Here's the eBay phishing attempt:
Outlook Express:

Thunderbird:

You can already see a slight difference between the clients. If you look at the link bar at the bottom, one seems to go to ebay.com and the other to signin.ebay.com.
If you click on the link in Outlook Express, you are taken to the fake page (which Firefox knows is a fake). You can see in the browser URL that the site is fake, i.e.: h-sohbi.com

If you click on the link in Thunderbird, you get taken to the genuine eBay page:

Huh? Taking a closer look at the phishing code, you can see the phisher has kindly labeled the ID as SPOOF:

So, it looks like this code renders differently between Outlook Express and Thunderbird, which is why you get taken to two different sites depending on which email client you are using.
Strike one up for Thunderbird :)