TUCoPS :: Windows :: hack3840.htm

Status bar exploit hides spoofed URLs Eudora, possibly other e-mail clients
Status bar exploit hides spoofed URLs Eudora, possibly other e-mail clients

Eudora (as well as, possibly, other e-mail clients) is susceptible to an 
exploit which can be used to conceal a fraudulent URL. In a fraudulent 
("phishing") spam I received this morning, the sender inserted a large 
number of character entities (in this case, spaces, coded as  ) into 
the middle of a URL to force the remainder off the right side of the 
status bar, hiding the true destination:

href="http://www.e-gold.com 
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
@egegold.com/"> lang=EN-US 
style='mso-ansi-language:EN-US'>http://www.e-gold.com/alert 
When the mouse pointer is passed over the URL, the status bar at the bottom of the screen shows http://www.egold.com and does not reveal the spoofed URL. One must view the message source to see the actual URL. This technique is known to work on some browsers, but this is the first time I've seen it used to spoof e-mail clients. I am told that if the URL gets much longer, recent versions of Eudora will overflow a buffer in a way that is exploitable by malware. This particular phishing expedition doesn't seem to take advantage of that vulnerability, hoever. --Brett Glass

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH