, and then redirect him to the malicious site the moment he clicks the link (This reminds me of the click-hijacking vulnerability in the flash player -- Interested people can read further here).

Now look at the following example: This links reads Google and continues to show the URL of but when you click on it, it would take you to If you notice carefully the URL is changed on the fly when the mouse is clicked on the link. Not many users will notice that the URL is changing (if you think you always would notice, wait for a while and read further).

Google -- see the properties of the link and click on this link. see where you go!

[Update: This trick does not work on Google reader (possibly other readers too). So please visit my blog page if the link doesn't work for you. Thanks Senthil for pointing this out]

This is the dangerous part. It is quite difficult for us to notice these subtle things on hundreds of links that we click everyday. But being aware of these traps is very important. At least we would know how to be vigilant while accessing confidential and financial sites.

The other most effective way is to make sure your URL is correct on the address bar of the browser after you reach the site (yes, DNS spoofing will fool you here). Thankfully if the website is a https website (in most cases it is, where you need them), it is the best to make sure that the SSL certificate belongs to the website that you are pointing too.

Ok, now for those who thought they would always notice the link : Have you noticed that when you click on a link from the search results page in google, you are actually clicking on a link that takes you to and not directly to the website you want to reach? It is actually Google that redirects you to the actual website -- but we usually fail to notice this. Now that I told you it would be obvious this is how google's page ranking works! I'm surprised that google does this; I would rather feel safe to see the actual google's URL on the link given that the website's URL is anyway shown at the bottom of every site listed in the search results page.

So be vigilant, have a safe browsing -- because what you see is not where you go :)


  1. Google Reader strips off the onmouseover attribute of the a tag in the second "hijack" example.

    They probably do it to avoid executing code that could potentially hack into the reader itself.
    You might want to tell your blog readers using Google Reader that "what they see is not what they get" :)

  2. Thanks Senthil for finding this out. I use google reader, but I don't have my page added :) I've updated the post with a message about this.

    True, possibly they want to keep the google reader page from cross-site scripting.