The Original

As released originally, the exploit used scripting. However, the only purpose of scripting was to conveniently insert a character with ASCII code 1.

The 'b' versions include the '0x01' character after the '@' sign.

[1 scripting] [1b scripting]

No Scripting

The same effect can be achieved without scripting, by inserting the x01 character directly:
[2 binary 0x01] Goto FakeBank [2b binary 0x01] Goto FakeBank

Or use the HTML entity '&#001':
[3 html 0x01] Goto FakeBank [3b html 0x01] Goto FakeBank

Better hidden

If you hover over the link above, you will see the real URL in your bottom status bar. This version inserts spaces to push the real URL off the screen (may not work if you have a large screen):
[spaces] Link 4A Fake Bank Link 4B Fake Bank

Or just used another '%001':
Link 5A Goto FakeBank Link 5B Goto FakeBank

Credits: This page is based on the release by www.zapthedingbat.com .