[unisog] Email clients enabling Phishing links: the new enemy
marchany at vt.edu
Mon Jul 7 22:45:00 GMT 2008
The classic conflict between security process vs. business process:
1. Security process -
a. No clickable links embedded in emails, to prevent phish-style attacks.
b. OR allow clickable links but include a warning that clicking on the link
from the email is a SERIOUS security risk.
2. Business process - Our biggest complaint from the university community
regarding our e-billing email notifications is the lack of a URL indicating
exactly where they go to do what they need to do. We send the emails in plain
text and, instead of hyperlinks, we inserted URLs that the recipient could cut
and paste into their browsers as they choose. We did this to avoid phish attacks.
3. Email clients (Mozilla, Exchange, etc.) will recognize the plaintext
designation as URLs and render them "clickable".
4. Solution?
a. Allow email clients to create clickable links, and give up an effective
phish attack solution: cut the link from the email & paste it in the URL field
of the browser.
b. No clickable links from emails.
c. Provide instructions on how to disable email client programs from
"smart formatting" emails.
How are you guys dealing with this scenario?
-Randy Marchany
VA Tech IT Security Office
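As an added example (not part of Randy's post or VT's own tooling), a small Python check of the plain-text policy described in 1a/4b: it builds the e-billing notification as a single text/plain part carrying a bare URL for cut-and-paste, and flags any outbound message that carries a text/html part or an anchor tag. The sender, recipient and URL are placeholders.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Matches an HTML anchor with an href attribute in any text part.
ANCHOR_RE = re.compile(r"<\s*a\b[^>]*\bhref", re.IGNORECASE)


def build_billing_notice(recipient: str, statement_url: str) -> EmailMessage:
    """Policy-compliant notice: one text/plain part, URL given as bare text."""
    msg = EmailMessage()
    msg["From"] = "ebilling@example.edu"  # placeholder sender
    msg["To"] = recipient
    msg["Subject"] = "Your e-bill statement is available"
    msg.set_content(
        "Your statement is ready.\n\n"
        "Copy and paste this address into your browser:\n"
        f"{statement_url}\n"
    )
    return msg


def build_html_notice(recipient: str, statement_url: str) -> EmailMessage:
    """Constructed non-compliant notice (HTML part with a clickable link)."""
    msg = EmailMessage()
    msg["From"] = "ebilling@example.edu"  # placeholder sender
    msg["To"] = recipient
    msg["Subject"] = "Your e-bill statement is available"
    msg.set_content(
        f'<p>Your statement is ready. <a href="{statement_url}">Pay now</a></p>',
        subtype="html",
    )
    return msg


def policy_violations(raw: bytes) -> list[str]:
    """Return the policy problems found in a serialized outbound message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    problems = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            problems.append("message contains a text/html part")
        if ctype.startswith("text/") and ANCHOR_RE.search(part.get_content()):
            problems.append(f"anchor tag found in {ctype} part")
    return problems
```

The check only enforces what the sender controls; a bare URL in a text/plain part can still be rendered clickable by the recipient's client, which is exactly the gap the post describes.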