Link in Title Attribute

[Blinky the Shark]

I'd say this was a weird one. Someone in a not-HTML group (a browser
group it was) this morning asked for a way to have the user that clicks
on a link be sent to a URL in the anchor's title attribute rather than
to the hreffed URL.

Anyone ever heard of such?

Yes, I have the thread set for "watch". I just thought it might be an
interesting thing to look at here.

 

[Jukka K. Korpela]

Scripsit Blinky the Shark:

I'd say this was a weird one. Someone in a not-HTML group (a browser
group it was) this morning asked for a way to have the user that
clicks on a link be sent to a URL in the anchor's title attribute
rather than to the hreffed URL.

It's of course impossible in HTML. Playing with JavaScript, you could modify
the href attribute value when the link is clicked on, or you could directly
tell the browser to go to a specific address. User agents with JavaScript
disabled or not in use would naturally keep using the original href
attribute. Maybe this is the idea? Cheating indexing robots to think that
the page links to page X when it in fact "links" to Y when JavaScript is
enabled.

Anyone ever heard of such?

Not about that particular technical idea, but I've seen a lot of crap on the
Web and many "clever" ideas of cheating, shooting oneself on the foot and
spitting at users.

 

[Jonathan N. Little]

I'd say this was a weird one. Someone in a not-HTML group (a browser
group it was) this morning asked for a way to have the user that clicks
on a link be sent to a URL in the anchor's title attribute rather than
to the hreffed URL.

Anyone ever heard of such?

Yes, I have the thread set for "watch". I just thought it might be an
interesting thing to look at here.

It would be nasty eh? Well seems to work...I would say the JavaScript
would go in external file to complete the deception. The link will of th
thatway.html and not thisway.html, of course when JavaScript is enabled:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
<meta http-equiv="content-language" content="en-us">
<title>Deception</title>

<script type="text/javascript">

function trick(e){
var me;
if(!e) var e=window.event;
if(e.target) me=e.target; // W3C
else if(e.srcElement) me=e.srcElement; // MSIE
if(me.nodeType == 3) me=me.parentNode; // Safari bug els with TEXT

me.href=me.title; // now do the switcheroo!
}

function initTrick(){
var dalink=document.getElementById('fakeout');

if(dalink.addEventListener){
dalink.addEventListener('click', trick, false);
}
else if(dalink.attachEvent){ //MS IE support
dalink.attachEvent('onclick', trick);
}
}

// attach event after page loads
if( window.addEventListener ) {
window.addEventListener('load',initTrick,false); //legacy
} else if( document.addEventListener ) {
document.addEventListener('load',initTrick,false); //proper
} else if( window.attachEvent ) {
window.attachEvent("onload", initTrick); //IE only
}

</script>

</head>
<body>
<p>Well, let's see here...
<a id="fakeout" href="thisway.html" title="thatway.html">Fake This Way</a>
</p>
</body>
</html>

 

[Blinky the Shark]

Scripsit Blinky the Shark:


It's of course impossible in HTML. Playing with JavaScript, you could modify
the href attribute value when the link is clicked on, or you could directly
tell the browser to go to a specific address. User agents with JavaScript
disabled or not in use would naturally keep using the original href
attribute. Maybe this is the idea? Cheating indexing robots to think that

If anything interesting appears from that poster, I'll report back in
this thread.

If anyone is interested that uses or is willing to set up
news.mozilla.org, the query appeared in mozilla.support.firefox and the
thread has the Subject header

clickable title

the page links to page X when it in fact "links" to Y when JavaScript is
enabled.

Not about that particular technical idea, but I've seen a lot of crap on the
Web and many "clever" ideas of cheating, shooting oneself on the foot and
spitting at users.

I'd classify this along with those. Naturally my first knee-jerk
response was "deception", but it doesn't seem very deceptive to have the
user directed to a URL that he's likely to plainly see on hovering and
which is just as visible in the anchor as is the href.

 

[Blinky the Shark]

It would be nasty eh? Well seems to work...I would say the JavaScript
would go in external file to complete the deception. The link will of th
thatway.html and not thisway.html, of course when JavaScript is enabled:

Remind me to make sure NoScript has your sites in its crosshairs.

<snip fiendish but creative code>

 

[Jukka K. Korpela]

Scripsit Blinky the Shark:

I'd classify this along with those. Naturally my first knee-jerk
response was "deception", but it doesn't seem very deceptive to have
the user directed to a URL that he's likely to plainly see on
hovering and which is just as visible in the anchor as is the href.

It might be intended to deceive search engines rather than users directly.
But such deception, too, is ultimately aimed at deceiving people.

I have to disagree with your note somewhat, though. The "tooltip" effect is
not ubiquous, it is not required by any specification, etc. Neither is the
"status line" effect (displaying the URL in the browser's status line on
mouseover), but it's something that _has_ been meant for showing the URL,
whereas the title attribute is not meant for that but for use as "advisory
title".

The direct deception, whether intentional or not, arises from the fairly
natural user behavior of looking at the status line to see the URL.

 

[BigDaddyBS]

Remind me to make sure NoScript has your sites in its crosshairs.

<snip fiendish but creative code>

Weird? Yes. To fake out search engines? Possibly.

But the way I see it, Jonathan, who posted the "fiendish but creative code"
just gave phishers, scammers, and malware senders ANOTHER way to get people
to go to sites where the sole purpose in life is to cheat the poor slobs who
don't see the cheat.

First thing I thought of when I read the above was something like the
following:

"Use this link to change your Login info: Mobile Fun" [underlying link:
http:// 219.70.221.5/]

which is one of the scam/malware emails that can be found at my page
http://www.orangefrogproductions.com/ofp2s_malware_email_example_009-011_page2.shtml.

From my experience, those who try to hide to where a page links, are trying
to pass viruses, spyware, porn, phishing pages, etc., not cheat the search
engines. Yes, those of us "in the know" can rollover the link and see the
underlying one, and the title, so if a link appears in that attribute that
doesn't match, we can be forwarned. But "Average Joe/Jane" user don't
realize the implications. (One of the reasons for my Scams info.)

Please be careful the code you post. (This is one of the first times I've
seen this type of questions and full code posted.) - You might just be
giving the "bad guys" more ammo! (It's nice to know how its done, but why
show THEM?)

(Sorry if I come off like being on a "high horse", but GEEZE!)

 

[Jonathan N. Little]

But the way I see it, Jonathan, who posted the "fiendish but creative code"
just gave phishers, scammers, and malware senders ANOTHER way to get people
to go to sites where the sole purpose in life is to cheat the poor slobs who
don't see the cheat.

Not really. My code was not that unique, nor creative. Most of the link
scamming is found in emails. If you allow JavaScript to run in email
and are dumb enough to click on links within emails, especially from
unknown sources you deserve what you get!

Of course it also helps to have client software that shows the status
bar by default, has option to block JavaScript manipulation of the
status bar. Punycodes those spoofed URLs...and last but not least a
little common sense in Layer 8.

From my experience, those who try to hide to where a page links, are trying
to pass viruses, spyware, porn, phishing pages, etc., not cheat the search
engines. Yes, those of us "in the know" can rollover the link and see the
underlying one, and the title, so if a link appears in that attribute that
doesn't match, we can be forwarned. But "Average Joe/Jane" user don't
realize the implications. (One of the reasons for my Scams info.)

Please be careful the code you post. (This is one of the first times I've
seen this type of questions and full code posted.) - You might just be
giving the "bad guys" more ammo! (It's nice to know how its done, but why
show THEM?)

(Sorry if I come off like being on a "high horse", but GEEZE!)

As I said pure discussion and not very unique. There are much more
sophisticated was to misdirect a link.

 

[BigDaddyBS]

Not really. My code was not that unique, nor creative. Most of the link
scamming is found in emails. If you allow JavaScript to run in email and
are dumb enough to click on links within emails, especially from unknown
sources you deserve what you get!

My point is that there are VERY many people who only know email and get to
the internet BY clicking on links in them. Few of them know to (or HOW to)
check each link, and many of them are scammed every day. Dumb doesn't enter
into it. "Inexperienced" and "naive" do NOT equate to "dumb". SHOULD they
know better? Sure, but many don't, and don't know how to use search engines
to find out about it. Should they have internet access if they are that
naive? Of course. For some people, it's their only contact with the "outside
world". For example, my late grandmother, 91yo - died this year, kept in
contact with her boys, her grandkids and great-grandkids via email and the
occassional IM. And she had our family to tell her what to watch out for.
But there are many who don't have that "backup" to help them. Why should
they have to suffer the losses imposed by the "bad guys"? According to your
statement, they deserve it. I disagree, wholeheartedly!

Of course it also helps to have client software that shows the status bar
by default, has option to block JavaScript manipulation of the status bar.
Punycodes those spoofed URLs...and last but not least a little common
sense in Layer 8.

Whose common sense? Many people have tons of common sense, but don't know
that much about computers (see above). And again, why should those without
CCS (Computer Common Sense) be made to suffer?

As I said pure discussion and not very unique. There are much more
sophisticated was to misdirect a link.

My point there is - unique or not, unsophisticated or not - there are those
HS and younger buttheads who will try anything (no matter who it hurts) for
fun. Why should we TEACH them - give them complete code (as you did) to
screw up other people's lives and computers, and actually EXPLAIN to them
how to do it? Make them search harder, and possibly have to pull the pieces
together themselves. You can qualify it as "pure discussion" if you like,
but that means that someone could post full code for viruses, and get away
with it by saying the same thing. (And I'm sure there are sites and
newsgroups with ALL of that crap on them!) Why make it so easy to find?

Jonathan, your motives may have been pure. I'm not slamming you as a person
(don't know you well enough! ), just the posting of actual, full code to
do nasty things, again, no matter how "pure" the original poster (other
newsgroup) meant it.

Ok... I think I've "vented my spleen". All I'm saying is that we think about
what we are posting, and what it could do to those "dumb" people. Huh?

 

[nice.guy.nige]

While the city slept, Jonathan N. Little ([email protected]) feverishly
typed...

If you allow JavaScript to run in email and are dumb enough
to click on links within emails, especially from unknown
sources you deserve what you get!

I can't speak for current versions (because I don't have one), but I
remember when Outlook Express (probably the most widely used email client on
the planet) allowed javascript to be executed in emails / newsgroup messages
out of the box. I found this out when some scrote posted a message to a
newsgroup that contained "while(1==1) { window.open; }" in it... After I
rebooted the PC I found out that OE uses the IE internet "safety" settings,
and by default used the Trusted setting. Altering that setting was the only
way to stop OE from executing Javascript - this option wasn't available in
any of OE's own settings.

So your comment that "If you allow javascript to run in email ... you
deserve what you get" is not really fair because many people may be allowing
javascript to run in emails without even knowing it.

Cheers,
Nige

 

[Jonathan N. Little]

While the city slept, Jonathan N. Little ([email protected]) feverishly
typed...


I can't speak for current versions (because I don't have one), but I
remember when Outlook Express (probably the most widely used email client on
the planet) allowed javascript to be executed in emails / newsgroup messages
out of the box. I found this out when some scrote posted a message to a
newsgroup that contained "while(1==1) { window.open; }" in it... After I
rebooted the PC I found out that OE uses the IE internet "safety" settings,
and by default used the Trusted setting. Altering that setting was the only
way to stop OE from executing Javascript - this option wasn't available in
any of OE's own settings.

I dumped that turkey back in the 90's! Maybe we should put up a banner,
hirer a pilot and sky write, don't use OE for your email. Just about
anything else would be better! I still have old Communicator 4.61 on for
test and it has the ability to disable JavaScript in mail and
newsgroups, although back in 99 it was a more naive time it was on by
default!

So your comment that "If you allow javascript to run in email ... you
deserve what you get" is not really fair because many people may be allowing
javascript to run in emails without even knowing it.

Maybe they should learn. I love this new Public Service ad that they are
running in the US lately showing a scruffy guy trying to pull the old
fake check scam to a lady on a bus. In person it very obvious that it's
bogus.. the ad tries to show that in an email it still stinks.

 

[Blinky the Shark]

While the city slept, Jonathan N. Little ([email protected]) feverishly
typed...


I can't speak for current versions (because I don't have one), but I
remember when Outlook Express (probably the most widely used email client on
the planet) allowed javascript to be executed in emails / newsgroup messages
out of the box. I found this out when some scrote posted a message to a
newsgroup that contained "while(1==1) { window.open; }" in it... After I
rebooted the PC I found out that OE uses the IE internet "safety" settings,
and by default used the Trusted setting. Altering that setting was the only
way to stop OE from executing Javascript - this option wasn't available in
any of OE's own settings.

So your comment that "If you allow javascript to run in email ... you
deserve what you get" is not really fair because many people may be allowing
javascript to run in emails without even knowing it.

I have the fix for that statement, then. "If you use Outlook Express,
you deserve what you get."