A new scam

This phishing technique is new to me. Nowadays you get lots of scams in which they appear to have printed the URL in plain text, but hovering the mouse over it shows that it goes to a completely different URL. However, when I hovered the mouse over this one, nothing appeared at all; and when I looked at the code, it turns out that the text of the URL was actually the input button for a form which sent you off to the crooks’ site. This is clever, or at least ingenious. But I can’t work out what the repeated “3D”s do in the code below. Does anyone know?

<A href=3D"https://secure.ebay.com/eBayISAPI.dll?
action=3Dverify&id=3D0062665=4&user=3D">
<FORM action=
3Dhttp://0040246.netsolhost.com/SAW-CGI/saw-cgi/login.html>
<INPUT
style=3D"BORDER-RIGHT: 0pt;
BORDER-TOP: 0pt;
FONT-SIZE: 10pt;
BORDER-LEFT: 0pt;
CURSOR: hand;
COLOR:blue;
BORDER-BOTTOM: 0pt;
BACKGROUND-COLOR: transparent;
TEXT-DECORATION: underline"
type=3Dsubmit
value=3Dhttps://secure.ebay.com/eBayISAPI.dll?
action=3Dverify&id=3D0062665=4&user=3D>
</A>

3 Responses to A new scam

  1. That’s the ASCII hex code for an equals sign. As it only appears after a properly rendered equals sign, I’ll bet it’s just an artifact of a buggy script somewhere along the line.

  2. As Ben said, there’s an extra level of encoding that’s clearly not intended (the < & > didn’t really want to be encoded either). I cleaned it up a little to get a better look, and it’s certainly trying to be clever.

    The “style” attribute appears to be trying to make the input button look like a normal link (blue text, underlined, invisible button), but it’s not honored by Safari (I still see a button).

    A form inside an a tag is illegal, but they’re relying on browsers to be tolerant.

    I suppose also that they want the browser to show the enclosing link, while actually fetching the form link. Again, Safari doesn’t do the former, but I imagine it does the latter.

  3. acb says:

    I notice that they don’t close the form either. But Opera, which is normally strict, displays this.

    And I thought Style rules had to be enclosed in brackets.

    I suppose I had better take this entry down in a while, before google gets the wrong idea about me.

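An added example, not part of the original post or its comments: in quoted-printable, the MIME transfer encoding used for mail bodies, a literal "=" is written as "=3D" and a bare "=" at the end of a line is a soft line break, which is what viewing the raw source of such a message shows. The Python sketch below decodes that layer and then flags a submit button whose visible label is a URL on a different host from the one the form posts to; the sample markup is constructed on the post's pattern, and its hosts and the names `decode_qp`, `DisguisedSubmitFinder` and `scan` are assumptions for illustration.

```python
import quopri
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the post's markup; both hosts are placeholders.
RAW_QP = (
    b'<A href=3D"https://secure.shop.example/verify?id=3D1">\n'
    b'<FORM action=3Dhttp://collector.example/login.html>\n'
    b'<INPUT style=3D"BORDER-TOP: 0pt; CURSOR: hand; COLOR:blue; BACKGROUND-=\n'
    b'COLOR: transparent; TEXT-DECORATION: underline"\n'
    b'type=3Dsubmit value=3Dhttps://secure.shop.example/verify?id=3D1>\n'
    b'</A>\n'
)

def decode_qp(raw: bytes) -> str:
    """Undo quoted-printable: '=3D' becomes '=', '=' at end of line joins lines."""
    return quopri.decodestring(raw).decode("utf-8", errors="replace")

class DisguisedSubmitFinder(HTMLParser):
    """Flag submit buttons labelled with a URL on another host than the form action."""
    def __init__(self):
        super().__init__()
        self.form_action = None  # stays set when </form> never appears
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_action = a.get("action", "")
        elif tag == "input" and a.get("type", "").lower() == "submit":
            label = a.get("value", "").strip()
            shown = urlsplit(label).hostname if "://" in label else None
            real = urlsplit(self.form_action or "").hostname
            if shown and real and shown != real:
                style = a.get("style", "").lower()
                link_like = "underline" in style and "transparent" in style
                self.findings.append({"shown_host": shown, "posts_to": real,
                                      "styled_as_link": link_like})

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None

def scan(raw_qp: bytes):
    """Decode the quoted-printable layer, then return any disguised submit buttons."""
    finder = DisguisedSubmitFinder()
    finder.feed(decode_qp(raw_qp))
    finder.close()
    return finder.findings
```

Calling `scan(RAW_QP)` returns one finding, with the host shown on the button and the host the form actually posts to.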