[Mimedefang] [OT] Fw: Interesting Phishing Trick

Philip Prindeville philipp_subx at redfish-solutions.com
Thu Mar 9 21:06:22 EST 2006

Kevin A. McGrail wrote:
> Philip:
> This rule won't hit on the phishing email I was discussing.  It doesn't use 
> a mouseover.  It uses a nested a tag to hide to real link.  Thanks to 
> Kenneth Porter, here's my original post:
> http://thread.gmane.org/gmane.comp.jakarta.tomcat.user/127749


I get that.

The larger point that I was trying to make (and I could have
done a better job of connecting the dots) is this:

* sometimes someone will send out HTML that will look like:

  <a href="http://www.foo.com/...">http://www.bar.com/...</a>

  where you think you're going to www.bar.com, but you're
  actually going to www.foo.com.

* Some browsers will display (below in the status bar) the real
  URL contents when you put your mouse over the anchor in the
  status bar (as visual confirmation of where you're about to go).

* the connection I was trying to make is that if the attributes
  of the <a> contain:

     onMouseOver="window.status=' ...

  you can override what the contents of the status bar end up
  looking like, thus circumventing the limited security that
  browsers provide (in the form of visual feedback above).

Hope this is more clear.


More information about the MIMEDefang mailing list