A few days ago, a colleague I hadn’t corresponded with in a while told me he almost missed my email because it wound up in the spam folder, and he hesitated before deleting it because my full name wasn’t displayed in the sender address. That reminded me that it had been a while since I emptied the spam folder on one of my accounts, so I opened it up to check.
Of course it was filled with junk mail offers for pharmaceutical and luxury products I don’t want, but two messages caught my eye supposedly from firstname.lastname@example.org. I was rather perplexed since I didn’t remember attaching this email address to any of my YouTube accounts, but just in case I opened one to check. The mail looked fairly legitimate and was designed to make me curious. The link looked ok, but being generally wary of this sort of thing, I opened the mail in a separate browser window to check before clicking on it, since the browser didn’t resolve the link when I first moused over it and the mail tool I was using didn’t want to show me the full email header. Here is what I saw:
I’ve blacked out some personal information, but you can clearly see the real URL behind the innocuous-looking YouTube one in the bottom left-hand corner of the window. I’ve blacked out part of the link too, but the same link showed up when I moused over any of the hyperlinks in the message.
How does that work? Well, it’s easy. The authors just used a simple trick in HTML to insert a link using the tag <a>. The clever part is that they made the text anchor look like a normal link to YouTube: http://www.youtube.com/watch=etc. That could fool even some savvy users.
Inspecting the element with Firebug reveals the trick:
Since I emptied my spam folder, I’ve already received another email from email@example.com telling me that I have one unread personal message. The link in the email resolves to a different address but the trick is the same.
Be careful out there!