Free Report How to Fake URLs

*** How to set up a button or link on your web page that tricks someone who uses Internet Explorer into thinking you defaced a web site.

What if you can't alter the hosts file of your friend's computer? As of today, an easy way to spoof URLs is to exploit a flaw in Internet Explorer versions up to 6.0. You can test for this flaw at https://happyhacker.org/defend/test.shtml. Note: some antivirus programs will claim that this test is a virus. That is not true. They merely are reacting to the fact that it is an attempt to spoof a URL, and are not well enough programmed to tell you it is a URL spoof instead of a virus. If your browser is vulnerable, a link on that page will take you to what looks like https://www.nsa.gov. If your browser is OK, it will show you that this page is actually https://www.happyhacker.org/defend/fakems.htm . The Opera browser will warn you about spoofed URLs (see https://www.opera.com/. TSome browsers will partially show a faked URL, usually as https://www.nsa.gov%01@happyhacker.org/defend/fakems.htm.

Now the trick is to somehow get your friend to click on a button you have created to get him or her to go to your "hacked" web site. How does this work? The code for the funny button on this web page is:

<button
onclick="location.href=unescape('https://www.nsa.gov%01@happyhacker.org'/defend/fakems.htm');"
style="font:8pt verdana, sans-serif;">
<B>Test Exploit</B></button>

If you have a web site, here is code you can upload that will make a web page that carries your boast about defacing a web site:

<HTML>
<HEAD>
<TITLE>Trick web page</TITLE>
</HEAD>
<BODY>
<BODY BGCOLOR="#ffffff">
<button
onclick="location.href=unescape('https://www.cia.gov%01@happyhacker.org');"
style="font: 12 pt Comic Sans MS">
<B>Click here for proof that I hacked the CIA web page!!!!</B>
</button>
</BODY>
</HTML>

Anyone who has a vulnerable browser will click on it and get the Happy Hacker web site, but the location bar in the browser will say https://www.cia.gov. Of course you could connect to a page on your own web site where you can plaster the childish, ungrammatical, misspelled boasts of the typical web site defacer. For examples of defaced web sites that you can use as, ahem, style guides, see https://www.zone-h.org/

Unless you can include the character between gov and % that probably shows up in your browser as a box, this is not a perfect hack. Without that funny character, if your friend looks at the bottom of the browser, he or she can see a briefly displayed message, "Opening page https://www.cia.gov%01@happyhacker.org�" However, if your friend is on a broadband connection, this message will flash by too fast to read. Aw, shucks.

Evil genius tip: How do you embed that funny character on your web page? Hint: find an editor that works with Unicode, and doesn't try to do a whole bunch of extra stuff (like MS Word does).

GaNt points out that there is another way to make a phoney link. Actually several other ways. "By using the href="#" the link is now activated to point to itself. The onClick will be able to activate because the link will not leave the page. It would be a really good idea to change the status bar as well, so I put that code into it, too."

This is the Link Text

Here is what the code is for the link above:

Another way to spoof a URL on a web page is to use Javascript. If you've never written a program before, don't sweat. It is super easy to write programs, especially when you have sample code. Try this for a web page:

</BODY><BR>
</HTML></P>

Here's how this will work on your web page:

This Javascript program was based on one written by GaNt. You can enjoy more of his work at his web site, "https://www.bleacheatingfreaks.com/"

First thing to notice is that when you run a mouse over the upper link, it only shows whatever text you have programmed into the "onMouseOver" command. If you really want to fake someone out, put the URL of the web site you claim to have hacked there. That part of the program is easy to customize. You could have the mouseover stuff read "Muhahaha" -- get the idea? Of course you can also easily modify the URL, for example inserting some really disgusting site.

If your friend knows something about computer security, this won't work because he or she might be using a relatively safe browser such as Mozilla (free from https://www.mozilla.org/. You can defend against the Javascript attack by disabling it on your browser.

You can make your browsers much safer by disabling not only Javascript but all active scripting. To turn off active scripting (Javascript, ActiveX and Java) in IE 6:

Click Tools --> Internet Options and choose the Advanced tab. Scroll down the list of radio buttons to Microsoft VM and uncheck all of them.

Next choose the Security tab. At the very top you will see the ActiveX controls and plug-ins. Click the "prompt" radio buttons for all of them. This will give you a chance to see whether an ActiveX program is the culprit.

Continue scrolling down the radio buttons to Java permissions. Unclick the Java radio button.

To turn off active scripting in Mozilla:

Click edit --> Preferences--> Advanced and unclick the Java radio button.

Then click Scripts & Plugins and disable Javascript.

* How to send an email attachment that tricks someone who uses Internet Explorer into thinking you defaced the CIA web site.

If you don't have a web site of your own, here's another way to fake a URL. Send this web page code via an attachment to email. Here's how to do it. In Windows, click Start --> All Programs --> Accessories --> Notepad. Cut and paste the code into Notepad, then save it as hack.htm. Then attach this file to an email with a charming invitation to view your dastardly defacement of the CIA web page. When the reader clicks on the attachment, it will bring up the default browser, usually IE. By clicking on the button that the browser shows, it will display http://www.cia.gov in the location window, but it will really be at Happyhacker.org (or whatever awful web site you picked).

Is it possible to put the button hack into the body text of an email? Yes, but it doesn't seem to work there. I've tested this exploit against both Eudora 6.0.1 and Outlook Express 6.0. When I coded the exploit into the message body, it displayed the button, but clicking on it doesn't do anything. However, keep tuned, there might be a way to do this. If you would like to test new exploits, see the Uberhacker bonus section below for help on how to embed interesting code into email.

GaNt points out that his Javascript above can be inserted into an email by making a web site and then cutting and pasting it into Outlook. I found that sometimes this trick doesn't seem to work right away, but there is another trick. If your code just looks like code in your email that you are sending, email it to yourself. Oftentimes it will be working properly when you receive it. Then use the redirect or forward command to send it on to someone else.

You can get punched in the nose warning: Many antivirus programs will block email with spoofed URLs. Whomever you send it to might accuse you of trying to infect him or her with a virus, because these antivirus programs call *everything* a virus! To evade antivirus programs, try sending an attachment that is zipped and passworded. Without the password the antivirus program can't scan for a spoofed URL.