Link in Title Attribute

Link in Title Attribute

am 28.09.2007 22:01:48 von Blinky the Shark

I'd say this was a weird one. Someone in a not-HTML group (a browser
group it was) this morning asked for a way to have the user that clicks
on a link be sent to a URL in the anchor's title attribute rather than
to the hreffed URL.

Anyone ever heard of such?

Yes, I have the thread set for "watch". I just thought it might be an
interesting thing to look at here.


--
Blinky RLU 297263
Killing all posts from Google Groups
The Usenet Improvement Project moved to this site August 28th:
http://improve-usenet.org

Re: Link in Title Attribute

am 28.09.2007 22:35:27 von jkorpela

Scripsit Blinky the Shark:

> I'd say this was a weird one. Someone in a not-HTML group (a browser
> group it was) this morning asked for a way to have the user that
> clicks on a link be sent to a URL in the anchor's title attribute
> rather than to the hreffed URL.

It's of course impossible in HTML. Playing with JavaScript, you could modify
the href attribute value when the link is clicked on, or you could directly
tell the browser to go to a specific address. User agents with JavaScript
disabled or not in use would naturally keep using the original href
attribute. Maybe this is the idea? Cheating indexing robots to think that
the page links to page X when it in fact "links" to Y when JavaScript is
enabled.

> Anyone ever heard of such?

Not about that particular technical idea, but I've seen a lot of crap on the
Web and many "clever" ideas of cheating, shooting oneself on the foot and
spitting at users.

--
Jukka K. Korpela ("Yucca")
http://www.cs.tut.fi/~jkorpela/

Re: Link in Title Attribute

am 28.09.2007 22:43:39 von lws4art

Blinky the Shark wrote:
> I'd say this was a weird one. Someone in a not-HTML group (a browser
> group it was) this morning asked for a way to have the user that clicks
> on a link be sent to a URL in the anchor's title attribute rather than
> to the hreffed URL.
>
> Anyone ever heard of such?
>
> Yes, I have the thread set for "watch". I just thought it might be an
> interesting thing to look at here.
>
>

It would be nasty eh? Well seems to work...I would say the JavaScript
would go in external file to complete the deception. The link will of th
thatway.html and not thisway.html, of course when JavaScript is enabled:

"http://www.w3.org/TR/html4/strict.dtd">




Deception





Well, let's see here...







--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com

Re: Link in Title Attribute

am 28.09.2007 22:47:22 von Blinky the Shark

Jukka K. Korpela wrote:
> Scripsit Blinky the Shark:
>
>> I'd say this was a weird one. Someone in a not-HTML group (a browser
>> group it was) this morning asked for a way to have the user that
>> clicks on a link be sent to a URL in the anchor's title attribute
>> rather than to the hreffed URL.
>
> It's of course impossible in HTML. Playing with JavaScript, you could modify
> the href attribute value when the link is clicked on, or you could directly
> tell the browser to go to a specific address. User agents with JavaScript
> disabled or not in use would naturally keep using the original href
> attribute. Maybe this is the idea? Cheating indexing robots to think that

If anything interesting appears from that poster, I'll report back in
this thread.

If anyone is interested that uses or is willing to set up
news.mozilla.org, the query appeared in mozilla.support.firefox and the
thread has the Subject header

clickable title

> the page links to page X when it in fact "links" to Y when JavaScript is
> enabled.

>> Anyone ever heard of such?
>
> Not about that particular technical idea, but I've seen a lot of crap on the
> Web and many "clever" ideas of cheating, shooting oneself on the foot and
> spitting at users.

I'd classify this along with those. Naturally my first knee-jerk
response was "deception", but it doesn't seem very deceptive to have the
user directed to a URL that he's likely to plainly see on hovering and
which is just as visible in the anchor as is the href.


--
Blinky RLU 297263
Killing all posts from Google Groups
The Usenet Improvement Project moved to this site August 28th:
http://improve-usenet.org

Re: Link in Title Attribute

am 28.09.2007 23:04:57 von Blinky the Shark

Jonathan N. Little wrote:
> Blinky the Shark wrote:
>> I'd say this was a weird one. Someone in a not-HTML group (a browser
>> group it was) this morning asked for a way to have the user that clicks
>> on a link be sent to a URL in the anchor's title attribute rather than
>> to the hreffed URL.
>>
>> Anyone ever heard of such?
>>
>> Yes, I have the thread set for "watch". I just thought it might be an
>> interesting thing to look at here.
>
> It would be nasty eh? Well seems to work...I would say the JavaScript
> would go in external file to complete the deception. The link will of th
> thatway.html and not thisway.html, of course when JavaScript is enabled:

Remind me to make sure NoScript has your sites in its crosshairs. ;)

:)


--
Blinky RLU 297263
Killing all posts from Google Groups
The Usenet Improvement Project - http://improve-usenet.org

Re: Link in Title Attribute

am 29.09.2007 13:47:53 von jkorpela

Scripsit Blinky the Shark:

> I'd classify this along with those. Naturally my first knee-jerk
> response was "deception", but it doesn't seem very deceptive to have
> the user directed to a URL that he's likely to plainly see on
> hovering and which is just as visible in the anchor as is the href.

It might be intended to deceive search engines rather than users directly.
But such deception, too, is ultimately aimed at deceiving people.

I have to disagree with your note somewhat, though. The "tooltip" effect is
not ubiquous, it is not required by any specification, etc. Neither is the
"status line" effect (displaying the URL in the browser's status line on
mouseover), but it's something that _has_ been meant for showing the URL,
whereas the title attribute is not meant for that but for use as "advisory
title".

The direct deception, whether intentional or not, arises from the fairly
natural user behavior of looking at the status line to see the URL.

--
Jukka K. Korpela ("Yucca")
http://www.cs.tut.fi/~jkorpela/

Re: Link in Title Attribute

am 29.09.2007 19:44:57 von bidarsan

"Blinky the Shark" wrote in message
news:slrnffqr4p.ebs.no.spam@thurston.blinkynet.net...
> Jonathan N. Little wrote:
>> Blinky the Shark wrote:
>>> I'd say this was a weird one. Someone in a not-HTML group (a browser
>>> group it was) this morning asked for a way to have the user that clicks
>>> on a link be sent to a URL in the anchor's title attribute rather than
>>> to the hreffed URL.
>>>
>>> Anyone ever heard of such?
>>>
>>> Yes, I have the thread set for "watch". I just thought it might be an
>>> interesting thing to look at here.
>>
>> It would be nasty eh? Well seems to work...I would say the JavaScript
>> would go in external file to complete the deception. The link will of th
>> thatway.html and not thisway.html, of course when JavaScript is enabled:
>
> Remind me to make sure NoScript has your sites in its crosshairs. ;)
>
> :)
>
>
> --
> Blinky RLU 297263
> Killing all posts from Google Groups
> The Usenet Improvement Project - http://improve-usenet.org

Weird? Yes. To fake out search engines? Possibly.

But the way I see it, Jonathan, who posted the "fiendish but creative code"
just gave phishers, scammers, and malware senders ANOTHER way to get people
to go to sites where the sole purpose in life is to cheat the poor slobs who
don't see the cheat.

First thing I thought of when I read the above was something like the
following:

"Use this link to change your Login info: Mobile Fun" [underlying link:
http:// 219.70.221.5/]

which is one of the scam/malware emails that can be found at my page
http://www.orangefrogproductions.com/ofp2s_malware_email_exa mple_009-011_page2.shtml.

From my experience, those who try to hide to where a page links, are trying
to pass viruses, spyware, porn, phishing pages, etc., not cheat the search
engines. Yes, those of us "in the know" can rollover the link and see the
underlying one, and the title, so if a link appears in that attribute that
doesn't match, we can be forwarned. But "Average Joe/Jane" user don't
realize the implications. (One of the reasons for my Scams info.)

Please be careful the code you post. (This is one of the first times I've
seen this type of questions and full code posted.) - You might just be
giving the "bad guys" more ammo! (It's nice to know how its done, but why
show THEM?)

(Sorry if I come off like being on a "high horse", but GEEZE!)

--
BigDaddyBS

Re: Link in Title Attribute

am 29.09.2007 20:44:51 von lws4art

BigDaddyBS wrote:

> But the way I see it, Jonathan, who posted the "fiendish but creative code"
> just gave phishers, scammers, and malware senders ANOTHER way to get people
> to go to sites where the sole purpose in life is to cheat the poor slobs who
> don't see the cheat.

Not really. My code was not that unique, nor creative. Most of the link
scamming is found in emails. If you allow JavaScript to run in email
and are dumb enough to click on links within emails, especially from
unknown sources you deserve what you get!

Of course it also helps to have client software that shows the status
bar by default, has option to block JavaScript manipulation of the
status bar. Punycodes those spoofed URLs...and last but not least a
little common sense in Layer 8.

> From my experience, those who try to hide to where a page links, are trying
> to pass viruses, spyware, porn, phishing pages, etc., not cheat the search
> engines. Yes, those of us "in the know" can rollover the link and see the
> underlying one, and the title, so if a link appears in that attribute that
> doesn't match, we can be forwarned. But "Average Joe/Jane" user don't
> realize the implications. (One of the reasons for my Scams info.)

> Please be careful the code you post. (This is one of the first times I've
> seen this type of questions and full code posted.) - You might just be
> giving the "bad guys" more ammo! (It's nice to know how its done, but why
> show THEM?)
>
> (Sorry if I come off like being on a "high horse", but GEEZE!)

As I said pure discussion and not very unique. There are much more
sophisticated was to misdirect a link.


--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com

Re: Link in Title Attribute

am 29.09.2007 23:05:32 von bidarsan

"Jonathan N. Little" wrote in message
news:bcad4$46fe9d18$40cba7bd$25838@NAXS.COM...
> BigDaddyBS wrote:
>
>> But the way I see it, Jonathan, who posted the "fiendish but creative
>> code" just gave phishers, scammers, and malware senders ANOTHER way to
>> get people to go to sites where the sole purpose in life is to cheat the
>> poor slobs who don't see the cheat.
>
> Not really. My code was not that unique, nor creative. Most of the link
> scamming is found in emails. If you allow JavaScript to run in email and
> are dumb enough to click on links within emails, especially from unknown
> sources you deserve what you get!

My point is that there are VERY many people who only know email and get to
the internet BY clicking on links in them. Few of them know to (or HOW to)
check each link, and many of them are scammed every day. Dumb doesn't enter
into it. "Inexperienced" and "naive" do NOT equate to "dumb". SHOULD they
know better? Sure, but many don't, and don't know how to use search engines
to find out about it. Should they have internet access if they are that
naive? Of course. For some people, it's their only contact with the "outside
world". For example, my late grandmother, 91yo - died this year, kept in
contact with her boys, her grandkids and great-grandkids via email and the
occassional IM. And she had our family to tell her what to watch out for.
But there are many who don't have that "backup" to help them. Why should
they have to suffer the losses imposed by the "bad guys"? According to your
statement, they deserve it. I disagree, wholeheartedly!

> Of course it also helps to have client software that shows the status bar
> by default, has option to block JavaScript manipulation of the status bar.
> Punycodes those spoofed URLs...and last but not least a little common
> sense in Layer 8.

Whose common sense? Many people have tons of common sense, but don't know
that much about computers (see above). And again, why should those without
CCS (Computer Common Sense) be made to suffer?

>> From my experience, those who try to hide to where a page links, are
>> trying to pass viruses, spyware, porn, phishing pages, etc., not cheat
>> the search engines. Yes, those of us "in the know" can rollover the link
>> and see the underlying one, and the title, so if a link appears in that
>> attribute that doesn't match, we can be forwarned. But "Average Joe/Jane"
>> user don't realize the implications. (One of the reasons for my Scams
>> info.)
>
>> Please be careful the code you post. (This is one of the first times I've
>> seen this type of questions and full code posted.) - You might just be
>> giving the "bad guys" more ammo! (It's nice to know how its done, but why
>> show THEM?)
>>
>> (Sorry if I come off like being on a "high horse", but GEEZE!)
>
> As I said pure discussion and not very unique. There are much more
> sophisticated was to misdirect a link.

My point there is - unique or not, unsophisticated or not - there are those
HS and younger buttheads who will try anything (no matter who it hurts) for
fun. Why should we TEACH them - give them complete code (as you did) to
screw up other people's lives and computers, and actually EXPLAIN to them
how to do it? Make them search harder, and possibly have to pull the pieces
together themselves. You can qualify it as "pure discussion" if you like,
but that means that someone could post full code for viruses, and get away
with it by saying the same thing. (And I'm sure there are sites and
newsgroups with ALL of that crap on them!) Why make it so easy to find?

> --
> Take care,
>
> Jonathan
> -------------------
> LITTLE WORKS STUDIO
> http://www.LittleWorksStudio.com

Jonathan, your motives may have been pure. I'm not slamming you as a person
(don't know you well enough! :-) ), just the posting of actual, full code to
do nasty things, again, no matter how "pure" the original poster (other
newsgroup) meant it.

Ok... I think I've "vented my spleen". All I'm saying is that we think about
what we are posting, and what it could do to those "dumb" people. Huh?

--
bigdaddybs

Re: Link in Title Attribute

am 01.10.2007 01:41:30 von nigel_moss

While the city slept, Jonathan N. Little (lws4art@centralva.net) feverishly
typed...

> If you allow JavaScript to run in email and are dumb enough
> to click on links within emails, especially from unknown
> sources you deserve what you get!

I can't speak for current versions (because I don't have one), but I
remember when Outlook Express (probably the most widely used email client on
the planet) allowed javascript to be executed in emails / newsgroup messages
out of the box. I found this out when some scrote posted a message to a
newsgroup that contained "while(1==1) { window.open; }" in it... After I
rebooted the PC I found out that OE uses the IE internet "safety" settings,
and by default used the Trusted setting. Altering that setting was the only
way to stop OE from executing Javascript - this option wasn't available in
any of OE's own settings.

So your comment that "If you allow javascript to run in email ... you
deserve what you get" is not really fair because many people may be allowing
javascript to run in emails without even knowing it.

Cheers,
Nige

--
Nigel Moss http://www.nigenet.org.uk
Mail address will bounce. nigel@DOG.nigenet.org.uk | Take the DOG. out!
"Your mother ate my dog!", "Not all of him!"

Re: Link in Title Attribute

am 01.10.2007 03:36:25 von lws4art

nice.guy.nige wrote:
> While the city slept, Jonathan N. Little (lws4art@centralva.net) feverishly
> typed...
>
>> If you allow JavaScript to run in email and are dumb enough
>> to click on links within emails, especially from unknown
>> sources you deserve what you get!
>
> I can't speak for current versions (because I don't have one), but I
> remember when Outlook Express (probably the most widely used email client on
> the planet) allowed javascript to be executed in emails / newsgroup messages
> out of the box. I found this out when some scrote posted a message to a
> newsgroup that contained "while(1==1) { window.open; }" in it... After I
> rebooted the PC I found out that OE uses the IE internet "safety" settings,
> and by default used the Trusted setting. Altering that setting was the only
> way to stop OE from executing Javascript - this option wasn't available in
> any of OE's own settings.
>

I dumped that turkey back in the 90's! Maybe we should put up a banner,
hirer a pilot and sky write, don't use OE for your email. Just about
anything else would be better! I still have old Communicator 4.61 on for
test and it has the ability to disable JavaScript in mail and
newsgroups, although back in 99 it was a more naive time it was on by
default!

> So your comment that "If you allow javascript to run in email ... you
> deserve what you get" is not really fair because many people may be allowing
> javascript to run in emails without even knowing it.

Maybe they should learn. I love this new Public Service ad that they are
running in the US lately showing a scruffy guy trying to pull the old
fake check scam to a lady on a bus. In person it very obvious that it's
bogus.. the ad tries to show that in an email it still stinks.

--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com

Re: Link in Title Attribute

am 01.10.2007 03:41:11 von Blinky the Shark

nice.guy.nige wrote:
> While the city slept, Jonathan N. Little (lws4art@centralva.net) feverishly
> typed...
>
>> If you allow JavaScript to run in email and are dumb enough
>> to click on links within emails, especially from unknown
>> sources you deserve what you get!
>
> I can't speak for current versions (because I don't have one), but I
> remember when Outlook Express (probably the most widely used email client on
> the planet) allowed javascript to be executed in emails / newsgroup messages
> out of the box. I found this out when some scrote posted a message to a
> newsgroup that contained "while(1==1) { window.open; }" in it... After I
> rebooted the PC I found out that OE uses the IE internet "safety" settings,
> and by default used the Trusted setting. Altering that setting was the only
> way to stop OE from executing Javascript - this option wasn't available in
> any of OE's own settings.
>
> So your comment that "If you allow javascript to run in email ... you
> deserve what you get" is not really fair because many people may be allowing
> javascript to run in emails without even knowing it.

I have the fix for that statement, then. "If you use Outlook Express,
you deserve what you get." :)

--
Blinky RLU 297263
Killing all posts from Google Groups
The Usenet Improvement Project - http://improve-usenet.org