From kmcgrail@pccc.com Wed Mar  8 18:15:13 2006
From: "Kevin A. McGrail" <kmcgrail@pccc.com>
To: discuss@lists.surbl.org
Subject: [SURBL-Discuss] Fw: Interesting Phishing Trick
Date: Wed, 08 Mar 2006 12:14:57 -0500
Message-ID: <022a01c642d3$d558ff30$cc0a0a0a@thoughtworthy.internal>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4013222209538775294=="

--===============4013222209538775294==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

A co-worker of mine just pointed this out to me today.  He tested it in
Thunderbird and I tested it in OE6.  It warrants serious attention.

Ignoring the munged part, this would trick a very savvy internet user that
allows HTML email, clicks on a link and doesn't check the browser address
line.

Any input on rules or techniques to block this nasty fellow?

Sincerely,
KAM

> I just received a phishing e-mail claiming to be from eBay.  All of the
> links LOOKED legit, including what displayed in the status bar when you
> moused over a link.  I knew this was not legit, so I looked in the
> source code and found this:
>
> <div><a
href="https://signin.ebay-MUNGED.com/ws/eBayISAPI.dll?SignIn&sid=verify&co_p
artnerId=2&siteid=0"><table><caption><a
href="http://211.254.130.108-MUNGED/...../"><u style="cursor: pointer"><font
color="#008000">eBay Update
Center</font></u></a></caption></table></a></div>
>
> Note the double use of an a href tag, one inside a caption tag, one
outside.  The outside a href displays, while the a href within the caption
tag is what would actually be triggered.
> Interesting way of masking the true URL.


--===============4013222209538775294==--