Ferreting out a fake
Learn to detect phishing scams

eBay, PayPal, and other credit card scams, cont'd (page 2)
What we've learned so far are just the basics needed to understand what these scammers are doing. Now we're going to learn how to detect what's really hiding behind the displayed link text.

Once again, let's use our faked eBay link as an example:

http://www.ebay.com

Position your mouse over the "eBay" link shown above. Now, with the mouse still over the link, look in the bottom left corner of your browser. You should see the actual target link displayed there, as shown in the image below:

If you weren't able to see the target link appear, make sure you have the status bar enabled. To do so, select View | Status bar from the Internet Explorer menu and try hovering over the link again. Alternatively, you can right-click the link and select Properties from the right-click menu. A display box will appear, showing the target address (URL) that the link text is referencing.

But wait! What you've learned so far are just the very basics. The folks behind these scams are far more sophisticated. They not only use fake display text, they munge the actual target link text so that it does seem to point to a valid site. How do they do this?

HTML can best be described as multi-lingual. That is to say, it will take commands in a number of "languages". Bad people exploit this ability. For example, let's look at the characters //. A normal URL might appear as http://www.uglyemail.com. But there's another way to render //. The browser will interpret %2F%2F as // when it finds it in a URL. Let's take a look at the following URL:

<a href="http://scgi.ebay.com@%31%32%37%2E%30%2E%30%2E%30:%34%39%30%31">https://scgi.ebay.com/saw-cgi/eBayISAPI.dll?VerifyInformation</a>

I know. A lot to swallow, isn't it? But bear with me. The link example above would appear in an email (or on a website) as this:

https://scgi.ebay.com/saw-cgi/eBayISAPI.dll?VerifyInformation

Now hover your mouse over that link, or right-click it and choose Properties. You'll find that the virtually indecipherable href link is actually pointing to http://scgi.ebay.com@127.0.0.0:4901/. (I deliberately chose what's known as a loopback address for this example. If you click the link you'll simply get a "Page Cannot Be Found" error.) The creators of these scams will use this trick to point to a fake eBay or PayPal site.
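The hover check described above can also be done in code, for example when screening mail before anyone reads it. The Python below is an added example, not part of the original article: it decodes each link's href, works out the host the browser will really contact, and compares it with the displayed text. The function names are illustrative, and the sample input is the anchor shown above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote
# Sample input: the anchor shown in the article (it targets a loopback address).
SAMPLE = ('<a href="http://scgi.ebay.com@%31%32%37%2E%30%2E%30%2E%30:%34%39%30%31">'
          'https://scgi.ebay.com/saw-cgi/eBayISAPI.dll?VerifyInformation</a>')

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in a message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def real_target(href):
    """Return (userinfo, host, port), percent-decoded; bracketed IPv6 is not handled."""
    netloc = urlsplit(href).netloc
    userinfo, _, hostport = netloc.rpartition("@")  # the host follows the last '@'
    host, _, port = unquote(hostport).partition(":")
    return unquote(userinfo), host.lower(), port

def audit_link(href, text):
    """Return (host, port, findings) for one link; empty findings means no flag."""
    userinfo, host, port = real_target(href)
    findings = []
    if userinfo:
        findings.append(f"'{userinfo}' before '@' is not the destination")
    if "%" in urlsplit(href).netloc:
        findings.append("host or port is percent-encoded")
    if re.fullmatch(r"[0-9.]+", host):
        findings.append("destination is a numeric IP address")
    shown = urlsplit(text).hostname if "://" in text else None
    if shown and shown != host:
        findings.append(f"link text shows {shown} but target is {host}")
    return host, port, findings

def audit_html(html):
    parser = AnchorCollector()
    parser.feed(html)
    return [audit_link(href, text) for href, text in parser.links]
```

Running audit_html(SAMPLE) reports the host 127.0.0.0 and port 4901 with all four findings, while an ordinary link whose text matches its target produces none.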

And that brings us to the next part of the puzzle: why does the browser ignore the http://scgi.ebay.com in favor of the @127.0.0.0:4901/ portion of the address?

Next page: Understanding IPs
