There is a current bug in IE that will allow someone to send you a link that, when clicked, appears in your browser URL bar as one site but brings up a different one. Read the article here... http://www.eweek.com/print_article/0,3048,a=114456,00.asp

Since this is such a nasty bug with severe implications for phishers, I have clipped the relevant portion of the text below...
In addition, there is a particular problem in Internet Explorer which allows a malicious coder to make it appear as if the user is viewing a different Web site than they actually are viewing.

The bug involved the use of a feature of Uniform Resource Identifiers (browser addresses) that is more often abused than legitimately used: the '@'. When an '@' is part of the domain in a Web address, the browser treats the string to the left of it as a user name to fill in any userid prompts, and everything on the right side as the domain name. This is perfectly legitimate syntax. Click for the actual standard document about URIs.
Malicious coders, such as phishers, often will use this technique to obscure the actual address of the site they send you to. For example, they might send you a message that appears to be from Paypal and include a link that looks something like http://firstname.lastname@example.org/accounts/validate.htm (The IP address I used is illegal for the same reason they use 555 phone numbers on TV.) Notice the numeric string to the right of the '@' mark. This link will not take you to www.paypal.com, but to 64.225.264.128. But most unsophisticated users won't notice the difference. Still, all of this monkey business is perfectly legal (if immoral) under the URI standard.
The latest bug adds a twist: If you put ASCII 00 and 01 characters (designated as %00%01 in the spec.) just prior to the '@' character, then Internet Explorer won't display the just the %01 character and also decode the string with the

So what does it actually look like? Try pressing the button below. In the Status bar, the link appears to take you to the White House site, but it actually takes you to the latest column of one of our eWEEK columnists. The actual link was: http://email@example.com/article2/0,4149,1407901,00.asp
The applications for phishing attacks are pretty self-explanatory. The viewer will think they're on www.paypal.com, or whatever, but they will actually be who-knows-where.

There are many variations of this particular scheme, and surprisingly some of them partially work on Mozilla as well.

The anchor link version of this vulnerability also results in the partial, incorrect address being displayed in the status line as the user hovers the mouse over the link. Versions of Mozilla I tested (Versions 1.0 and 1.5) also showed the partial address in the status line, although they displayed the full address in the address bar. Just for fun, I tried Netscape 4.7 as well. Despite being one of the worst programs ever written, it handled this situation properly, displaying the full URL in the address and status lines.
There is also the issue of HTML e-mail. If an HTML message is sent with one of these links, could the user be misled to the wrong site?

When you click on the link in a message in Outlook 2002 it opens a browser window with the correct address, and it even strips out what was to the left of the '@'. Ironically, Outlook Express 6 takes you to the site on the left side of the '@'. So in the above example, surprise, it actually takes you to www.whitehouse.gov.

Still, if you're reasonably skeptical of what you get in the mail and take reasonable precautions, you're probably safe from both of these problems. Unfortunately, not everyone is so careful.

So expect to read on these pages soon about the poor folks who credulously clicked away and got taken. It's like watching an accident happen and you're powerless to stop it. Just be careful about where you go in that browser.
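The two tricks the clipped article describes (a hostname-looking string in the userinfo part before the '@', and the %00%01 control characters that make IE hide what follows) are both visible to anything that parses the link the way the URI standard says to: the real host is whatever comes after the last '@' in the authority, regardless of what the left side looks like. The following is an added example of that check for a mail gateway or link-scanning filter; it is not code from the post or from eWEEK. The sample links are constructed here: the Paypal one reuses the illegal 64.225.264.128 address from the article, and the White House one points at the placeholder host example.net rather than the article's real target.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample links modelled on the shapes the article describes.
# The hosts after the '@' are a placeholder / the article's deliberately
# invalid IP, not real phishing infrastructure.
SAMPLE_LINKS = [
    "http://www.paypal.com/accounts/validate.htm",                 # ordinary link
    "http://www.paypal.com@64.225.264.128/accounts/validate.htm",  # '@' trick
    "http://www.whitehouse.gov%00%01@example.net/column.htm",      # %00%01 twist
    "http://alice@example.net/private/",                           # legitimate userinfo
]

# Something that looks like a dotted hostname (at least one dot).  A plain
# username such as "alice" deliberately does not match.
DOMAIN_LIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)
IPV4_LIKE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def real_host(url):
    """Host the browser actually connects to under the URI authority rules:
    everything after the LAST '@' in the authority, minus any :port."""
    netloc = urlsplit(url).netloc
    hostport = netloc.rpartition("@")[2]
    return hostport.split(":")[0].lower()


def analyze_link(url):
    """Split the authority into the part a victim sees (userinfo) and the
    part that matters (host), and flag the patterns the article describes."""
    parts = urlsplit(url)
    userinfo, at, hostport = parts.netloc.rpartition("@")
    host = hostport.split(":")[0].lower()
    flags = []

    if at:
        flags.append("userinfo-present")
        decoded = unquote(userinfo)
        # %00 / %01 (or any other C0 control) hidden in front of the '@'
        if any(ord(c) < 0x20 for c in decoded):
            flags.append("control-chars-in-userinfo")
        # Judge the visible text after dropping the control characters,
        # since that is what the status bar would show.
        visible = "".join(c for c in decoded if ord(c) >= 0x20)
        if DOMAIN_LIKE.match(visible):
            flags.append("userinfo-looks-like-hostname")

    # The article's sample IP has an octet of 264; a real filter would also
    # see genuinely routable addresses here, so treat any IP literal as notable.
    if IPV4_LIKE.match(host):
        flags.append("ip-literal-host")
        if any(int(octet) > 255 for octet in host.split(".")):
            flags.append("invalid-ipv4-literal")

    return {"displayed_prefix": userinfo, "real_host": host, "flags": flags}


def is_suspicious(url):
    """True when the link shows one host in front of the '@' but resolves
    to another, or hides control characters in the userinfo."""
    flags = analyze_link(url)["flags"]
    return "userinfo-looks-like-hostname" in flags or "control-chars-in-userinfo" in flags


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        info = analyze_link(link)
        verdict = "SUSPICIOUS" if is_suspicious(link) else "ok"
        print(f"{verdict:10} real host={info['real_host']:16} "
              f"shown-as={info['displayed_prefix']!r} flags={info['flags']}")
```

The decision rests on two observations rather than a blacklist: a userinfo field that reads like a dotted hostname is almost never legitimate (real HTTP credentials are usernames, as in the alice@example.net sample, which is left alone), and percent-encoded control characters have no business in any part of an authority. Note that `rpartition("@")` is used on purpose, since the standard gives the last '@' to the host boundary and an attacker can put as many '@' characters as they like in the userinfo.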