Goran,
It's probably DHTML being used to fake an address bar in a window that doesn't have one, or it is placing a fake address bar on top of the real one. It might look real, but it isn't. It is safe to blacklist haukelid.com, and that's all that you need to do about it.
Matt
Goran Jovanovic wrote:
Hi,
I do not understand how this is being displayed in IE.
I got a phishing e-mail reported to me and I went to check it out.
This is the HTML text
<P class=Estilo6>To log into your account and verify your account
activity, click here: <BR><A onmouseover="window.status='https://www1.royalbank.com/cgi-bin/rbaccess/
rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH'; return true;" href="http://haukelid.com/hfl/.rbc/index.php"; target=_blank>http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUES
T=ClientSignin&LANGUAGE=ENGLISH</A></P>
Now I understand that this shows up in the e-mail as
www1.royalbank.com/....
So what I did was to go to the haukelic.com/... page directly in IE.
When I get there the address in the address bar is
http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin
&LANGUAGE=ENGLISH
How is this possible to display some other address when I went to the haukelid.com address?
What would people do to prevent this mail from getting through in the future?
In the past I would have put into my phishing.txt filter http://haukelid.com but when I go there it is a "real" site and the first level down is also a real site. I am tempted to ban it at the top level as this person is either using his own site to do phishing from or his site is compromised and the next URL could be somewhere else on his site.
Can I get some thoughts on this.
Thanx
Goran Jovanovic The LAN Shoppe --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
-- ===================================================== MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =====================================================
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
