I remember reading about an attack where the "location bar" in a user's browser displays a valid URL (e.g. https://www.paypal.com/), but the traffic is really being directed to or intercepted by an attacker. How can this be accomplished, and what can end-users do to ensure a URL they are visiting is what it claims to be?
Edit: I don't remember if the attack was talking about HTTP or HTTPS, so my question applies to both.
Performing an attack on an https:// address without change of URL would require :
To ensure not being hijacked this way, always be certain that your browser is up to date and ensure certificates are up to date too. Certificate can be rendered invalid and the CRL (Certificate Revocation List) should be checked whenever you have to use a certificate (via OCSP -Online Certificate Status Protocol - or so). I do not remember how browsers handle this type of request.
Do you mean where the attacker registers a domain that looks similar to a "real" one, but using non-English (or rather, non-Latin) characters?
See
If the attacker can do man-in-the-middle (e.g. wireless or if he is able to get anywhere in between you and the site you want to visit) then they can spoof DNS, use something like sslstrip (http://www.thoughtcrime.org/software/sslstrip/) to trick you, or really do any content manipulation they want.
For HTTPS, check out: Can a HTTPS connection be compromised because of a rogue DNS server
There is also the family of attacks where the browser correctly shows whatever the attacker wants it to show, but the traffic still goes to the malicious website, either through a simple DNS hijacking (where the browser has the correct URL but it resolves to an incorrect IP address) or low level hijacking of browser code to separate the displayed information from that in the application itself.
