Wait… That Wasn’t Facebook?
In today's digital age, malicious hackers are constantly finding new ways to deceive unsuspecting internet users. Many methods that used to be effective no longer work, as people are generally more aware of internet safety and security (knock on wood).
However, an attack vector that I find particularly interesting (because it can be difficult to spot) is URL obfuscation: making a potentially harmful link appear safe and legitimate.
By exploiting human curiosity and with a little bit of HTML/CSS/JS, hackers can trick people into clicking on these links, leading to devastating consequences such as identity theft, malware infections, or financial loss. This is especially disastrous in businesses, where an employee clicking a link can put the whole business at risk.
How do they do it?
Hiding URLs can be done in numerous ways with HTML and other obfuscation methods. For instance, hackers may use JavaScript event handlers like onclick to send the user to a different URL than the one displayed. They can also rewrite the href attribute of an <a> tag at click time, so the link points to a different address than the one the browser previewed on hover.
To make matters worse, hackers can further obfuscate malicious URLs by using URL shorteners or redirect services. These services mask the actual URL behind a shortened or customized link, making it challenging for users to discern the true destination.
Let’s take a look at some examples:
Easy to spot:
<a href="https://example.com">www.google.com</a>
This one is easy to spot and easy to protect against. When you hover your mouse over the link, your browser shows the URL it actually points to (https://example.com) in its status bar, usually at the bottom left of the browser window, rather than the text that is displayed.
Easy to spot:
https://facebook.com+login=secure+settings=private@example.com
This one is a little more tricky to detect, but once you know what to look for it is easy to spot and easy to protect against. When you hover your mouse over the link, your browser will once again show the link it is actually pointing to in its status bar. The catch is in how URLs are structured: everything between the // and the @ symbol is the userinfo (username and optional password) part of the URL, and the host the browser actually connects to is whatever follows the @. Here the whole facebook.com+login=secure+settings=private portion is just a username; no redirect takes place, the link simply goes to example.com. Modern browsers are wary of credentials embedded in a link and may strip them or ask for confirmation, but the destination is still the host after the @.
This can be a problem because unsuspecting users can quickly scan the URL, see that the first part looks safe, and click without checking the browser's status bar. This is made even worse when an email client or a narrow status bar truncates the link so that the part after the @ is never visible.
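As an added example (not part of the original post), here is how a URL parser resolves such a link. Python's urllib.parse.urlsplit follows the same generic syntax (RFC 3986) that browsers apply to the authority part of a URL: whatever precedes the last @ is userinfo and is never used to choose the server; the host is what follows. The sample links and the userinfo_trick heuristic are constructed for this example.

```python
from typing import Optional
from urllib.parse import urlsplit


def real_destination(url: str) -> dict:
    """Report where a URL actually points.

    In the authority part (between '//' and the next '/'), everything before
    the last '@' is userinfo (username[:password]) and plays no part in
    selecting the server; the host is whatever follows the '@'.
    """
    parts = urlsplit(url)
    return {
        "host": parts.hostname,
        "port": parts.port,
        "username": parts.username,
        "password": parts.password,
    }


def userinfo_trick(url: str) -> Optional[str]:
    """Return a short reason if the link carries userinfo, else None.

    Heuristic chosen for this example: credentials in a link that arrives by
    mail are unusual on their own, and userinfo containing a dot (so that it
    reads like a hostname) is the decoy pattern described above.
    """
    parts = urlsplit(url)
    if parts.username is None:
        return None
    decoy = parts.username if parts.password is None else f"{parts.username}:{parts.password}"
    if "." in decoy:
        return f"{decoy!r} is userinfo, not the host; the link goes to {parts.hostname!r}"
    return f"link carries credentials {decoy!r} and goes to {parts.hostname!r}"


# Constructed sample links for this example (the first is the one above).
SAMPLE_LINKS = [
    "https://facebook.com+login=secure+settings=private@example.com",
    "https://facebook.com:password@example.com:8443/login",
    "https://www.facebook.com/login",
    "https://example.com/?next=facebook.com",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", real_destination(link)["host"], "|", userinfo_trick(link))
```

The last sample shows why the check looks at the parsed username rather than simply searching the string for a second domain: a legitimate query parameter may mention facebook.com without changing where the link goes.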
More difficult to spot:
<span onclick="location.href='https://evil-website.com';">safe-website.com</span>
This one is tricky. When you hover your mouse over the link, your browser shows nothing in the status bar. The element is a plain <span> with no href, so the browser has no URL to preview; the navigation exists only inside the onclick handler, which runs when the text is clicked and sends you to the specified website.
<span onclick="location.href='https://evil-website.com';" style="color: #0672bf; text-decoration: underline; cursor: pointer;" onmouseover="this.style.color='#004466'" onmouseout="this.style.color='#0077cc'">safe-website.com</span>
Malicious actors can take this a step further and make the text look like a clickable link, but like before, the browser does not see it as one, so it does not show anything in the status bar.
<button onclick="location.href='https://example.com';">safe-website.com</button>
Users are often told never to click a link they do not trust, so attackers put the same handler on a button instead. Once again, the example above shows nothing in the browser's status bar. Buttons are safe... right?
Difficult to spot:
<a href="http://www.safe-link.com/" onclick="this.href='http://evil-website.com/'">safe-website.com</a>
This one is the most difficult to spot. Unlike the first example, hovering over this link makes the browser's status bar show http://www.safe-link.com/, because that is the href at that moment. When the link is clicked, the onclick handler runs before the browser follows the link and rewrites the href to http://evil-website.com/, so the user ends up on the malicious site. (The visible text, safe-website.com, does not even match the previewed host, safe-link.com, which is a second warning sign.)
This specific technique is well suited to phishing, and a hover check cannot catch it; only inspecting the markup, or filtering that strips inline event handlers, will. Note that it needs JavaScript to run, which mail clients do not execute inside message bodies, so it is typically hosted on a web page that the phishing email links to. This is why it is incredibly important to maintain strong security practices and routinely train employees to keep your business safe.
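As an added example (not from the original post), the following scanner applies the checks from this section to an HTML page or email body using Python's standard-library html.parser. It flags an anchor whose visible text names one host while its href goes to another, an href that carries userinfo, any inline on* handler that navigates (the span and button tricks, which give no status-bar preview), and an anchor whose handler rewrites its own href at click time. SAMPLE_HTML is constructed from the snippets above plus one honest link; the finding names and the regular-expression heuristics are this example's own, not a standard.

```python
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

# Visible link text that reads like a URL or hostname (e.g. "www.google.com").
DOMAIN_LIKE = re.compile(r"^(?:https?://)?(?:www\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)+\S*$", re.I)
# Inline handler code that navigates somewhere (the span/button tricks above).
NAVIGATES = re.compile(r"\b(?:location(?:\.href)?\s*=|location\.(?:assign|replace)\s*\(|window\.open\s*\()")
# Inline handler code that rewrites the anchor's own href at click time.
REWRITES_HREF = re.compile(r"\bthis\.href\s*=")


def host_of(value: str) -> str:
    """Host named by a URL or by bare link text, lower-cased, without 'www.'."""
    v = value.strip()
    if not re.match(r"^[a-z][a-z0-9+.-]*://", v, re.I):
        v = "http://" + v  # bare text such as "www.google.com"
    host = (urlsplit(v).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


class LinkAuditor(HTMLParser):
    """Collect (kind, detail) findings for every element that can be clicked."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, str]] = []
        self._open = []  # frames (tag, attrs, text chunks) for open elements

    def handle_starttag(self, tag, attrs):
        self._open.append((tag, dict(attrs), []))

    def handle_data(self, data):
        for _tag, _attrs, chunks in self._open:
            chunks.append(data)  # text belongs to every open ancestor

    def handle_endtag(self, tag):
        if not any(frame[0] == tag for frame in self._open):
            return  # stray close tag, nothing to check
        while self._open:
            t, attrs, chunks = self._open.pop()
            self._check(t, attrs, "".join(chunks).strip())
            if t == tag:
                break

    def finish(self):
        while self._open:  # elements that were never closed
            t, attrs, chunks = self._open.pop()
            self._check(t, attrs, "".join(chunks).strip())

    def _check(self, tag, attrs, text):
        href = attrs.get("href")
        for name, value in attrs.items():
            if not (name.startswith("on") and value):
                continue
            if REWRITES_HREF.search(value):
                self.findings.append(("href-rewritten-on-click",
                    f"<{tag}> previews {href!r} on hover but {name} rewrites it: {value.strip()}"))
            if NAVIGATES.search(value):
                preview = "no status-bar preview" if tag != "a" else "anchor"
                self.findings.append(("handler-navigation",
                    f"<{tag}> ({preview}) navigates from {name}: {value.strip()}"))
        if tag == "a" and href:
            parts = urlsplit(href)
            if parts.username is not None:
                self.findings.append(("userinfo-in-href",
                    f"text before '@' is userinfo; real host is {parts.hostname!r}"))
            if DOMAIN_LIKE.match(text) and host_of(text) != host_of(href):
                self.findings.append(("text-host-mismatch",
                    f"text names {host_of(text)!r} but href goes to {host_of(href)!r}"))


def audit(html: str) -> List[Tuple[str, str]]:
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    auditor.finish()
    return auditor.findings


# Constructed sample: the five snippets from this post plus one honest link.
SAMPLE_HTML = """
<p><a href="https://example.com">www.google.com</a></p>
<p><a href="https://facebook.com+login=secure+settings=private@example.com">facebook.com</a></p>
<p><span onclick="location.href='https://evil-website.com';">safe-website.com</span></p>
<p><button onclick="location.href='https://example.com';">safe-website.com</button></p>
<p><a href="http://www.safe-link.com/" onclick="this.href='http://evil-website.com/'">safe-website.com</a></p>
<p><a href="https://www.google.com/">www.google.com</a></p>
"""

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_HTML):
        print(f"{kind:24} {detail}")
```

Run as-is it reports the five tricks and stays silent on the honest Google link. The same function can be pointed at the HTML part of a suspicious email, which is where such a check belongs: it never needs to render or execute anything, it only reads the markup that the hover preview hides.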
How do I protect myself?
So, how can you protect yourself from falling victim to these URL obfuscation techniques? Here are a few essential tips:
- Hover over links: Before clicking on any link, hover your mouse cursor over it to view the actual URL in the browser's status bar. Verify that the displayed link matches the destination you expect. If it looks suspicious or unfamiliar, proceed with caution. (However, we now know that this does not always work!)
- Inspect the HTML source: If you have technical knowledge, inspect the HTML source code of a webpage/email to identify any hidden or manipulated links, especially if it seems off. Look for JavaScript event handlers or modifications to the href attribute that may indicate URL hiding.
- Be cautious of unsolicited emails and messages: Malicious links are often distributed through phishing emails, social media messages, or text messages. Avoid clicking on links from unknown or untrusted sources. Instead, manually type the URL into your browser or use a trusted search engine to find the desired website.
- Keep your software up to date: Regularly update your operating system, web browser, and security software to ensure you have the latest protections against known vulnerabilities and exploits.
- Use a reliable antivirus: Install and maintain trusted anti-malware software on your devices. These tools can help detect and block malicious links or warn you about suspicious websites.
Remember, staying vigilant and cautious while browsing the internet is crucial in protecting yourself from falling victim to URL hiding and other malicious techniques employed by hackers. By practicing safe browsing habits and being skeptical of unfamiliar links, you can reduce the risk of becoming a victim of cybercrime.
Stay safe online!
Filip