[SURBL-Discuss] Fw: Interesting Phishing Trick

Jeff Chan jeffc at surbl.org
Wed Mar 8 23:24:39 CET 2006

On Wednesday, March 8, 2006, 9:14:57 AM, Kevin McGrail wrote:
> A co-worker of mine just pointed this out to me today.  He tested it in
> Thunderbird and I tested it in OE6.  It warrants serious attention.

> Ignoring the munged part, this would trick a very savvy internet user that
> allows HTML email, clicks on a link and doesn't check the browser address
> line.

> Any input on rules or techniques to block this nasty fellow?

> Sincerely,

>> I just received a phishing e-mail claiming to be from eBay.  All of the
>> links LOOKED legit, including what displayed in the status bar when you
>> moused over a link.  I knew this was not legit, so I looked in the
>> source code and found this:
>> <div><a
> href="https://signin.ebay-MUNGED.com/ws/eBayISAPI.dll?SignIn&sid=verify&co_p
> artnerId=2&siteid=0"><table><caption><a
> href=""><u style="cursor: pointer"><font
color="#008000">>eBay Update
> Center</font></u></a></caption></table></a></div>
>> Note the double use of an a href tag, one inside a caption tag, one
> outside.  The outside a href displays, while the a href within the caption
> tag is what would actually be triggered.
>> Interesting way of masking the true URL.

It's an interesting use, but I don't believe it would confuse
SpamAssassin, etc.  The second URI should be visible enough to be
checked, and I added the IP to ph.surbl.org.

Please report phishing spams to:

  spam at mailpolice. com

Jeff C.
Don't harm innocent bystanders.

More information about the Discuss mailing list