By mousing over the "Click here to update your account information" link in the Mailwasher "preview" pane, it is usually obvious that a suspect link leads somewhere bad, and that the message is clearly not actually from, say, Chase Bank. However, sometimes I must "View Raw Source" in order to "see" the actual target URL. For instance, I received the following this morning:
This looks like it's legitimate, and the URL displayed on "hover" is the one displayed above. However, the raw coding of the message displays the following:A phisher wrote:...To access the form please click on the following link:http://chaseonline.chase.com/Secure/webform/OSL.aspx?LOB=
723882879499936098792271620242477102106597514524Thank you for being a valued customer.
Is this contradictory result due to the message having been "a multi-part message in MIME format"? Is the fake URL displaying in the "normal" preview pane because it is included in the "text/plain" part of the message, with the actual URL being "hidden" in the "text/html" part?In the code, the phisher wrote:<p><font face=3D"Times New Roman, serif">To access the form please click =
on the following link:</font></p>
<p><font face=3D"Times New Roman, serif"><a href=3D"http://chaseonline.ch=
ase.com.id017.cz/Secure/webform/OSL.aspx?LOB=3D72388287949993609879227162=
0242477102106597514524">http://chaseonline.chase.com/Secure/webform/OSL.a=
spx?LOB=3D723882879499936098792271620242477102106597514524</a></font></p>
<p><font face=3D"Times New Roman, serif">Thank you for being a valued cus=
tomer.</font></p>
Is there any way to force the "preview" pane to accurately display the genuine URL, other than setting the default display to "raw source"?
Thank you.
Eliz.