Michael Horowitz
Home => HoverOverLinks
[Formatted for Printing] From the personal web site of  Michael Horowitz

Hover a mouse over a link - just don't trust the results

February 16, 2020: Initial creation
February 20, 2020: Added Google example
March 28, 2020: Added a real world example
April 27, 2020: Added a new section on server side re-directs
May 14, 2020: Expanded the section on Server-Side Re-directs
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Enough already. Far too many Art History majors working in the tech press keep recommending that you hover the mouse over a link to see where the link will actually lead. This is a scam. The link displayed in the bottom of the web browser window, when you hover over the link, can not be trusted. Here is proof.

This appears to be a link to a good website. When the mouse hovers over this link, it will appear that it goes to www.somegoodplace.com. Click it. I dare you :-)

The link really goes to guce.advertising.com. JavaScript is used to dynamically change the link just as it is clicked. Pretty cool, eh?

The JavaScript code that makes this possible is quite simple. To begin with, here is what a normal link looks like in HTML:

 < a href="https://www.somegoodplace.com">link to good site< /a>.

Below is that same link with the added JavaScript code that makes the malicious swapping possible. The magic is in the "onclick" event.

 < a onclick="this.href='https://guce.advertising.com';"
     href="https://www.somegoodplace.com">link to good site< /a>.

Of course, there is no mouse with a smartphone or tablet, but the issue is there too. To see where a link goes, simply long press on the link. Here is a screen shot of what this looks like in the Chrome browser on Android 10. Interestingly, if, from this menu, you chose to open the link, the browser goes to the good destination. Likewise, copying or sharing the link copies/shares the good destination, so these are great defensive tactics. Just don't click the link.

The situation is similar with Safari on iOS. As this screen shot shows, it too, displays the good link when long pressed, and if you opt from the menu to open the link, it will open the good link, not the bad one. Here too, however, clicking the link goes to the bad website.

There is nothing new here, Google has been lying about the destination of links for longer than I can remember. Take this search for "George Washington University" for example.

Google search destination scam
A normal Google search

The mouse pointer does not appear in the screen shot but it was hovering over George Washington University, and the bottom left corner of the window indicates that the link goes to www.gwu.edu. That's not true. This is the actual link:


which I got by simply right clicking on the link and copying the Link Location. I added some line breaks to make it easier to read. When you click on a link in Google search results, you first go back to Google, then to the destination that the link appears to point.

In addition to the technology, there is also a lesson here on trust. If you ever see this advice in the future, you know not to trust the person who offered it. Even moreso, what does it say when a large organization repeats this old fallacy? It shows that no one in the organization reviews what they publish. I'm looking at you Consumer Reports and WireCutter.

On a related note, shortened links are also dangerous, they are just more obvious about it. Defensive suggestions for dealing with shortened links can be found in the Extra Credit section of my DefensiveComputingChecklist.com website. Don't trust this link? I don't blame you :-)


April 27, 2020. Then too, there are server side re-directs that require no Javascript at all. For example, the very trustworthy Ask Woody website sends out newsletters with links like this:


Clicking on this link can send you anywhere Woody wants you to go. There are three parameters in the above link, "u", "id" and "e". My guess is that one is a code for the web page that you end up at, another identifies you in the AskWoody.com newsletter system and the third is an account at list-manage.com.

There is nothing malicious here, at least not in the case of Woody Leonhard, but the point is that what you see as the initial link tells you nothing about the web page where you eventually end up.

- - - - -

May 14, 2020. The WireCutter website offers many examples of server side re-directs. For example, some links at the site look like this:


Where the 9s represent a number. When clicked, you are obviously taken, first, to the WireCutter website, but just for a second before they re-direct you to the retailer, in this case, Amazon.com.

Some other links on the site look like this:


In my experience, after going to shop-links.co, this link goes to


and only then, finally, takes you to to retailer selling the product in question. In this case you are bounced twice before landing at the ultimate destination. I found two other instances of server-side re-directs where you were bounced twice before landing on the retail product page.

In one case, the links looked like this


which, after starting at androezrs.net, then goes to emjcd.com before finally going to the retailer (in this case woot.com).

They also have links that look like this


which make a stop at bizrate.com after skimresources.com and before finally landing at the retailer.

- - - - - - - - - - - - -

UPDATE: March 27, 2020. This article, New Router DNS Hijacking Attacks Abuse Bitbucket to Host Infostealer by Liviu Arsene of BitDefender describes how a malicious web page tricks Windows users into installing malware. Part of trickery is disguising the destination of a link. Quoting: "The download button has the 'href' tag (hyperlink) set to https://google.com/chrome so it seems clean when the victim hovers over the button. But actually an 'on-click' event is set that changes the URL to the malicious one..."

- - - - - - - - - - - - -

NOTE: The first version of this blog used a different approach. Instead of the "onclick" event, it used the "onmouseover". This approach fools the desktop version of Firefox, but does not fool Chrome or Edge. On iOS, the onmouseover approach fools both Safari and Firefox. However, on Android, it does not fool Chrome, Firefox or Brave. On Android, it only fools the DuckDuckGo browser. The "onclick" event seems to fool every browser.



 @defensivecomput TOP Home => HoverOverLinks   
 michael--at--michaelhorowitz.com   Last Updated: May 14, 2020 6PM UTC  
  License Plate
Copyright 2001-2021
Copyright 2001-2021  
Printed at:   February 27, 2021 6:30pm   ET
Viewed 13,278 times since February 16, 2020 (35/day over 377 days)