WTF? My WoW account

Wow it’s that easy?
Damn even I could manage that based on my HTML 3.2 leet knowledge from way back. :)

The “From” address isn’t trustworthy at all in emails – anyone can put whatever they want in there. You’d have to look at the “Received:” header lines via the Show Original option to see where the email really came from.

It’s also easy to make the displayed link text different from where the link would actually go, with HTML (and even the hover text too, with some JavaScript, though I think that’s mainly on phishing sites and not email).

Yeah dood, it are totally difficult:

http://en.wikipedia.org/wiki/Spyware

You fail at rick-rolling.
IE shows the correct URL if you mouse over it.

There are more complicated methods that’ll pass the mouse over test (unlike Aeon221’s attempt) but they’re browser specific and usually get patched. When in doubt trust no one and type the URL into the browser yourself.

There are ways you can trick the hover text as well, but they need JavaScript, so you generally only see it on phishing sites and not emails.

Wait, so you’re saying our deal is off?

You’re right, but a lot of people are too lazy or non-computer savvy to double-check the link and will just click it without thinking. They’re even more likely to fall for it if the text just displays a URL, since people usually seem to assume that they correspond with what the link directs to, as in Aeon221’s example (gee, I sure hope this makes sense when others read it).

Scammers only need to snare one victim to be successful.

No shit.

Good! I learned something today. I don’t normally click on links that tell me to disclose passwords, but I hadn’t thought of mousing over the link. Thanks guys.

You can do some tricky things with the hover text, too. Something like

<a href="http://paypal.com      [...huge number of spaces...]      @phishing-site.com/">http://www.paypal.com/</a>

will look like a perfectly legitimate link if you mouse over it because the spaces pushed the rest of the real address off the right-hand side of the screen. Firefox displays ellipses in the lower-right corner to indicate there’s more to the address, but it’s really easy to miss.

You are right to never click on links that tell you to disclose a password. Mousing over can help, but you never know if there is some bizarre browser flaw that will let a scammer hide the real URL. Always better to just type in the URL yourself for these things.

I hadn’t played WoW for two years and I got an e-mail congratulating me for activating Burning Crusade. Somehow my account got hacked, but my password is pretty obscure so I don’t know how. Luckily they don’t have my credit card # or anything, and I changed all of the other passwords I use.

I found this thread informative and interesting, something I wouldn’t be privy to had he not posted.

Oh well in that case I’ll get started posting all the spam I’ve got in my hotmail account.

If you are going to be snarky, at least do so in the form of entertaining pictures.

I will post my curmudgeonly opposition to this. The “snark through image” thing here is getting rather overplayed.

'nuff said!

That’s a really bad idea. I can confirm from bitter personal experience that it’s entirely possible to have your account hacked looong after you’ve cancelled, and the whole point of the token is to prevent that sort of thing. Just keep the token someplace safe.