Cybersecurity awareness month has now been and gone, but hopefully, the lessons learned during October will remain with users for some time. One of those cybersecurity awareness lessons is never to trust links you see in your email, as they could easily be malicious and part of a phishing campaign. The general consensus of security opinion is that, at the very least, you should always hover your mouse pointer over a link so as to reveal the actual URL destination rather than just the link text that could say anything at all. But what if hovering over a malicious URL showed you the same fake link details as the link text? Cyber criminals are using a relatively simple technique to obfuscate the true destination of a malicious link for Gmail users who look to the web client rather than an app for their email. Here’s what we know about this attack tactic.
Is It Safe To Hover On Links, Gmail User Asks—The Answer Is Complicated
My attention was drawn to the Gmail subreddit when a poster on Nov. 06 posed the question: “Is it safe to hover on attachments (without actually clicking/downloading it)?” The poster was concerned because they had hovered over an attachment and then deleted it without clicking or downloading it, but worried that the act of hovering alone might have triggered a malicious execution of some kind. The answers were valid and expected, essentially agreeing that it’s safe to hover as long as you don’t click.
My interest was piqued, however, as the “hover don’t click” message is often preached as part of the gospel of good security when it comes to dealing with links in email. By hovering over a link you can quickly see where it’s actually taking you rather than where the link text says it is taking you. This ploy is a perennial favorite among the phishing fraternity and has been for decades now.
The problem with that advice, while still highly recommended, is that it’s not bulletproof. OK, the shocking cybersecurity truth is that no defensive measure is 100% guaranteed to work; there are always exceptions, and it’s these that cyber criminals look to exploit to their benefit. And so it is with link hovering.
The Gmail Exception To The Link Hovering Security Rule
Some years ago now, in 2020, the cybersecurity awareness boffins who work at KnowBe4 issued an alert that all was not well in the world of link hovering as a protection against malicious links. What if, they posited, everything’s a con?
After spoofing the link text to read as if it’s the genuine login page or site the user is expecting, the cyber criminals in this scenario then spoof the link hovering text as well. This isn’t difficult to do: all it takes is some simple HTML, with no JavaScript coding required, to set the mouseover text label. The reason this works is that the mouseover label is displayed right next to the link being hovered, whereas when using a web client to access Gmail the real URL is displayed elsewhere, in Chrome for example at the bottom of the screen. The point being that the attacker is banking on the reader looking nowhere other than the URL that pops up alongside the link.
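Because the spoofed tooltip is just an attribute on the anchor, the mismatch is easy to detect mechanically if you can see the raw HTML of the message. The following is an added example, not code from the original article or from KnowBe4: it parses the anchors in an HTML body and flags any link whose visible text or mouseover title names a host that differs from the one the href actually points to. The sample message and all host names in it are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect every <a> with its href, title (the mouseover tooltip) and visible text."""
    def __init__(self):
        super().__init__()
        self.links, self._current = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._current = {"href": a.get("href") or "",
                             "title": a.get("title") or "", "text": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None

def host_of(value):
    """Host named by a URL-like string ('https://x.example/p' or 'x.example'), else None."""
    value = value.strip() if "://" in value else "http://" + value.strip()
    try:
        host = urlparse(value).hostname
    except ValueError:  # free text such as 'see [1]' can trip the IPv6 bracket check
        return None
    return host.lower() if host and "." in host else None

def find_spoofed_links(html):
    """(href, shown_host) for links whose text or tooltip names a different host than href."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for link in parser.links:
        real = host_of(link["href"])
        for label in (link["text"], link["title"]):
            shown = host_of(label)
            if shown and shown != real:
                findings.append((link["href"], shown))
                break
    return findings

# Constructed sample: text and tooltip both claim the expected sign-in host, the href does not.
SAMPLE = ('<p>Sign in: <a href="http://example.net/login" title="https://accounts.example.com/signin">'
          'https://accounts.example.com/signin</a></p>'
          '<a href="https://accounts.example.com/help" title="accounts.example.com">Help</a>')
```

Running `find_spoofed_links(SAMPLE)` reports only the first link, since its text and tooltip both name accounts.example.com while the href goes to example.net; the second link, whose tooltip matches its destination, is left alone.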
Desktop clients and mobile apps don’t appear to suffer from this lapse in security, so I’d heartily suggest you use them instead of your web browser to read your Gmail if you are concerned about this attack methodology. One member of the cybersecurity community on X told me that they had recently come across the exact same tactic in a phishing email and that it is a growing threat vector. Be careful out there, Gmail users, and users of any web-based email platform that displays real URLs on hover somewhere other than next to the link itself.