Internet Exploiter
UO!InternetExploiter!HTML
03 February 2004
Description
Submitted by .
Example
<a href=http://www.microsoft.com =01 %01 %00@66.235.193.39/~cnnurgen/microsoft/downloads/details.html>
www.microsoft.com/downloads/</a>
Notes:
1. This looks like: www.microsoft.com/downloads
2. Notice the use of =01 quoted-printable encoding to insert a non-printable ASCII character SOH (01) inside the URL.
3. Notice the use of % encoding to also insert the non-printable ASCII characters 01 and 00 (the latter being a standard string termination in C designed to fool filters that 'printf' the URL).
4. Notice the use of a URL username/password combination (cf Enigma/Bogus Login tricks).
5. This appears to take the user to www.microsoft.com/downloads, but actually goes to the site at 66.235.193.39.
6. In Microsoft Internet Explorer both the text highlighted in the URL and the URL shown in the status bar indicate that the URL as on microsoft.com.
7. Mozilla Firebird is also fooled by this trick, it terminates the URL at the SOH character.
Another variant has appeared in phishing emails. The pipe character | can be used in a URL. Under Internet Explorer the URL will not be displayed past the pipe. This can be used to make a subdomain look like a top-level domain. In the following example, borrowed from Netcraft
http://barclays.co.uk|snc9d8ynusktl2wpqxzn1anes89gi8z.dvdlinKs.at/pgcgc3p/
the link will appear as barclays.co.uk in Internet Explorer, but in fact goes to dvdlinKs.at.
A Flash In The Pan
Bogus Login
Enigma
Internet Exploiter
Phish Phorm
The tURLing test
You cannot be serious
See also
Spammers' Compendium
SPUTR
Resources
Poll
Have you ever actually read an End-User License Agreement?Leave a comment
View 4 comments
VB2008
VB2008 will take place 1-3 October 2008 at the Westin Ottawa, Canada.
Registration has opened; please check the call for papers.
Virus Bulletin currently has 132,945 registered users.

