Nasty little IE bug you need to be aware of...
There is a current bug in IE that will allow someone to send you a link that, when clicked, appears in your browser URL bar as one site but brings up a different one. Read the article here... http://www.eweek.com/print_article/0,3048,a=114456,00.asp
Since this is such a nasty bug with severe implications for phishers, I have clipped the relevant portion of the text below...
In addition, there is a particular problem in Internet Explorer which allows a malicious coder to make it appear as if the user is viewing a different Web site than they actually are viewing. The bug involved the use of a feature of Uniform Resource Identifiers (browser addresses) that is more often abused than legitimately used: the '@' character.
When an '@' is part of the domain in a Web address, the browser treats the string to the left of it as a user name to fill in any userid prompts, and everything on the right side as the domain name. This is perfectly legitimate syntax. Click here for the actual standard document about URIs.
Malicious coders, such as phishers, often will use this technique to obscure the actual address of the site they send you to. For example, they might send you a message that appears to be from Paypal and include a link that looks something like this: http://firstname.lastname@example.org/accounts/validate.htm (The IP address I used is illegal for the same reason they use 555 phone numbers on TV shows.)
Notice the numeric string to the right of the '@' mark. This link will not take you to www.paypal.com, but to 64.225.264.128. But most unsophisticated users won't notice the difference. Still, all of this monkey business is perfectly legal (if immoral) under the URI standard.
So what does it actually look like? Try pressing the button below. In the Status bar, the link appears to take you to the White House site, but it actually takes you to the latest column of one of our eWEEK columnists.
The actual link was: http://email@example.com/article2/0,4149,1407901,00.asp
The applications for phishing attacks are pretty self-explanatory. The viewer will think they're on www.paypal.com, or whatever, but they will actually be who-knows-where.
There are many variations of this particular scheme, and surprisingly some of them partially work on Mozilla as well.
The anchor link version of this vulnerability also results in the partial, incorrect address being displayed in the status line as the user hovers the mouse over the link. Versions of Mozilla I tested (Versions 1.0 and 1.5) also showed the partial address in the status line, although they displayed the full address in the address bar. Just for fun, I tried Netscape 4.7 as well. Despite being one of the worst programs ever written, it handled this situation properly, displaying the full URL in the address and status lines.
There is also the issue of HTML e-mail. If an HTML message is sent with one of these links, could the user be misled to the wrong site?
When you click on the link in a message in Outlook 2002 it opens a browser window with the correct address, and it even strips out what was to the left of the '@.' Ironically, Outlook Express 6 takes you to the site on the left side of the '@.' So in the above example, surprise, it actually takes you to www.whitehouse.gov.
Still, if you're reasonably skeptical of what you get in the mail and take reasonable precautions, you're probably safe from both of these problems. Unfortunately, not everyone is so careful.
So expect to read on these pages soon about the poor folks who credulously clicked away and got taken. It's like watching an accident happen and you're powerless to stop it. Just be careful about where you go in that browser.
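As an added example (it is not from the eWEEK article or the original post), here is a small Python check that splits a link the way the URI syntax described above says a browser should: everything before the '@' in the authority is userinfo, everything after it is the host that actually gets contacted. It reports the host a hurried reader would assume, the real host, and a cleaned link with the userinfo stripped, which is what the article says Outlook 2002 does. The sample links are constructed for this example; the first copies the shape of the article's Paypal example with a made-up, valid IP address, and the second the shape of its White House example.

```python
from urllib.parse import urlsplit, urlunsplit
import ipaddress

# Constructed sample links for this example; they are not the article's own
# (the first copies the shape of the article's Paypal example with a made-up,
# valid IP address, the second the shape of its White House example).
SAMPLE_LINKS = [
    "http://www.paypal.com@64.225.1.128/accounts/validate.htm",
    "http://www.whitehouse.gov@www.eweek.com/article2/0,4149,1407901,00.asp",
    "http://www.paypal.com/accounts/validate.htm",
    "http://user:secret@ftp.example.org/pub/",
]


def real_host(url):
    """Host the browser actually connects to: the authority text after the
    last '@'. urlsplit() parses the userinfo off and lower-cases the host."""
    return urlsplit(url).hostname


def apparent_host(url):
    """What a hurried reader takes for the host: the userinfo before '@',
    but only when it is shaped like a domain name (contains a dot)."""
    user = urlsplit(url).username
    if user and "." in user:
        return user
    return None


def is_ip_literal(host):
    """True if the real host is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def strip_userinfo(url):
    """Rewrite the link without its userinfo so the displayed address is the
    real one (the behaviour the article attributes to Outlook 2002)."""
    p = urlsplit(url)
    host = p.hostname or ""
    if ":" in host:              # an IPv6 literal needs its brackets back
        host = f"[{host}]"
    if p.port is not None:
        host = f"{host}:{p.port}"
    return urlunsplit((p.scheme, host, p.path, p.query, p.fragment))


def classify(url):
    """Summarise one link: where it really goes, what it looks like it
    goes to, and whether the two disagree."""
    real = real_host(url)
    shown = apparent_host(url)
    return {
        "url": url,
        "real_host": real,
        "apparent_host": shown,
        "ip_literal": is_ip_literal(real) if real else False,
        "spoofed": shown is not None and shown != real,
        "cleaned": strip_userinfo(url),
    }


def audit(links):
    """Return only the links whose userinfo masquerades as a host name."""
    return [classify(u) for u in links if classify(u)["spoofed"]]


if __name__ == "__main__":
    for item in audit(SAMPLE_LINKS):
        print(f"{item['url']}\n  looks like {item['apparent_host']}, "
              f"really {item['real_host']} (ip literal: {item['ip_literal']})"
              f"\n  safe form: {item['cleaned']}")
```

The check deliberately uses the standard library's URL parser rather than a hand-rolled split on '@', because a userinfo can itself contain ':' and the port must be taken from the host side only; a naive split is exactly the kind of mistake the article describes browsers and mail clients making in different ways.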