
Well, I just devised what I call a masked drop-link system. It is unlike anything anyone has ever seen before: basically, the user clicks on a URL to a website that they know and trust well. This site is used by millions of people every single day. Once they click on the link, it brings them to the site and, within seconds, they are forcefully redirected, to a drop link in this case. Unlike other drop links that people have been making, this one is totally hidden: you do not see anything revealed in the address bar besides the actual website URL. The redirect happens in the background without any interaction.

This could, however, be used with malicious intent, such as phishing: someone could redirect to a fake Google login page and mask it to have Google's actual credentials in the address bar (this is done by using a known exploit in Google's Translate site), so the user gets prompted to re-enter their login details. They think they are smart, so they look up at the address bar, and sure enough they see Google's true URL in there. What they do not realize is that, using this Translate exploit, the fake login page that will collect and steal your login and password loads within a frame right on the Translate page, so the URL of the phishing page does not show up.

All in all, someone can cause a lot of harm with this, profit somehow, or prank people with a drop-link, which is the only friendly-fire option really. Seeing as I don't need to make coin from using this and I do not seek to harm anyone, I would personally not bother using my method for any malicious purpose, but I am certain that does not apply to anyone else, who most certainly will discover what I did with a few simple searches and trial-and-error testing.

Note: The method, when used in posts on Google+ for example, pulls the legit headers from the main website and not the forced redirect site. As proof of concept, I will show you an example below this post: if you click on the link, which looks totally legitimate and goes to the official American Express website, then once the site loads, within a few seconds as you read what's on the page, whether you click on their CONTINUE link or just do nothing, you will be force-redirected to Google.com. This test is harmless and will not log you out (it is not a drop link), so go ahead and see how it works.

Please do not ask for instructions on how it could be used to phish data; that is clearly illegal.

Embedded Link

American Express® Card Center
Other Accounts. Savings Accounts and CDs · Gift Card Balance · Membership Rewards® Point Summary · Credit Secure · ID Protect. Mobile Account Management. Mobile Account Management. Check your balance,…


Post imported by Google+Blog. Created By Daniel Treadwell.