Beware links in sheep’s clothing

Public service announcement follows:

A new vulnerability in Internet Explorer has been identified: a URL can appear to go to one site but in fact take you to another, and the chicanery is very difficult to detect.

For example, this link to Amazon.com actually sends you to Barnes and Noble, instead. It’s easy to be fooled by this, because the status bar (when you hover over the link) and address bar (after you follow the link) still read “www.amazon.com”.

Of course, it’s obvious in this case that you’re not actually seeing amazon.com. The danger is that a link in an HTML email may appear to send you to a valid site but in fact lead to a clever, near-identical spoof designed to capture sensitive information (credit card numbers, for example). Spoofs like this (e.g. redirecting to convincing-looking but fake PayPal sites) have existed for a while, but they’ve been relatively easy to detect by looking at the address bar. With this exploit it’s hard to tell you’ve been duped.

Microsoft doesn’t appear to be taking this very seriously. I do, though.

Be careful out there, kids, especially when clicking on links within emails from people you don’t know.

5 thoughts on “Beware links in sheep’s clothing”

  1. Interesting, but while the null may cause the status bar to display the incorrect URL (incomplete, actually), that’s not what’s causing the link to go to Barnes and Noble. It’s the @. Most people aren’t aware that you can include a username and password in a URL, like this:

    http://username:password@www.example.com

    What’s happening in the example above is that “www.amazon.com%00” is being sent as a username to barnesandnoble.com. So you could do the same thing in any modern browser like this:

    <a href="http://www.amazon.com@www.barnesandnoble.com" onmouseover="window.status='http://www.amazon.com'; return true">Amazon.com</a>

  2. That’s correct. Other browsers will still display the full http://www.amazon.com@www.barnesandnoble.com URL in the address bar though, so with IE the illusion is complete. Plenty of people have been fooled like this in the past though, either because the address bar isn’t displayed, or they don’t look at it, or they don’t understand the ramifications of the @ sign in the URL. But I do check the address bar, and that’s why this new trick is a worry for me personally.
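As an added example (not part of the original post or of either comment), the Node.js script below shows the mechanism the post and the first comment describe: a correct URL parser takes the host from after the last “@” in the authority, so everything before it (“www.amazon.com%00”) is just userinfo; a display routine that stops at the first NUL byte, which is the behaviour the post attributes to IE’s status and address bars, shows only “http://www.amazon.com”; and a mail filter can flag such links simply by looking for userinfo, embedded control bytes, or a real host that differs from the host named in the visible link text. The sample HTML email, the function names and the “model of IE” are constructed for this example; nothing here reimplements IE itself.

```javascript
// Added example: URL userinfo ("user:pass@host") spoofing of the kind used in the
// amazon.com / barnesandnoble.com link above. Plain Node.js, no dependencies.

// Minimal RFC 3986-style split of an absolute http(s) URL into its parts.
// A correct parser takes the host from AFTER the last "@" of the authority;
// everything before it is userinfo and has no influence on where you go.
function parseAuthority(href) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]*)(.*)$/i.exec(href);
  if (!m) return null;
  const [, scheme, authority, rest] = m;
  const at = authority.lastIndexOf('@');
  const userinfo = at === -1 ? null : authority.slice(0, at);
  const hostport = at === -1 ? authority : authority.slice(at + 1);
  const host = hostport.replace(/:\d*$/, '').toLowerCase();
  return { scheme: scheme.toLowerCase(), userinfo, host, rest };
}

// Decode %XX escapes (malformed ones are left alone) so embedded control
// bytes such as %00 become visible to the checks below.
function percentDecode(s) {
  return s.replace(/%([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// What a C-string based display routine shows: the decoded URL cut off at the
// first NUL byte. This is a model of the status/address bar behaviour the post
// describes, constructed for the example, not IE's actual code.
function shownUpToNul(href) {
  const decoded = percentDecode(href);
  const nul = decoded.indexOf('\0');
  return nul === -1 ? decoded : decoded.slice(0, nul);
}

// Assess one href. "claimedHost" is the host the visible link text claims
// (or null if unknown). Returns the real host and a list of reasons, if any.
function assessLink(href, claimedHost) {
  const parts = parseAuthority(href);
  if (!parts) return { href, parsable: false, suspicious: true, reasons: ['not an absolute URL'] };
  const reasons = [];
  if (parts.userinfo !== null) reasons.push('userinfo before @ (real host is ' + parts.host + ')');
  if (/[\x00-\x1f\x7f]/.test(percentDecode(parts.userinfo || '')))
    reasons.push('control byte (e.g. %00) inside userinfo');
  if (claimedHost && parts.host !== claimedHost.toLowerCase())
    reasons.push('real host ' + parts.host + ' differs from claimed ' + claimedHost);
  // Node's standard (WHATWG) parser reaches the same host; shown for comparison.
  let whatwgHost = null;
  try { whatwgHost = new URL(href).hostname; } catch (e) { whatwgHost = null; }
  return { href, parsable: true, realHost: parts.host, whatwgHost,
           displayedUpToNul: shownUpToNul(href), suspicious: reasons.length > 0, reasons };
}

// Pull href / anchor-text pairs out of an HTML fragment (a regex is enough for
// this demo; a production filter should use a real HTML parser) and assess each.
function scanHtmlLinks(html) {
  const out = [];
  const re = /<a\b[^>]*\bhref\s*=\s*["']([^"']+)["'][^>]*>([^<]*)<\/a>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const text = m[2].trim();
    // If the visible text looks like a host name, treat it as the claimed host.
    const claimed = /^(?:https?:\/\/)?([a-z0-9.-]+\.[a-z]{2,})/i.exec(text);
    out.push(assessLink(m[1], claimed ? claimed[1] : null));
  }
  return out;
}

// Constructed sample email: only the first link is honest. The second is the
// plain "@" trick the first comment describes; the third adds the %00 byte.
const SAMPLE_EMAIL = `
<p>Your order: <a href="http://www.amazon.com/gp/css/order-history">www.amazon.com</a></p>
<p>Also see: <a href="http://www.amazon.com@www.barnesandnoble.com">www.amazon.com</a></p>
<p>Today's deal: <a href="http://www.amazon.com%00@www.barnesandnoble.com/">www.amazon.com</a></p>
`;

for (const r of scanHtmlLinks(SAMPLE_EMAIL)) {
  console.log(r.suspicious ? 'SUSPICIOUS' : 'ok        ', r.href);
  if (r.parsable) console.log('  real host:', r.realHost, '| shown up to NUL:', r.displayedUpToNul);
  for (const why of r.reasons) console.log('  -', why);
}
```

The practical rule the script encodes is the one worth remembering: the host you connect to is whatever follows the last “@” before the first “/”, and a legitimate link in an email almost never needs userinfo at all, so its mere presence is a good reason to reject or rewrite the link before it reaches a user.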
