On Wednesday 08 March 2006 12:14, Kevin A. McGrail wrote:
>A co-worker of mine just pointed this out to me today.  He tested it
> in Thunderbird and I tested it in OE6.  It warrants serious
> attention.
>
>Ignoring the munged part, this would trick a very savvy internet user
> that allows HTML email, clicks on a link and doesn't check the
> browser address line.
>
>Any input on rules or techniques to block this nasty fellow?
>
>Sincerely,
>KAM
>
>> I just received a phishing e-mail claiming to be from eBay.  All of
>> the links LOOKED legit, including what displayed in the status bar
>> when you moused over a link.  I knew this was not legit, so I looked
>> in the source code and found this:
>>
>> <div><a
>> href="https://signin.ebay-MUNGED.com/ws/eBayISAPI.dll?SignIn&sid=verify&co_partnerId=2&siteid=0"><table><caption><a
>> href="http://211.254.130.108-MUNGED/...../";><u style="cursor: pointer"><font color="#008000">eBay Update Center</font></u></a></caption></table></a></div>
>>
>> Note the double use of an a href tag, one inside a caption tag, one
>> outside.  The outside a href displays, while the a href within the
>> caption tag is what would actually be triggered.
>>
>> Interesting way of masking the true URL.

It's an elderly method in fact, in common usage for 2-3 years at least.  
The inside, bogus address will show in most browsers and email agents 
if you hover the mouse over it.

-- 
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's
stupid bounce rules.  I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.
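
One way to flag the nested-link markup quoted above, as an added example that is not part of the original thread and is not a SpamAssassin rule: a Python check that reports any `<a>` opened inside another open `<a>` when the two hrefs name different hosts. The function names and the sample hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the quoted markup; hosts are placeholders.
SAMPLE = ('<div><a href="https://signin.shop.example/ws/SignIn?sid=verify">'
          '<table><caption><a href="http://192.0.2.10/update/">'
          '<u style="cursor: pointer">Update Center</u></a>'
          '</caption></table></a></div>')


def host_of(href):
    """Lower-cased host of an href, or '' when it has none (relative, mailto:)."""
    try:
        return (urlsplit(href.strip()).hostname or "").lower()
    except ValueError:
        return ""


class NestedAnchorFinder(HTMLParser):
    """Collects (outer_href, inner_href) for every <a> opened inside an open <a>."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.open_hrefs = []   # hrefs of the <a> elements currently open
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        if self.open_hrefs:
            self.findings.append((self.open_hrefs[-1], href))
        self.open_hrefs.append(href)

    def handle_endtag(self, tag):
        if tag == "a" and self.open_hrefs:
            self.open_hrefs.pop()


def mismatched_nested_links(html):
    """Return nested-anchor pairs whose outer and inner hrefs name different hosts."""
    finder = NestedAnchorFinder()
    finder.feed(html)
    finder.close()
    return [(o, i) for o, i in finder.findings
            if host_of(o) and host_of(i) and host_of(o) != host_of(i)]
```

The parser works on raw tags rather than a browser-repaired DOM, so it sees the nesting exactly as it appears in the message source.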
