"Shadow Link" - A harmless example but a dangerous technique!

[TaoPhoenix]

Okay this one is a little scary to me.

Here's the awards page for a property company.

http://www.halstead....ards-and-recognition
Take a look at those "Leading Real Estate Companies of the World" links.

When you click on one, it goes to some page that talks about an affiliation between a broker network and the company. But if you copy and re-paste the address "http://www.leadingre.com/", it goes to a different site!

To me the "pasted version" is the "real site", and the other page is something on the broker's site. Fine. But don't re-use the link address to create some kind of "shadow page"!
 

What I can't figure out is where the redirect script/whatever is coming from!

To me that's dangerous because the method can be used for MUCH more nasty uses! We all are pretty good at defending Phishing attacks by looking at the address it points to like "www.sdgfdfgd.com/BOA-attack". But on that awards page, the link points to the "right" address!

So I'd appreciate some advice on how to stop that "shadow page" because that could be the mother of all phishing weapons. It seems to work cross browser and even with javascript off!

I'd also like to know the true address of the "shadow page".

To make it worse, the "favicon" changes! (I think that's the word.) The shadow page is clearly on the broker's site because it has their favicon. But when you re-paste the address in the title bar, it changes back to the "national" one! That's just nasty!

I am sending them a version of this note.

[app103]

Both pages are on the same site. What they are probably doing is basing the content that is shown to you, on the referrer. Visit the site by clicking the link on the first site and you will get shown certain content, but without a referrer (which is what happens when you type or paste the URL into your browser's address bar) you end up seeing the default content.

This is done at the server level on the 2nd site. This is not a type of URL spoofing. It can not be used to make you think you are on your bank's site by changing the URL shown in the address bar.

But your bank can use this method to choose to show you different content if you click a link to their site, coming from one of their affiliates, as opposed to typing in the URL.

If you want to block this type of behavior, you need to block sending referrer information from your browser. This may have some unwanted bad side effects, though. Some sites will not give you what you want, without the referrer being on their approved list, such as being able to download files from some sites, without the referrer being their own download page.

[TaoPhoenix]

Interesting explanation App.

"This is not a type of URL spoofing. It can not be used to make you think you are on your bank's site by changing the URL shown in the address bar. "

I have to take your word for it I guess because you're that scary taskbar girl, but I still don't fully believe it as a technique it can't be combined with another trick to make you think you're on your bank's site. I forget which of my notes has which info (this one and the one to the company) but in the example I used somewhere, if a page can be rebuilt that much, and the hacker sends you a link with "a referrer", why wouldn't it look like a bank site?

I don't care if they track my referrer for their metrics, but to have completely different content from the same web address really scares me!