Thunderbird will display the URL of any link you hover over in an
email... so the email will say "www.ebay.com" and the actual displayed
link during the hover is "201.22.98.34/incoming/.ebay.com". I've never
been phished.
One phishing email had what looked like a link in the email and I hovered
over it and it put http://www.ebay.com for the link in the status bar. I
wanted to right click and bring up the properties of the link to copy it for
further inspection as I suspected a phishing attack. Then I got the image
properties. I viewed the page source and I realised the email was an image,
and the clever dick running the attack had put an image map at the click
point of the URL link looking part of the image. The image map ref was a
http://x.x.x.x/blah type link to the no doubt phishing site, and the
www.ebay.com URL was a ref for the whole image. IE only showed the whole
image ref when hovered over, but would have run the image map ref when
clicked. The site would then only have needed to somehow cover its real
identity in the address bar when loaded and I would have been completely
fooled.
Very slick. I got lucky.
David
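
An added example, not part of the posts above: a check a mail filter could run over an HTML body to catch the trick David describes, where the link wrapped around the whole image shows one host on hover while an image-map area opens another. The host name, address and function names are assumptions made for the illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

class ImageMapAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.anchor_href = None  # href of the <a> currently open, if any
        self.current_map = None  # name of the <map> currently open, if any
        self.shown = {}          # map name -> href of the <a> around the image
        self.areas = {}          # map name -> [<area href>, ...]

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self.anchor_href = a.get("href")
        elif tag == "img" and a.get("usemap"):
            self.shown[a["usemap"].lstrip("#").lower()] = self.anchor_href
        elif tag == "map":
            self.current_map = (a.get("name") or "").lower()
        elif tag == "area" and self.current_map is not None and a.get("href"):
            self.areas.setdefault(self.current_map, []).append(a["href"])

    def handle_endtag(self, tag):
        if tag == "a":
            self.anchor_href = None
        elif tag == "map":
            self.current_map = None

def host_of(url):
    return (urlparse(url or "").hostname or "").lower()

def is_ip(host):
    try:
        return ipaddress.ip_address(host) is not None
    except ValueError:
        return False

def audit(html):
    """Return (map name, host shown on hover, host the area opens) per mismatch."""
    parser = ImageMapAudit()
    parser.feed(html)
    pairs = ((n, host_of(parser.shown.get(n)), host_of(h))
             for n, hrefs in parser.areas.items() for h in hrefs)
    # Flag areas that open a bare IP address or a host other than the one shown.
    return [(n, s, t) for n, s, t in pairs if is_ip(t) or (s and t != s)]

# Constructed sample (documentation-only host and address, not from the email).
SAMPLE = ('<a href="http://www.shop.example/"><img src="mail.png" usemap="#m"></a>'
          '<map name="m"><area shape="rect" coords="40,300,260,320" '
          'href="http://192.0.2.10/blah"></map>')
```

Calling `audit(SAMPLE)` reports map `m` with the shown host and the differing IP target; a body whose areas stay on the shown host returns an empty list.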