There are many variations of this particular scheme, and surprisingly some of them partially work on Mozilla as well. The anchor link version of this vulnerability also results in the partial, incorrect address being displayed in the status line as the user hovers the mouse over the link. The versions of Mozilla I tested (1.0 and 1.5) also showed the partial address in the status line, although they displayed the full address in the address bar. Just for fun, I tried Netscape 4.7 as well. Despite being one of the worst programs ever written, it handled this situation properly, displaying the full URL in both the address and status lines.

When you click on the link in a message in Outlook 2002, it opens a browser window with the correct address, and it even strips out what was to the left of the @. Ironically, Outlook Express 6 takes you to the site on the left side of the @. So in the above example, surprise, it actually takes you to www.whitehouse.gov.

Still, if you're reasonably skeptical of what you get in the mail and take reasonable precautions, you're probably safe from both of these problems. Unfortunately, not everyone is so careful. So expect to read on these pages soon about the poor folks who credulously clicked away and got taken. It's like watching an accident happen and you're powerless to stop it. Just be careful about where you go in that browser.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
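As an added example (not part of the original column), here is how a mail filter or link checker can work out where a link with a "something@" prefix actually goes, so it can show the real host rather than the decoy on the left of the @. The URL values are constructed for illustration; the name `real_destination` is my own.

```python
# Added example: report the real host of a link and flag the userinfo-as-fake-host
# pattern behind the address-bar spoof discussed above. Uses only the standard library.
from urllib.parse import urlsplit


def real_destination(url: str) -> dict:
    """Return where a link really goes, plus whether its userinfo looks like a decoy host."""
    parts = urlsplit(url)
    userinfo = ""
    if "@" in parts.netloc:
        # Everything left of the LAST '@' is userinfo; the host is what follows it.
        userinfo = parts.netloc.rsplit("@", 1)[0]
    host = parts.hostname or ""  # lower-cased, IPv6 brackets stripped, port removed
    username = userinfo.split(":", 1)[0]  # drop any password part
    # Heuristic: legitimate HTTP userinfo is rare and almost never contains a dotted
    # host-like name, so any dotted username is treated as a probable decoy.
    labels = username.split(".")
    looks_like_host = len(labels) > 1 and all(labels) and labels[-1].isalpha()
    return {
        "scheme": parts.scheme,
        "userinfo": userinfo,
        "host": host,
        "port": parts.port,
        "spoof_risk": looks_like_host,
    }


def status_line(url: str) -> str:
    """Text a careful client should show on hover: the real host, with any decoy called out."""
    info = real_destination(url)
    if info["spoof_risk"]:
        return f"{info['host']} (NOT {info['userinfo']})"
    return info["host"]


if __name__ == "__main__":
    # Constructed sample links: one decoy-prefixed, one plain, one with genuine credentials.
    for link in (
        "http://www.whitehouse.gov@example.net/login",
        "http://www.whitehouse.gov/",
        "ftp://anonymous:guest@example.net:2121/pub",
    ):
        print(f"{link:50} -> {status_line(link)}")
```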
There is also the issue of HTML e-mail. If an HTML message is sent with one of these links, could the user be misled to the wrong site?