HTML <a> href Tag Raped Via JavaScript: Can Be Spoofed
[quote]A short while ago, I discovered that JavaScript allows you to change the <a> href after you click on it. It may not seem that serious at first glance, but rest assured, it can trick customers into giving in their details to fraudsters.[/quote]
Basically, this means you have to be extra careful, as the link shown in your status bar or wherever when you hover a link is no longer necessarily correct. The only protection against it seems to be either running Opera or disabling JavaScript.
[IMG]http://i.imgur.com/ju1te85.png[/IMG]
See, it says it links to the UK PayPal site.
If you click it however, it takes you here: [url]http://bilaw.al/projects/a/phishing.html[/url]
[url]http://bilaw.al/2013/03/17/hacking-the-a-tag-in-100-characters.html[/url]
I know the source isn't a news site, but only because I can't seem to find a site that's covered it.
I'm guessing NoScript can prevent against this?
Google has been doing this on their search results for years
This is not news.
Google's search results appear to go straight to the website but they go through a Google redirect service.
[editline]19th March 2013[/editline]
using this method, that is
The article is also written by someone who has absolutely no idea what they're talking about
This isn't really something new, either.
[QUOTE=Dlaor-guy;39969070]I'm guessing NoScript can prevent against this?[/QUOTE]
You have to get a fraudulent page in the first place and emails can't use JS. If you actually do manage to get to a page doing this, looking at the address bar after clicking a link should give it away.
[QUOTE=TehWhale;39969086]Google's search results appear to go straight to the website but they go through a Google redirect service.
[editline]19th March 2013[/editline]
using this method, that is[/QUOTE]
What does that change? Just curious.
It allows Google to log who and what clicks links to better their search results.
[QUOTE=TehWhale;39969494]It allows Google to log who and what clicks links to better their search results.[/QUOTE]
Clicks, but also how many people "back" out of them and how many do not.
URL tooltips should never be used as a security safety net. I see your point for average internet users but as far as facepunch, I think most of us know better.
Still in e-mails you have to be careful even though this method can't be used. This picture is taken right from my spam inbox, and for the average computer user it may seem like a legit URL. Just look at the URL at the bottom left when I scroll over the link:
[img]http://i.imgur.com/AjVO7F6.png[/img]
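The two tricks discussed in this thread (a link whose script rewrites its own href when clicked, so the hover tooltip lies, and a spam-mail link whose visible text looks like one site while the href goes somewhere else) can both be caught by a simple static check over the markup. The following is an added example written for this edit, not code from the thread or the linked article; the function names, the regex-based scanning and the sample HTML are all my own constructions.

```javascript
// Added example (not from the thread): a small static checker that flags anchors
// which (1) rewrite their own href from an inline mouse handler, so the URL shown
// on hover is not the one followed, or (2) display a URL in the link text whose
// host differs from the host in the actual href (the spam e-mail trick).
// Regex scanning is sufficient for flat <a ...>text</a> markup; it is not a full
// HTML parser.

const HANDLER_ATTRS = ['onclick', 'onmousedown', 'onmouseup'];

// Parse the attributes of one <a ...> start tag into an object with lower-cased keys.
function parseAttrs(tagBody) {
  const attrs = {};
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Hostname of an absolute http(s) URL, or null for relative/javascript:/mailto: values.
function hostOf(url) {
  try {
    const h = new URL(url).hostname.toLowerCase();
    return h || null;
  } catch {
    return null;
  }
}

// Does the inline handler source assign to the anchor's href (directly or via setAttribute)?
function rewritesHref(handlerSrc) {
  return /\b(this\.|[a-zA-Z_$][\w$]*\.)?href\s*=(?!=)/.test(handlerSrc) ||
         /setAttribute\(\s*['"]href['"]/i.test(handlerSrc);
}

// Collect every <a ...>...</a> as { attrs, text } with inner tags stripped from the text.
function findAnchors(html) {
  const re = /<a\b([^>]*)>([\s\S]*?)<\/a>/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    out.push({ attrs: parseAttrs(m[1]), text: m[2].replace(/<[^>]*>/g, '').trim() });
  }
  return out;
}

// Returns an array of findings: { href, text, reason }.
function auditAnchors(html) {
  const findings = [];
  for (const a of findAnchors(html)) {
    const href = a.attrs.href ?? '';
    for (const attr of HANDLER_ATTRS) {
      if (a.attrs[attr] && rewritesHref(a.attrs[attr])) {
        findings.push({ href, text: a.text, reason: `${attr} rewrites href` });
        break;
      }
    }
    // Link text that itself looks like a URL but names a different host than the href.
    const looksLikeUrl = /^(https?:\/\/|www\.)/i.test(a.text);
    const textHost = looksLikeUrl
      ? hostOf(a.text.toLowerCase().startsWith('www.') ? 'http://' + a.text : a.text)
      : null;
    const hrefHost = hostOf(href);
    if (textHost && hrefHost && textHost !== hrefHost) {
      findings.push({ href, text: a.text, reason: `link text shows ${textHost} but href goes to ${hrefHost}` });
    }
  }
  return findings;
}

// Constructed sample markup using reserved example domains; not taken from any real page.
const SAMPLE_HTML = `
<a href="https://www.example.com/" onclick="this.href='https://example.invalid/login'">https://www.example.com/</a>
<a href="https://login.example.net/track?id=1">https://www.example.com/account</a>
<a href="https://www.example.org/about">About us</a>
<a href="https://www.example.org/" onclick="trackClick(this.href)">https://www.example.org/</a>
`;

for (const f of auditAnchors(SAMPLE_HTML)) {
  console.log(`[flag] ${f.reason}: href=${f.href} text="${f.text}"`);
}
```

Only the first two anchors are flagged: the first because its onclick assigns a new href, the second because its visible text names www.example.com while the href goes to login.example.net. A handler that merely reads `this.href` (the fourth anchor) is not reported, so ordinary click-tracking does not produce noise.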
[QUOTE=W00tbeer1;39969848]Still in e-mails you have to be careful even though this method can't be used. This picture is taken right from my spam inbox, and for the average computer user it may seem like a legit URL. Just look at the URL at the bottom left when I scroll over the link:
[img]http://i.imgur.com/AjVO7F6.png[/img][/QUOTE]I literally get 50 of those a week, and hotmail tells me they're all legit because they spoofed it to appear from blizzard's servers.
Why not just use something like bit.ly?
It's really annoying when people use that.
(Unless the user uses something like [I]Long URL Please[/I])
[QUOTE=TehWhale;39969875]I literally get 50 of those a week and hotmail tells me they're all legit because they spoofed it to appear from blizzard's servers[/QUOTE]
Then there's something wrong with hotmail or (more likely) with blizzard's email setup, because that should be impossible given a proper dkim/spf setup.
[QUOTE=TehWhale;39969875]I literally get 50 of those a week and [b]hotmail[/b] tells me they're all legit because they spoofed it to appear from blizzard's servers[/QUOTE]
I found your problem.
[QUOTE=Zephyrs;39970299]I found your problem.[/QUOTE]
This.
I get a ton of those too, but Gmail always tosses them to the spam folder.