Stop phishing: Take the bait out of email
SECURITY SHELF


Individuals have faced phishing attacks for years. Criminals like the approach because it is inexpensive and it works. It is easy to set up a look-alike Web site on a compromised web server, blast out hundreds of thousands of emails containing bait, and collect credentials. The cost of doing so is very low; capturing the banking credentials of a single victim creates a profit. Once the phishing message or site is detected, the criminal simply moves to another compromised web server and repeats the process.

Corporations and governments have a much larger problem. Targeted phishing attacks, called spear phishing, are very difficult to automatically detect. Sophisticated attackers research their victims and customize the message for each recipient. This significantly increases delivery and success rates.


Some hostile emails continue to include first-stage malware infection code, such as obfuscated JavaScript that downloads and installs the second stage. But because detection and blocking mechanisms have improved, including a relevant, compelling link in the phishing message is now the more effective approach. Unlike their mass-mailing counterparts, sophisticated attacks use a different link for each victim to avoid detection and facilitate custom threat delivery. Some focus on credential theft, while others leverage malware specifically selected for the recipient.

ISPs, corporations, and even DNS service providers apply a variety of techniques to identify and stop phishing. But for some unexplained reason, the real culprit goes unpunished: HTML email.

HTML originally became popular with the dawn of the public Internet in the mid-1990s. For Web sites, the HTML anchor tag for linking made sense. Instead of showing the actual URL, it is possible to hyperlink text or images. Hostile uses were less of an issue at the time, although some early Web site owners made use of linking to unexpected sites as a form of humour.

HTML rapidly began appearing in email, and over the years every mainstream email vendor has added support. Marketers love being able to control the display of messages, include images, and use more attractive “click here” links instead of displaying URLs. HTML email also facilitates retrieving external images; marketers leverage this to track email open rates. This privacy invasion itself should have put an end to HTML email.

Even worse, HTML email directly facilitates phishing. In addition to linking words and images, it is trivial to display one URL and send the user to an entirely different URL when the link is clicked. From a security perspective, this continues to be entirely unacceptable.

There are two simple ways to virtually eliminate phishing. The first is to provide users with an option to disable HTML email display. While this might sound draconian to the marketing crowd, HTML provides very little benefit to the recipient. Instead of crafting cute, flashy emails, send useful information. Plain text is easier to read on PCs and mobile devices. An auto-reply option that informs the sender that their HTML email could not be displayed would help effect change.

The second, softer approach is to always display the real link URL to users. Since mail software is already parsing the HTML, it could display the real target URL inline next to the link text. Alternatively, when a user clicks on a link, their mail software could pop up a window displaying the target URL to the user. While it might not be as attractive, it would give users the information they need to make an informed decision.
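As an added illustration of the second approach (this is example code written for this column, not code from any mail client), the following Python uses only the standard library to parse an HTML message body, render every link with its real target shown inline, and flag anchors whose visible text names one site while the href points somewhere else. The sample message body is constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible anchor text that itself looks like a URL or a bare domain name.
URL_LIKE = re.compile(r"^(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:/\S*)?$", re.I)

def host_of(s):
    """Lowercase hostname of a URL or bare domain, leading 'www.' dropped ('' if none)."""
    if "://" not in s:
        s = "http://" + s
    h = (urlparse(s).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h

class LinkRevealer(HTMLParser):
    """Render an HTML body as text with each link's real href shown inline."""
    def __init__(self):
        super().__init__()
        self._href = None   # href of the anchor currently open, if any
        self._text = []     # visible text collected inside that anchor
        self.links = []     # (visible_text, href, mismatch) for every anchor
        self.out = []       # pieces of the rendered text

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
        elif tag in ("br", "p", "div", "tr", "li"):
            self.out.append("\n")

    def handle_data(self, data):
        # Text inside an open anchor is held back until the anchor closes.
        (self.out if self._href is None else self._text).append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            # Mismatch: the text names one site but the href goes to another.
            mismatch = bool(URL_LIKE.match(text)) and host_of(text) != host_of(self._href)
            self.links.append((text, self._href, mismatch))
            self.out.append(f"{text} <{self._href}>")
            self._href = None

def reveal_links(html):
    """Return (rendered_text, links) for an HTML email body."""
    p = LinkRevealer()
    p.feed(html)
    p.close()
    return "".join(p.out), p.links

# Constructed sample message: the first link's text names one site, its href another.
SAMPLE = ('<p>Your account needs attention.</p><p>Sign in at '
          '<a href="http://login.example-bank.test/verify">https://www.example-bank.com</a> '
          'or read our <a href="https://www.example-bank.com/help">help page</a>.</p>')
```

Calling `reveal_links(SAMPLE)` yields the message as plain text with `https://www.example-bank.com <http://login.example-bank.test/verify>` in place of the first link, and the returned link list marks that anchor as a mismatch while the plain “help page” link is not.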

HTML email is poorly implemented, violates users’ privacy, and enables serious criminal behaviour. If Apple, Google, and Microsoft implemented these simple changes, phishing would significantly decrease overnight. It’s time to take the bait out of email.

Have a security question you’d like answered in a future column? Email eric.jacksch@iticonline.ca
