Banks and Other Financial Things...

Phishing, a cottage industry.

A technical interlude...

Where do the following links go, my anti-spam page or somewhere else? Try to figure them out without following the links or viewing the HTML source code.

Instead of using a real bank logo for the graphical examples below, I am using a fictional logo for Wong's Bait Shop, Tattoo Parlour, Chinese Food Emporium and Savings & Loan (shortened to WBSSL) (free egg roll or can of worms with every new account; currencies supported are Quatloos, Galactic Credits or Compact Space Credits; Terran currencies not supported; privacy enthusiasts ask about their disinterest-bearing accounts):

The first link:

The second link using an imagemap:

The third link using an imagemap nested in a hyperlink:

The fourth link using JavaScript event trapping:

The answer is near the bottom of this page.

What is phishing?

Some financial institutions are starting to warn their users
... but some do a better job than others.

Phishing in the news.


Find more articles about phishing in the news with Google News Search.


Resources for combatting phishing.

Answer to "Where do the three following links go...?"

The first and second go to my anti-virus page, the third goes to my games page if you are using a graphical browser. (Lynx browser users can go to either of them.) The fourth goes to a page about the ANSI Standard sticker on my toilet. Were you deceived by the third or fourth? If so, you are not alone. Thousands of people follow a similar link in email thinking it points to their bank's web site only to end up at a fake copy of their bank's site that asks for account information. Some fall for the fake and fill in the form. They end up with their bank accounts being emptied by the faker.

Below is the actual HTML used. The first link is a plain hyperlink. The second link uses an imagemap. The third example puts an imagemap into the label of a hyperlink. Some browsers (Internet Explorer) in the third case will report the URL in the hyperlink as the destination but will go to the URL in the imagemap instead. The fourth uses onMouseOver and onMouseOut JavaScript events to change the browser status line. Not all browsers will be fooled by this either. (Internet Explorer users get the wrong URL (are you starting to notice a pattern here?) in the status line, Firefox users get nothing but "done" (as though there was no hyperlink there at all) and Opera users get the correct URL.)

The first link: <a
The second link using an imagemap: <img src="wbssl.gif"
alt="Antispam.html" USEMAP="#phish1">
<map name="phish1">
<area shape="RECT" coords="0,0,228,218" href="Antispam.html">
</map>
The third link using an imagemap: <a href="Antispam.html">
<img src="wbssl.gif" alt="Antispam.html" USEMAP="#phish2">
<map name="phish2">
<area shape="RECT" coords="0,0,228,218" href="games.html">
</map>
</a>
The fourth link: <a href="toilet.html"
 onMouseover="window.status='Antispam.html';return true"
 onMouseOut="window.status=''; return true">Antispam.html</a>
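
A defender-side check for the third and fourth tricks in the listing above, as an added example that is not part of the original page: it flags a hyperlink whose image uses an imagemap pointing somewhere else, and an onMouseOver handler that writes a different URL into window.status. The names LinkAuditor and audit and the SAMPLE markup are constructed for illustration, and URLs are compared as literal strings rather than resolved.

```python
import re
from html.parser import HTMLParser

# Constructed sample: the page's third and fourth links (closing tags added) plus an honest link.
SAMPLE = """<a href="Antispam.html"><img src="wbssl.gif" usemap="#phish2"></a>
<map name="phish2"><area shape="rect" coords="0,0,228,218" href="games.html"></map>
<a href="toilet.html" onmouseover="window.status='Antispam.html';return true"
 onmouseout="window.status='';return true">Antispam.html</a>
<a href="Antispam.html">Antispam.html</a>"""
STATUS_RE = re.compile(r"""window\.status\s*=\s*['"]([^'"]+)['"]""", re.I)

class LinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []       # (kind, what the user is shown, real target)
        self.anchor_href = None  # href of the <a> currently open, if any
        self.wrapped = {}        # map name -> href of the <a> around its <img>
        self.areas = []          # (map name, area href)
        self.map_name = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)          # HTMLParser lowercases tag and attribute names
        if tag == "a" and a.get("href"):
            self.anchor_href = a["href"]
            m = STATUS_RE.search(a.get("onmouseover") or "")
            if m and m.group(1) != a["href"]:   # status line names another URL
                self.findings.append(("status-spoof", m.group(1), a["href"]))
        elif tag == "img" and a.get("usemap") and self.anchor_href:
            self.wrapped[a["usemap"].lstrip("#")] = self.anchor_href
        elif tag == "map":
            self.map_name = a.get("name")
        elif tag == "area" and a.get("href"):
            self.areas.append((self.map_name, a["href"]))

    def handle_endtag(self, tag):
        if tag == "a":
            self.anchor_href = None

def audit(html):
    p = LinkAuditor()
    p.feed(html)
    p.close()
    for name, href in p.areas:   # resolved after parsing, so <map> may precede its <img>
        if name in p.wrapped and href != p.wrapped[name]:
            p.findings.append(("imagemap-override", p.wrapped[name], href))
    return p.findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The second link from the listing (an imagemap that is not wrapped in a hyperlink) produces no finding, since nothing on the page contradicts its destination.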

"Phishers" use even sneakier tactics to trick people. Many involve JavaScript to change what the navigation bar and title bar display and some go so far as to overlap the navigation bar with a fake one. Others use JavaScript to redirect you to the real bank site after invoking a popup form on their site to cover part of the real site's page. Entering data into the form in the popup sends it to the crook and not your bank. I don't know enough JavaScript to describe the techniques fully but "Spamless", the resident JavaScript expert in the news.admin.net-abuse.email newsgroup, has posted some very detailed analyses of many of the phishers' tactics.

We now return you to the anti-phishing resources above.


Webmaster: Norman De Forest, <af380@chebucto.ns.ca>
Note: If you know of the website of a major Canadian bank or credit union I have left out, feel free to send me their web site address. Any foreign banks with evidence of a presence in Canada are also OK. However, this page is not intended for linking to every mortgage lender on the planet so don't bother asking me for a "link exchange", especially if you are representing a mortgage company in the U.S.A. or the U.K. (or some other country) that I have never heard of before. I will consider any such requests to be spam.