Link Manipulation Phishing

Tricks browsers into scraping the wrong URL for <a> links.

Abstract

The <a> tag initially carries the original URL as its HREF; 50 ms after the user mouses over the <a>, the HREF is swapped out for another link. Meanwhile, the browser's HREF information (bottom left on hover on desktop, long-press info panel on mobile) still shows the original URL. This can then be combined with IDN phishing to perform a sophisticated phishing attack. Live demo.

Simpler Version

The same effect can be achieved far more simply with an inline onclick handler, but this doesn't catch other link-opening methods (middle click, right-click open in new tab, Ctrl+click...):

<a href="https://apple.com" onclick="event.preventDefault(); window.location = 'https://xn--80ak6aa92e.com'">https://apple.com</a>
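
For review of templates or stored user-supplied HTML, the following added example (not code from this repository) flags anchors whose inline event handlers reference a host different from the one in the visible href, and marks punycode targets. The function names and the regex-based attribute parsing are assumptions made for this sketch; it does not see handlers attached from script, such as the timed mouseover swap described in the abstract.

```javascript
// Added example (not from the repository): lint HTML for anchors whose inline
// event handlers navigate to a different host than the visible href.
const HANDLER_ATTR = /\s(on[a-z]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
const HREF_ATTR = /\shref\s*=\s*(?:"([^"]*)"|'([^']*)')/i;
const URL_LITERAL = /https?:\/\/[^\s'"`)<>]+/gi;

// Hostname in ASCII form; the URL parser converts Unicode IDNs to punycode.
function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch {
    return null; // relative or malformed URL: nothing to compare
  }
}

function isPunycode(host) {
  return host.split('.').some((label) => label.startsWith('xn--'));
}

// Returns one finding per URL literal in a handler that disagrees with href.
function auditAnchors(html) {
  const findings = [];
  for (const tag of html.matchAll(/<a\b([^>]*)>/gi)) {
    const attrs = tag[1];
    const hrefMatch = HREF_ATTR.exec(attrs);
    const href = hrefMatch ? hrefMatch[1] ?? hrefMatch[2] : null;
    const hrefHost = href ? hostOf(href) : null;
    for (const h of attrs.matchAll(HANDLER_ATTR)) {
      const body = h[2] ?? h[3];
      for (const u of body.matchAll(URL_LITERAL)) {
        const targetHost = hostOf(u[0]);
        if (!targetHost || targetHost === hrefHost) continue;
        const reasons = ['host-mismatch'];
        if (isPunycode(targetHost)) reasons.push('punycode-host');
        findings.push({ href, handler: h[1].toLowerCase(), target: u[0], reasons });
      }
    }
  }
  return findings;
}

// Constructed sample input: the README's anchor plus a benign control.
const SAMPLE = `
<a href="https://apple.com" onclick="event.preventDefault(); window.location = 'https://xn--80ak6aa92e.com'">https://apple.com</a>
<a href="https://example.org/docs" onclick="track('https://example.org/docs')">docs</a>`;

console.log(auditAnchors(SAMPLE));
```

Because `hostOf` normalises through the URL parser, a target written with Unicode characters is reported with the same `punycode-host` reason as one written in `xn--` form.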
