
BiDi Swap: How Bidirectional Text Creates Deceptive URLs

The Invisible Threat: How Malicious URLs Hide in Plain Sight

In the ongoing battle for cybersecurity, one of the most effective weapons for cybercriminals is deception. We’re often told to “check the link before you click,” but what if the link itself is lying to you? A sophisticated phishing technique known as the BiDi Swap attack does just that, using a quirk in how web browsers render text to create URLs that appear safe but lead to malicious destinations.

This attack exploits the very systems designed to make the web accessible to a global audience, turning a helpful feature into a dangerous vulnerability. Understanding how it works is the first step toward protecting yourself.

What is Bidirectional (BiDi) Text?

To understand the attack, we first need to understand its foundation: bidirectional text. Most languages, like English, are written and read from Left-to-Right (LTR). However, many other languages, including Arabic, Hebrew, and Persian, are read from Right-to-Left (RTL).

To accommodate both on a single page, computers follow a set of rules defined by the Unicode standard (the Unicode Bidirectional Algorithm). These rules let a browser display, for example, an English sentence followed by an Arabic phrase in the correct order. Special, invisible Unicode control characters act as commands, telling the browser to switch the direction of the text.

While essential for a multilingual internet, these control characters can be weaponized.

The BiDi Swap Attack Explained

The BiDi Swap attack leverages a specific Unicode character called the Right-to-Left Override (RLO). When a browser encounters this invisible character in a string of text, it is forced to display all subsequent characters in a right-to-left order, regardless of what they are.

This is where the deception happens. An attacker can craft a URL that contains this hidden RLO character to completely reverse the appearance of a portion of the link.

Consider this example of a malicious URL:

https://www.trusted-bank.com/‮pdf.login.html

The RLO character itself is invisible; in the address above it sits immediately after the trailing slash. To a computer, the link points to a file named login.html on a malicious domain that cleverly includes “pdf” in its name.

However, when a web browser or email client renders this link for a user to see, it follows the RLO command and reverses the text after it. The user sees this:

https://www.trusted-bank.com/lmth.nigol.fdp

While that looks jumbled, a more sophisticated attacker can craft it perfectly. Let’s look at a more dangerous example:

The real link: https://example.com/moc.evil-site/login
The invisible character is placed: https://example.com/‮moc.evil-site/login
What you see displayed: https://example.com/login/etis-live.com

The link you see is not the link you click. You believe you are navigating to a “login” folder on the safe example.com, but you are actually being sent to the malicious domain evil-site.com. This tactic is incredibly effective for harvesting credentials or delivering malware because it appears to originate from a trusted source.
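An added example (my own code, not the article's or the linked BleepingComputer post's): a small Python checker that flags bidi control characters in a URL, reports the host the browser will really contact, and approximates the RLO-rendered view of the first example above. The function names are my own, and the display simulation is a deliberate simplification of the Unicode Bidirectional Algorithm.

```python
"""Flag bidi control characters in URLs and approximate the RLO-rendered view."""
from urllib.parse import urlsplit

# Unicode bidi embedding, override and isolate controls (U+202A..U+202E, U+2066..U+2069).
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}
RLO, PDF = "\u202e", "\u202c"


def find_bidi_controls(text):
    """Return (position, name) for every bidi control character in text."""
    return [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(text) if ch in BIDI_CONTROLS]


def escape_controls(text):
    """Make the controls visible, e.g. for a mail gateway's quarantine report."""
    return "".join(f"<U+{ord(ch):04X}>" if ch in BIDI_CONTROLS else ch for ch in text)


def simulate_rlo_display(text):
    """Approximate the rendered order: text before the RLO is unchanged, text
    after it is reversed up to a PDF (or the end of the string). This ignores
    nesting and glyph mirroring, which the full bidi algorithm would apply."""
    if RLO not in text:
        return text
    head, _, tail = text.partition(RLO)
    overridden, _, rest = tail.partition(PDF)
    return head + overridden[::-1] + simulate_rlo_display(rest)


def assess_url(url):
    """Summarise why a URL is (or is not) a BiDi Swap candidate."""
    controls = find_bidi_controls(url)
    return {
        "suspicious": bool(controls),
        "controls": controls,
        "host": urlsplit(url).hostname,  # what the browser actually connects to
        "escaped": escape_controls(url),
        "displayed": simulate_rlo_display(url),
    }


if __name__ == "__main__":
    # Constructed sample: the article's first example with a literal RLO after the slash.
    for u in ("https://www.trusted-bank.com/" + RLO + "pdf.login.html",
              "https://www.trusted-bank.com/login.html"):
        print(assess_url(u))
```

In a link scanner the "host" field is the value to compare against the "displayed" string: when the two disagree, the link is showing the user something other than where it goes.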

Why This Phishing Tactic is So Dangerous

The BiDi Swap attack is particularly insidious because it circumvents the standard advice given to users.

  • It preys on trust. The visible part of the domain name is legitimate, lulling the user into a false sense of security.
  • It bypasses casual inspection. Even a cautious user who glances at the URL could be easily fooled, as the link appears to be correct.
  • It can be used anywhere text is displayed. These deceptive links can be embedded in emails, text messages, social media posts, and forum comments.

How to Protect Yourself from Deceptive URLs

While the attack is clever, you are not defenseless. Modern browsers have implemented some safeguards, but ultimate security comes from user vigilance and good habits.

  1. Hover Before You Click. This is the most effective defense. When you move your mouse cursor over a link (without clicking), your browser displays the actual URL destination in the bottom-left corner of the window. This status bar display almost always reveals the link’s real structure, ignoring the deceptive rendering.

  2. Manually Type Critical URLs. When it comes to sensitive websites like your bank, email, or government services, avoid using links from emails or messages. Open a new browser tab and type the address in manually to ensure you are going to the right place.

  3. Be Wary of Mismatched Text. If the link text says one thing (e.g., “View your secure document”) but the URL displayed on hover looks suspicious or different, do not click it. Attackers often use convincing anchor text to hide the malicious link.

  4. Use a Password Manager and Multi-Factor Authentication (MFA). Even if you are tricked into visiting a malicious site, a good password manager may not auto-fill your credentials on a domain it doesn’t recognize. Furthermore, enabling MFA provides a critical second layer of defense, preventing a stolen password from being enough to compromise your account.

  5. Keep Your Browser and Antivirus Software Updated. Security teams for major browsers are aware of these threats and continuously release patches to better detect and warn users about potentially malicious URLs, such as those using Punycode or mixed scripts.

By staying informed and practicing safe browsing habits, you can spot the deception and ensure that the links you click are taking you exactly where you expect to go.

Source: https://www.bleepingcomputer.com/news/security/bidi-swap-the-bidirectional-text-trick-that-makes-fake-urls-look-real/
