
Clever HTML for URL Hiding

Created: 07 Mar 2007 08:00:00 GMT • Updated: 23 Jan 2014 18:51:39 GMT
Eric Chien

Symantec has recently received a phishing email that makes use of an interesting technique for hiding a phishing site URL. When receiving a suspected phishing message, one method of determining whether the embedded URLs are legitimate is to simply pass your cursor over the underlined hyperlink and then check the URL in the status bar of your browser. In the status bar, you can see whether the link belongs to the appropriate domain.

Using JavaScript, one can alter the text in the status bar, so when browsing the Web in general, this isn't always a reliable way to verify the underlying URL. When you receive an HTML email in an email client (including Webmail), however, JavaScript is generally neutered so that it does not execute. That prevents obfuscation of the status bar via JavaScript and makes the technique more reliable. The phishing message we recently received, though, is able to modify what is displayed in the status bar without the use of JavaScript. The message replaces the text in the status bar with the expected legitimate URL.

Take the following example, where you are a member of a legitimate bank known as “SymBank” (this is a made-up name for the purposes of this blog). You receive a message asking you to log in to verify some account transaction details. Hovering over the link, the URL appears valid, as shown in the image below:

However, looking at the HTML source of this email, we see that if we click on this link, we will actually be redirected to a completely different site that will attempt to steal our credentials.
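The check described above, reading the HTML source rather than trusting the hover text, can be automated. The following is an added example, not code from the original post, and it does not reproduce the message's markup (which the post does not show): it lists every navigation target in an HTML body and reports those outside the expected domain. The domain `symbank.example`, the other hosts and the sample HTML are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Attributes that send the reader somewhere when the element is activated.
NAV_ATTRS = {"a": "href", "area": "href", "form": "action"}

class LinkAuditor(HTMLParser):
    """Collect every navigation target in an HTML body with its visible text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.targets = []   # [tag, url, visible text]
        self._open = []     # stack of open <a> tags: index into targets, or None

    def handle_starttag(self, tag, attrs):
        attr = NAV_ATTRS.get(tag)
        url = (dict(attrs).get(attr) or "").strip() if attr else ""
        if url:
            self.targets.append([tag, url, ""])
        if tag == "a":
            self._open.append(len(self.targets) - 1 if url else None)

    def handle_endtag(self, tag):
        if tag == "a" and self._open:
            self._open.pop()

    def handle_data(self, data):
        for i in self._open:
            if i is not None:
                self.targets[i][2] += data

def host_allowed(url, allowed):
    """True only if the URL's host is an allowed domain or a subdomain of one."""
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:      # malformed URL: treat as not allowed
        return False
    return any(host == d or host.endswith("." + d) for d in allowed)

def audit(html, allowed):
    # Report (tag, url, visible text) for each target outside the allowed domains.
    parser = LinkAuditor()
    parser.feed(html)
    parser.close()
    return [(t, u, " ".join(x.split())) for t, u, x in parser.targets if not host_allowed(u, allowed)]

# Constructed sample; "symbank.example" and the other hosts are placeholders.
SAMPLE = """<p>Please <a href="https://www.symbank.example/help">read our help page</a> or
<a href="http://login.example.net/verify">https://www.symbank.example/login</a>.</p>
<form action="http://collect.example.org/post"><input name="user"></form>"""
print(audit(SAMPLE, {"symbank.example"}))
```

Targets with no host at all (relative links, `mailto:`) are also reported, since they cannot be shown to belong to the expected domain.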

Fortunately, the URL in the status bar is only one indicator of a fraudulent message. If you clicked on the URL, the resultant site would have the fake URL in the URL input area, and it would likely not be using SSL. But this same technique could also be used to trick someone into visiting a malicious Web site that might host exploits, and by the time that person realizes they are at a malicious Web site, their machine would have already been infected.

As usual, be cautious when following links in unsolicited email and ensure you are using in-depth protection, including anti-phishing products and spam-prevention products. Fortunately, the phishing email that was received was properly blocked by Symantec's Brightmail AntiSpam solution.