[unisog] Email clients enabling Phishing links: the new enemy

Paul FM paulfm at me.umn.edu
Tue Jul 8 03:07:17 GMT 2008

I see this as confusing a band-aid with a security solution.
The band-aid is to make it harder to click on links in e-mails so users are 
supposedly forced to think about the url before pasting it into their 
browser.  The truth is they won't think about it anyway so it is no more 
secure.  A little user education is a much better solution - with a few spam 
messages sent out to make the point clear (nothing dangerous - just messages 
which look legit that have urls which are faked to look ok - maybe with a 
record to let you know who clicked on the links so you can schedule 
additional training).  Unfortunately, the more you protect users - the less 
prepared they will be when that protection fails.

Avoiding HTML mail will go a long way to making it fairly easy for the 
trained user to tell if a link is legit (users should be given instructions 
on how to set up their e-mail client to only display text messages) - if you 
want to make this really work, you could have a user chosen security 
signature or image which is included in every message that has a link, so the 
user has extra verification of the legitimacy of the message.  I actually set 
up a sendmail server a very long time ago which added the word FAKED to the 
FROM header of all mail from outside machines which said it come from the 
company domain (maybe now the word should be UNVERIFIED).

Always make sure that ALL click able links sent out always go to a site in 
your own domain (if you need to send them to an outside domain - do that 
through your own page which has a warning that they are about to be sent to 
an outside page ON WHICH THEY HAVE TO CLICK to proceed).  Try to always send 
them to an https site first (one with a certificate that is automatically 
accepted by their web browser).

If you want to avoid sending links - why not an message system where it 
simply sends them an e-mail that they have something new on the messaging 
system and they have ONE url (which they have bookmarked and is not included 
in the message) which brings them into the messaging system where they can 
view all the messages and links to what they have to do (this also avoids 
sending potentially private information via e-mail).  In other words, use 
e-mail for notification of only and have a communication website where they 
can get their internal (and very important) messages - even without using email.

The simple answer, there is no real security advantage to not having links in 
e-mails - there is an advantage to having users who understand the folly of 
mindlessly clicking on those links and how they can be tricked by them 
(sending an e-mail wiht example links every so often helps them understand 
the situation and learn how to spot dangerous links).

marchany at vt.edu wrote:
> The classic conflict between security process vs. business process:
> 1. Security process - 
> 	a. no clickable links embedded in emails to prevent phish style attacks. 
> 	b. OR allow clickable links but include warning that clicking on the link
>            from the email is a SERIOUS security risk
> 2. Business process - Our biggest complaint from the university community 
> regarding our e-billing email notifications is the lack of a url indicating 
> exactly where
> they go to do what they need to do. We send the emails in plain text and 
> instead of hyperlinks, we inserted urls that the recipient could cut and paste 
> into their browsers as they choose. We did this to avoid phish attacks.
> 3. Email clients (mozilla, exchange, etc.)  will recognize the plaintext 
> designation as urls and render them "click-able".
> 4. Solution?
> 	a. allow email clients to create clickable links and prevent us from
> 	   an effective phish attack solution: cut the link from the email &
> 	   paste it in the URL field of the browser.
> 	b. No clickable links from emails.
> 	c. provide instructions on how to disable email client programs from
> 	   "smart formatting" emails.
> How are you guy dealing with this scenario?
> 	-Randy Marchany
> 	VA Tech IT Security Office
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog

The views and opinions expressed above are strictly
those of the author(s).  The content of this message has
not been reviewed nor approved by any entity whatsoever.
Paul F. Markfort   Info/Web: http://www.menet.umn.edu/~paulfm

More information about the unisog mailing list