The second line is the text you see on the message, the href value on the first line is the URL where you're taken to.
This is a more sophisticated version, not only you're fooled with the text of the link. When you put your mouse over a link, some browsers show the real link where you're going to. With this little java script, a tooltip appears showing you the fake URL again. The real link will show anyway (depending on your browser and its settings) in the bar at the bottom of the window. But having the tooltip open in front of your eyes will divert your attention.
And here's the list
As you can see, there's a little bit of everything. Let's take a closer look at some
Namliong.com.tw exists and (I hope) is a legal site, the address is the one of their webmail server. We can assume that an unloyal employee named Kevin is using his system privileges to set up the phishing page under his root directory. I'll never know, the page is down now but there was no way to contact Namliong. I reported to the hosting service and the owner of the IP block, I guess one of them contacted Namliong and they deleted the page.
Believe it or not, this page was hosted by Yahoo. Someone actually paid to have this space available and used it for the phishing page. Why is so unbelievable? because the chances for a phishing page to survive for an extended period of time is pretty low. As a matter of fact, Yahoo took it down inmediatly. And not only the page, Yahoo was the domain name registrar and deleted the record. So, if you want the name gheghehackingstyle.com, hurry up. It's available now.
A different case of hosting, 110Mb is a free hoster. Something more reasonable if you don't expect the page to stay up for long. But not safer than Yahoo, 110Mb acted as fast and the page is gone.
Weird IP, isn't it? The IP number is there but in a format that a screening program wouldn't understand (unless is aware of this). The first page is gone but the other is still alive if you want to check it out. So how does this format work? Take the first one, 3631585476, if you turn it into hexadecimal format you'll get D87598C4. You can do that with Windows calculator in scientific mode, enter the number in Dec mode and turn to Hex mode. Any number in this format will give you 8 hexadecimal digits, now take them in groups of 2 and convert to decimal again. D8 is 216, 75 is 117, 98 is 152 and C4 is an explosive... sorry, 196. Ok, now you deobfuscated the addres and can use any of them. Try using one and then the other, this page is hosted at Geminios and if you do you'll get redirected to their 404 (page not found) page. Or try http://3631585476/pennfence, this is Penn Fencing Inc the legal owner of the site. In this case the site was hacked, most likely, due to management interface vulnerability.
The second page is inside the site of a company named Leader Smart in Hong Kong. According to them "Leader Smart (Hong Kong) Limited is a young progressive firm committed to providing information technology solutions". However, they don't seem to be good at keeping their own site safe... or it's part of the business. I've sent them many messages about this and they didn't even care to answer.
Two more hacked sites, at least I think so. The first one seems to be a russian commercial building. The other is "The academy of armoured force engenering" (SIC). And even with the scary front page, with all the cannons aiming at you, it was hacked.
Today we say good bye to the following mail users