Symantec recently received a phishing email that uses an interesting technique to hide the URL of a phishing site. When you receive a suspected phishing message, one way to determine whether the embedded URLs are legitimate is to hover your cursor over the underlined hyperlink and check the URL shown in the status bar of your browser. The status bar lets you see whether the link belongs to the appropriate domain.
Take the following example, where you are a member of a legitimate bank known as “SymBank” (this is a made-up name for the purposes of this blog). You receive a message asking you to log in to verify some account transaction details. When you hover over the link, the URL appears valid, as shown in the image below:
However, looking at the HTML source of this email, we see that if we click on this link, we will actually be redirected to a completely different site that will attempt to steal our credentials.
Fortunately, the URL in the status bar is only one indicator of a fraudulent message. If you clicked on the link, the resulting site would show the fake URL in the address bar and would likely not be using SSL. However, the same technique could also be used to trick someone into visiting a malicious Web site that hosts exploits, and by the time that person realizes they are at a malicious Web site, their machine would already have been infected.
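A mail filter can look for links whose hover URL may not match what a click does. The following is an added example, not code from the original post or from any Symantec product; the post does not reproduce the message's HTML, so these are generic checks rather than the exact technique it saw, and `LinkAuditor`, `audit` and the sample hosts are assumed names.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that looks like a host name, with or without a scheme.
URL_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
def host(url):
    return (urlsplit(url.strip()).hostname or "").lower()

class LinkAuditor(HTMLParser):
    """Records (href, reason) for <a> elements whose hover URL may mislead."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._open = None  # [href, text chunks] of the <a> being read

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attrs = dict(attrs)
        href = attrs.get("href") or ""
        self._open = [href, []]
        # Script handlers can alter the status text or the click destination.
        handlers = sorted(k for k in attrs if k.startswith("on"))
        if handlers:
            self.findings.append((href, "script handler: " + ",".join(handlers)))

    def handle_data(self, data):
        if self._open is not None:
            self._open[1].append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._open is None:
            return
        (href, chunks), self._open = self._open, None
        shown = URL_TEXT.search("".join(chunks))
        if shown and host(href) and shown.group(1).lower() != host(href):
            self.findings.append((href, "text shows " + shown.group(1).lower()))

def audit(html_body):
    auditor = LinkAuditor()
    auditor.feed(html_body)
    return auditor.findings

# Constructed sample body; symbank.example and 203.0.113.7 are placeholders.
SAMPLE = (
    '<a href="https://www.symbank.example/login" onclick="return go()">Verify</a>'
    '<a href="http://203.0.113.7/login">www.symbank.example/login</a>'
)
```

The host comparison is strict, so link text that names a sibling host of the real destination is also flagged and needs an allow-list in practice.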
As usual, be cautious when following links in unsolicited email and ensure you are using in-depth protection, including anti-phishing products and spam-prevention products. Fortunately, the phishing email that was received was properly blocked by Symantec's Brightmail AntiSpam solution.