[quote]I would like the URL in the address bar to stay the same to make it seem as though my visitors are seeing this site on my domain name but it has actually, sneakily redirected itself to my tumblr site.
I’ve googled and googled and can’t seem to find a way around this … but there must be?![/quote]
But see, if istealmoney.ru sent you an email pretending to be your bank and said “click here to update your account”, and you went to istealmoney.ru but the URL bar said yourSafeBank.com, that would totally break the interwebs.
So that’s why the “sneakily redirect” instructions aren’t on the web. One could probably hack a particular individual’s web browser to show the wrong URL, but there’s (luckily) no web way to do that.
This is for safety reasons. People should always be able to see which domain they are actually visiting.
What some phishers do instead is something like,
if they own some very short-named spammy site like fu.ru
and they wanted you to think you were at mySafeBank.com
then sometimes they’ll make a subdomain “mySafeBank-com”
so that the unwary and not careful surfer might see
mySafeBank-com.fu.ru
and not notice the real domain tacked on the end.
I’ve seen people do it with PayPal in phishing emails I’ve gotten.
The iframe thing is a technique that’s also used in something called clickjacking, although usually with clickjacking the evildoer only makes the iframe as large as the image of the clickable whatever they hope the user clicks on.
Like, the safe-but-hacked page has a button like “log in” and the clickjacker, who has captured control of the once-safe page, has injected an iframe and positioned it to sit directly over that login button, invisibly. When the user clicks the button they see, they’re actually clicking on an iframe. This basically tricked a user into clicking a link to a malicious website. The malicious website can be styled to look like theSafeWebPage entirely, but luckily the malicious website cannot fake the URL.
So in your case, you’d have the iframe just loading the tumblr page and users would actually see and interact with the tumblr page. The “outside” of your page remains your original domain, so the URL is still of your domain.
However, as this is a technique like “how do I remove my victim’s blood from the carpeting in my car’s trunk?”, googling for how to do this will likely take you to some darker areas of the interwebs.
I would recommend that you not do it. It’s kinda mean to your users. : )
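As an added example (not part of the post above, and not any particular site's code): the iframe trick only works if the framed site lets itself be framed, and the defence against clickjacking is exactly that the target page tells the browser who may frame it, via `Content-Security-Policy: frame-ancestors` (with `X-Frame-Options` as the fallback for old browsers). The snippet below checks a set of response headers against a framing origin the way a browser would decide, and builds the hardened header pair. The header values, origins and the `bank.example` / `partner.example` names are all constructed for the demo.

```javascript
// Added example: decide whether a page's response headers let a given origin
// frame it, and build the headers that block the iframe/clickjacking trick.
// Header values and origins below are constructed samples, not real sites.

// Return the frame-ancestors source list from a CSP header, or null if absent.
function frameAncestorsSources(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Does one frame-ancestors source expression match the framing origin?
// Supports 'none', 'self', scheme-sources ("https:") and host-sources
// ("https://a.example", "*.partner.example", "a.example:8443").
function sourceMatches(source, framer, page) {
  if (source === "'none'") return false;
  if (source === "'self'") return framer === page;
  const f = new URL(framer);
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return f.protocol === source;
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && f.protocol !== scheme + ':') return false;
  if (host.startsWith('*.')) {
    if (!f.hostname.endsWith(host.slice(1))) return false; // "*.x.example" -> ".x.example"
  } else if (host !== '*' && f.hostname !== host) {
    return false;
  }
  if (port && port !== '*') {
    const framerPort = f.port || (f.protocol === 'https:' ? '443' : '80');
    if (framerPort !== port) return false;
  }
  return true;
}

// Evaluate whether `framerOrigin` may put the page at `pageOrigin` in an iframe,
// given the page's response `headers` (header names are case-insensitive).
function framingAllowed(headers, framerOrigin, pageOrigin) {
  const framer = new URL(framerOrigin).origin;
  const page = new URL(pageOrigin).origin;
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // When both headers are present, CSP frame-ancestors wins and XFO is ignored.
  const sources = frameAncestorsSources(h['content-security-policy']);
  if (sources) {
    const allowed = sources.some((s) => sourceMatches(s, framer, page));
    return { allowed, reason: `frame-ancestors ${sources.join(' ')}` };
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { allowed: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN') {
    return { allowed: framer === page, reason: 'X-Frame-Options: SAMEORIGIN' };
  }
  // No recognised anti-framing header: any site may frame the page.
  return { allowed: true, reason: 'no framing restriction' };
}

// Build the header pair a page should send. `ancestors` lists origins allowed to
// frame it (empty = nobody may frame it). XFO is the fallback for old browsers.
function antiFramingHeaders(ancestors = []) {
  const sources = ancestors.length ? ["'self'", ...ancestors] : ["'none'"];
  return {
    'Content-Security-Policy': `frame-ancestors ${sources.join(' ')}`,
    'X-Frame-Options': ancestors.length ? 'SAMEORIGIN' : 'DENY',
  };
}

// Constructed sample responses for three kinds of site.
const SAMPLE_RESPONSES = {
  unprotected: { 'Content-Type': 'text/html' },
  legacy: { 'X-Frame-Options': 'SAMEORIGIN' },
  hardened: {
    'Content-Security-Policy':
      "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
  },
};

const PAGE = 'https://bank.example';
for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
  for (const framer of [PAGE, 'https://app.partner.example', 'https://evil.example']) {
    const r = framingAllowed(headers, framer, PAGE);
    console.log(`${name.padEnd(12)} framed by ${framer.padEnd(28)} -> ${r.allowed ? 'ALLOWED' : 'blocked'} (${r.reason})`);
  }
}
```

The `unprotected` case is the one the post describes: with no anti-framing header, any domain can wrap the page in an iframe and keep its own URL in the address bar. The `hardened` case is what a site sends when it wants that stopped; `antiFramingHeaders()` shows how little it takes.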