Tuesday, July 23, 2013

Disguised links

Previously I wrote about two new pen-test / social engineering tools (Pwnxy and Phishable). These tools simplify the "art" of deceiving an end user by presenting a legitimate-looking page (the page is in fact legitimate, but passed through a proxy that can change the content and intercept anything submitted - such as login credentials).

One comment from a reader was, can you tell if a link is safe by examining the URL? To some degree, yes you can tell by the actual URL whether the link is safe or not. When you hover over a link, typically the actual URL is displayed on the browser's status bar at the bottom of the screen. If the URL is myrealbank.com, it may be safe; if the URL is myevilproxy.com?site=myrealbank.com, that's a dead giveaway. Shortened URLs (t.co, bit.ly, etc) make this a bit more challenging, because the short URL masks a much longer string, and it's a bit inconvenient to check each long-form URL before following the link (though there are browser plug-ins that will expand the URL and show you the full link).

There are some sneakier ways one might disguise the actual link though. I will describe and demonstrate a few below. For the below examples, assume that I want the viewer to think the link goes to Google, when in fact I am sending the user to Yahoo.

The first tactic is simple: I can create a "tool tip" for the link, that will display near the cursor when hovering over the link:

<a href="http://www.yahoo.com" title="www.google.com">Google</a>

which renders as

The link text reads "Google," and the pop-up text beside the link says the same. Notice that it does not affect the status message at the bottom of the screen though - it still shows the actual URL. However, Javascript exposes most elements of a page, including the status object. Using the mouseover event on older browsers, I can change the status text to something of my own choosing, instead of the typical display of the actual URL:

<a href="http://www.yahoo.com" onmouseover="javascript:window.status='http://www.google.com'; return=true;">Google</a>

Which renders as:

On older browsers, even though the actual URL is www.yahoo.com, the status bar would display www.google.com as directed by the Javascript code. Most recent browsers though disable this function by default. A user would have to explicitly re-enable the feature to allow Javascript to modify status text.

A different tactic still works with modern browsers. Since the status bar displays the actual URL, this tactic leaves the actual URL untouched, until the user clicks, and only then replaces the URL with something different:

<a href="http://www.google.com" onclick="javascript:this.href='http://www.yahoo.com'">Google</a>

Which renders as:

Note that if you hover over the link, it shows www.google.com (because at that point, the target is in fact www.google.com), but if you click, the target is changed before the browser follows the link, and you end up at www.yahoo.com.

Each of these scenarios shows a way the link could be disguised. Thus, a link on a web page, or a link in an email, or on Facebook or Twitter or Instagram, etc., can appear to go somewhere benign when in fact it goes to a malicious site. However, in each of these cases once the link is followed, the actual new location shows up in the address bar at the top of the browser window. If you click on a link that says "Google" but Yahoo loads, you would likely notice the difference.

What if instead of GOOGLE the link were to G00GLE (zeroes instead of "oh"s)? Or the malicious site used an internationalized character set which had characters that looked nearly identical to the English alphabet? Such cases might be very difficult if not impossible to notice visually.

Now to be fair, not every funny cat video, nor every letter from your bank, is malicious - in fact most are probably not - but there are a myriad ways those with ulterior motives can disguise their actions. The best protection is a little common sense and a healthy awareness of the world around you (an alternate Domain Name Service that blocks known-malicious web sites also helps). Think before clicking, and think even harder before submitting anything valuable (such as the login credentials to your bank, or sensitive business plans). If it's critical, type in the web site address yourself, or use a known bookmark.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen