[Dshield] CNN?

Tony Nichols tony at mail.applog.com
Tue Oct 16 14:00:27 GMT 2007


I just received an email that fits this scenario well:

From Samsclub credit services letting me know I can manage my account
via the web at samsclubcredit.com 

However, after seeing the address REALLY went to gemoney.com/"gibberish"
I became concerned. I continued to read the rest of the email.

The smart thing was... <drum roll please> they explained in detail:

Please Note: If you are concerned about clicking links in this email,
the Sam’s Club online services mentioned above can be accessed by typing
samsclubcredit.com directly into your browser.

This email was sent by GE Money Bank, the issuer of the Sam’s Credit
Card Account. You may contact us at 4246 South Riverboat Rd, Suite 200,
Salt Lake City, Utah, USA.

Still bothered me... but I had a much better feeling about it.

t o n y

On Mon, 2007-10-15 at 19:33 -0400, M Cook wrote:
> Johannes Ullrich wrote:
> > Sorry to contradict Deb here. But I don't have issues with redirects
> > like that. They are much more common than you think. For example, do you
> > enter "http://isc.sans.org" or "http://isc.sans.org/index.html" in your
> > browser? After you log in to DShield/ISC, you are redirected... there
> > are many situations that may require redirects like this or at least
> > they will make it much easier to create reasonable URLs and maintain
> > sanity on the backend.
> The automatic redirect that goes to the default document in a directory 
> is normal and common. I'd even be charitable and say you could put 
> "www.sans.org" in the text and "http://www.sans.org/index.html" in the 
> link, and I wouldn't complain. What I am complaining about is where the 
> link contains something radically different from the text. True, many 
> users wouldn't be able to see the distinction I am making, but I think 
> it is valid, and if it were the norm, more users might begin to spot it, 
> and protect themselves from phishing.
> I'm not really worried that anyone on this list is going to get caught 
> by a phishing email, or even be much confused by the CNN example I cite. 
> And I'll grant you that CNN is free to do anything it wants that works. 
> I just don't think it is a good idea for any legitimate business to use 
> the same sneaky tactics as phishers, or any sneaky tactics at all for 
> that matter.
> > Phishers use logos... should we get rid of them too and use a text-only web?
> I'm a fan of text-only e-mail, so my answer for email might not be 
> objective ... and I'm not a fan of web pages with logos, images, and 
> iframes that are loaded from different servers and networks, since most 
> of the time they aren't there to benefit me, and sometimes one site is 
> using the logo from another without permission. That's why I'd prefer an 
> HTTPS landing page for that e-mail link -- the site can have all the 
> images and logos they want, but visitors normally get warnings if some 
> parts are not from secure sites, and there is a bandwidth overhead, so 
> site designers might be encouraged to keep it a bit simple -- besides 
> providing a higher standard of identification. I'm sure CNN already has 
> a certificate, why not use it and show their customers that they meet 
> higher standards for trustworthiness, instead of linking their 
> reputation to the sleazy tactics of phishers.
> </rant>
> _________________________________________
> SANS Network Security 2007 in Las Vegas September 22-30. 39 courses,
> SANS top instructors.  http://www.sans.org/info/9346
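The check M Cook is asking users to make by eye (does the visible link text name a different site than the href actually goes to?) is easy to automate on the receiving side. The script below is an added example written for this post, not code from DShield, SANS or any of the posters. It parses an HTML mail body, extracts every anchor, and flags any anchor whose visible text looks like a hostname but whose href lands on a different registrable domain, so Tony's Sam's Club mail (text `samsclubcredit.com`, link to `gemoney.com/...`) is reported while Johannes's `isc.sans.org` vs `isc.sans.org/index.html` case is not. The sample email body and the `/r/example-token` path are constructed for the example, and `base_domain()` is a deliberate two-label approximation with no public-suffix list, so it would misjudge domains such as `example.co.uk`.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that looks like a hostname or URL, e.g. "samsclubcredit.com"
# or "http://isc.sans.org". Plain words such as "click here" do not match.
HOST_RE = re.compile(r'(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})', re.I)


def base_domain(host):
    """Crude registrable-domain approximation: the last two labels.
    Assumption: no public-suffix list, so 'example.co.uk' would be mishandled."""
    labels = host.lower().strip('.').split('.')
    return '.'.join(labels[-2:]) if len(labels) >= 2 else labels[0]


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._href = dict(attrs).get('href')
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            self.links.append((self._href, ''.join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def check_link(href, text):
    """Return None when the link is consistent with its text, else a reason string.
    Only links whose text asserts a hostname are judged; a redirect within the
    same registrable domain (index.html, login bounce) is accepted."""
    match = HOST_RE.search(text)
    if not match:
        return None  # the text makes no claim about where the link goes
    claimed = base_domain(match.group(1))
    parsed = urlparse(href if '://' in href else 'http://' + href)
    if not parsed.hostname:
        return 'href has no host'
    actual = base_domain(parsed.hostname)
    if claimed != actual:
        return f'text claims {claimed} but href goes to {actual}'
    return None


def find_mismatches(html):
    """All anchors in the body whose visible text and href disagree on domain."""
    hits = []
    for href, text in extract_links(html):
        reason = check_link(href, text)
        if reason:
            hits.append((href, text, reason))
    return hits


# Constructed sample body modelled on the mail described in the post.
SAMPLE_EMAIL = """
<p>Manage your account at <a href="https://www.gemoney.com/r/example-token">samsclubcredit.com</a>.</p>
<p>Read the handler diary at <a href="http://isc.sans.org/index.html">isc.sans.org</a>.</p>
<p>Or <a href="https://www.sans.org/">click here</a> for more.</p>
"""

if __name__ == '__main__':
    for href, text, reason in find_mismatches(SAMPLE_EMAIL):
        print(f'SUSPECT: "{text}" -> {href}: {reason}')
```

Run against a real mailbox, this is a triage heuristic rather than a verdict: as the thread notes, legitimate issuers do route through a third-party domain, so a hit means "read the rest of the mail and type the address yourself", which is exactly the advice the Sam's Club notice gave.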
