# Mousing over a link to verify destination no longer safe



## dpeters11 (May 30, 2007)

I saw this retweeted by a well-known security researcher; this page and the demo are safe.

It uses JavaScript. It will show that it will take you to PayPal UK when you mouse over it, but in reality you'll go somewhere else, in this case a different page on the original site.

This works in current versions of IE, Chrome and Firefox.

http://bilaw.al/2013/03/17/hacking-the-a-tag-in-100-characters.html


----------
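A defensive check for the behaviour described in the opening post, as an added example that is not part of any post or of the linked demo: it scans HTML (for instance a message body a webmail client is about to render) for links whose inline event handlers can change the destination after the hover text has shown the `href`. The function names, the sample markup and the example.com/example.net hosts are constructed for illustration.

```javascript
// Added example: static check for links whose inline event handlers can change
// the destination after the status bar has already shown the href.
// Limitation: handlers attached from <script> blocks are not visible to this scan.

// Handler code that assigns to href / location, or calls setAttribute('href', ...).
const HREF_WRITE =
  /\bhref\s*=(?!=)|\blocation\b[\w.]*\s*=(?!=)|setAttribute\(\s*['"]href['"]/i;

// Parse the attributes of one opening <a> tag into a lower-cased name -> value map.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  const body = tag.replace(/^<a\b/i, "").replace(/\/?>$/, "");
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return one finding per inline on* handler found on an anchor.
function findHrefSwaps(html) {
  const findings = [];
  const tags = html.match(/<a\b(?:"[^"]*"|'[^']*'|[^>"'])*>/gi) || [];
  for (const tag of tags) {
    const attrs = parseAttrs(tag);
    for (const [name, value] of Object.entries(attrs)) {
      if (!name.startsWith("on")) continue;
      findings.push({
        shownHref: attrs.href ?? null, // what hovering would display
        handler: name,
        verdict: HREF_WRITE.test(value) ? "rewrites-destination" : "inline-handler",
      });
    }
  }
  return findings;
}

// Constructed sample message body (hosts are placeholders).
const SAMPLE = `
<p><a href="https://www.example.com/account">Your account</a></p>
<p><a href="https://www.example.com/login"
      onclick="this.href='https://login.example.net/'">Sign in</a></p>
<p><a href="https://www.example.com/help" onmouseover="track(1)">Help</a></p>`;

console.log(findHrefSwaps(SAMPLE));
```

A sanitizer for rendered mail would strip every `on*` attribute regardless of verdict; the verdict is useful for triage and logging.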



## P Smith (Jul 25, 2002)

Oh man! It's a never-ending hunt for fool users ...


----------



## dpeters11 (May 30, 2007)

Nope. Only safe thing to do really is to manually log into your account and check for anything there, or call a known number for them. These phishing emails are getting more and more sophisticated. They even use two factor authentication you've set up with the real site.


----------



## P Smith (Jul 25, 2002)

Up until this post, I was thinking I'm safe by hovering a mouse ...


----------



## James Long (Apr 17, 2003)

Right click - open in new tab - takes me to the right site in Firefox. That is the way I normally open links anyways.

The second half of the problem, PayPal redirecting to unusual URLs, makes this exploit possible. Otherwise looking at the URL after clicking will show that you're not in the right place.

The initial scam page needs to be good as well. To be scammed I would need a good reason to click on that link in the first place.


----------



## P Smith (Jul 25, 2002)

James Long said:


> Right click - open in new tab - takes me to the right site in Firefox. That is the way I normally open links anyways.


That's the simplest way to install malicious SW in a split second ...


----------



## The Merg (Jun 24, 2007)

Good info. Thanks.

- Merg


----------



## dpeters11 (May 30, 2007)

Thinking about it, I think it would be more of an issue with webmail. Email clients shouldn't do JavaScript, especially by default.


----------



## wilbur_the_goose (Aug 16, 2006)

Yep - safest way to go is to type the desired URL yourself.


----------



## Dude111 (Aug 6, 2010)

I'm on IE6 and that doesn't work... TOOK ME TO PAYPAL!!!! (Like the demo link said it should)

EDIT:

I enabled scripts and it works (So I figured)


EDIT2:

If I put the domain into my restricted zone IT DOES NOT WORK! (scripts enabled)


----------



## dpeters11 (May 30, 2007)

I'm assuming it's pointless to try to convince you not to use IE6, right? Or at least by summer 2014...

It certainly makes sense for it to not work in the restricted zone. But in my opinion, there are worse dangers using 6 than that script working or not.


----------



## Dude111 (Aug 6, 2010)

You're listening to all the Mainstream BS my friend.....

IE6 is just as good as any newer OVER-BLOATED browser! (As long as you have your security zone set right)

IE6 is not spying on the end user... YOU CAN'T SAY THAT *FOR SURE* ABOUT THESE NEWER BROWSERS!


----------



## wilbur_the_goose (Aug 16, 2006)

Dude - IE6 is a swiss cheese browser, and you're putting yourself at risk. Unfortunately, you could be putting the rest of us at risk too by allowing your PC to become part of a botnet that could be used to commit a DDoS attack.


----------



## dpeters11 (May 30, 2007)

Plus, IE 6 means XP. It will become more dangerous to be on XP after it no longer receives any updates. It's not BS. Unfortunately, though I'm not nearly at Wilbur_The_Goose's level, I really do know how these things actually work. Not liking Windows 8 is one thing, but Windows 7 is a very fine OS, until around February 11, 2020.

But not everyone can be convinced of the truth.


----------



## carlsbad_bolt_fan (May 18, 2004)

wilbur_the_goose said:


> Dude - IE6 is a swiss cheese browser, and you're putting yourself at risk. Unfortunately, you could be putting the rest of us at risk too by allowing your PC to become part of a botnet that could be used to commit a DDoS attack.


The goose is golden with this advice.


----------



## SayWhat? (Jun 7, 2009)

Hovering is also why I won't use URL shorteners or click on links through them. I want to see the underlying URL, not a Libyan domain name (.ly) followed by random characters.

Nor will I click on links from this board due to the VigLink scrambling of the URLs.


----------



## dpeters11 (May 30, 2007)

Just for an FYI, add a + at the end of a bitly link, it will tell you where it goes, along with the statistics, like this.

Http://Bit.ly/dsxpcred+


----------



## James Long (Apr 17, 2003)

dpeters11 said:


> Just for an FYI, add a + at the end of a bitly link, it will tell you where it goes, along with the statistics, like this.
> 
> Http://Bit.ly/dsxpcred+


Which, of course, shows up as something like this in the mouseover:
http://apicdn.viglink.com/api/click?format=go&key=e652088f26975de9b83439c1dd935df0&loc=http%3A%2F%2Fwww.dbstalk.com%2Fshowthread.php%3Fp%3D3199001&out=Http%3A%2F%2FBit.ly%2Fdsxpcred%2B&ref=http%3A%2F%2Fwww.dbstalk.com%2Fusercp.php


----------
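The mouseover URL quoted in the post above still contains the real target, percent-encoded in its `out` parameter. As an added example (not part of any post), this recovers the destination from such a wrapped hover URL; the function name and the shortened sample URL with a placeholder key are constructed, and the `out` parameter name is taken from the URL shown above.

```javascript
// Added example: recover the real destination from a redirect-wrapped hover URL.
// Assumption: the wrapper carries the target in its "out" query parameter, as in
// the mouseover URL quoted above. Other wrappers may use other parameter names.

const MAX_HOPS = 5; // stop on wrappers nested inside wrappers

function unwrapHover(hoverUrl) {
  const chain = [];
  let current = hoverUrl;
  for (let hop = 0; hop < MAX_HOPS; hop++) {
    let parsed;
    try {
      parsed = new URL(current); // normalises scheme and host to lower case
    } catch {
      break; // not an absolute URL: keep what we have so far
    }
    chain.push(parsed);
    const inner = parsed.searchParams.get("out"); // returned percent-decoded
    if (inner === null || !/^https?:\/\//i.test(inner)) break;
    current = inner;
  }
  if (chain.length === 0) return null; // input was not a usable URL
  const last = chain[chain.length - 1];
  return {
    shownHost: chain[0].hostname, // what the hover text makes you think
    finalUrl: last.href,          // where the wrapper will send you
    finalHost: last.hostname,
    wrapped: chain.length > 1,
  };
}

// Constructed sample in the shape of the quoted mouseover URL (placeholder key).
const WRAPPED =
  "http://apicdn.viglink.com/api/click?format=go&key=EXAMPLEKEY" +
  "&out=Http%3A%2F%2FBit.ly%2Fdsxpcred%2B";

console.log(unwrapHover(WRAPPED));
```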



## Mark Holtz (Mar 23, 2002)

Dude111 said:


> IE6 is just as good as any newer OVER-BLOATED browser! (As long as you have your security zone set right)
> 
> IE6 is not spying on the end user... YOU CAN'T SAY THAT *FOR SURE* ABOUT THESE NEWER BROWSERS!


Internet Explorer 6 was released in August, 2001. FWIW: Firefox (then known as Phoenix) was released as 0.1 in September, 2002, with the 1.0 release in November, 2004. Its predecessor, Netscape, was around version 6. Chrome wasn't a twinkle in Google's eye, and Safari was still being worked on.

Anyone who has done anything beyond "bare bones" HTML code, and actually used features such as JavaScript and CSS, will quickly find out how well IE doesn't follow established standards, to the point where web programmers had to put kludges in to make the web page work with Internet Explorer 6. Personally, when I was doing web development, I found it much easier to do it in Firefox (because of the robust tools at the time), then adapt the code for other browsers (including the adaptions for IE) rather than develop on IE.

The biggest reason why IE6 still is around is that some companies have developed internal applications many years ago that are still being used, probably with the aid of Frontpage. These pages break even with Internet Explorer 7 (released in October, 2006 -- FIVE YEARS after IE6), and the developers have long moved on, yet the company doesn't want to spend the money on the replacement and the required training.

Thank goodness that IE6 will End-Of-Life next year.


----------



## SayWhat? (Jun 7, 2009)

Mark Holtz said:


> FWIW: Firefox (then known as Phoenix) was released as 0.1 in September, 2002, with the 1.0 release in November, 2004. Its predecessor, Netscape, was around version 6.
> 
> Thank goodness that IE6 will End-Of-Life next year.


Netscape and FF are distant cousins. Both were developed by the Mozilla Foundation, but were separate projects along with Thunderbird and several others. For some reason, they sold the Netscape name and package to AOL. From that point they continued to develop the full browser suite under the Mozilla name while developing Firefox as a stripped down, standalone project. That continues to this day with the full suite now renamed to SeaMonkey.

I thought IE6 was abandoned by MS years ago? There has been a big campaign on to kill it off once and for all.


----------



## wilbur_the_goose (Aug 16, 2006)

SayWhat - you're absolutely correct. Unfortunately, IE6 still has a significant foothold in Asia, especially China.


You can get an update graphic at http://www.ie6countdown.com/


----------



## dpeters11 (May 30, 2007)

Dude111 said:


> You're listening to all the Mainstream BS my friend.....
> 
> IE6 is just as good as any newer OVER-BLOATED browser! (As long as you have your security zone set right)
> 
> IE6 is not spying on the end user... YOU CAN'T SAY THAT FOR SURE ABOUT THESE NEWER BROWSERS!


And actually I think we can say that Firefox and Chromium are not spying on the end user (other than the normal cookie issue). They are open source. If they were, someone would have seen it in the source code by now and said something publicly. You can't say the same thing for IE6. It's closed source. Not that I think it does, I just think it's a bad browser. Firefox is also popular with security professionals.

And correct. Someone even held a "funeral" for IE6. Microsoft sent flowers. Unfortunately, just because XP and IE6 will end of life next year, it won't necessarily change those that use it, until their PC does and they get one with a newer OS.

Of course in China, most of the installations are likely pirated.


----------



## wilbur_the_goose (Aug 16, 2006)

China? Pirated? Tell me it's not true!


----------



## houskamp (Sep 14, 2006)

Ford's site (the one for employees) just in the last couple months finally lists IE8 as "supported".. last year it was still 6..


----------



## dpeters11 (May 30, 2007)

More are finally moving. A few may be going too far. One site we use started saying "modern web browser required". Only supported version of IE is 10. We have installed Chrome for those users.

We're actually still moving users off XP now, though we left IE 6 a long time ago.


----------

