Individuals have faced phishing attacks for years. Criminals like the approach because it is inexpensive and it works. It is easy to set up a look-alike Web site on a compromised web server, blast out hundreds of thousands of emails containing bait, and collect credentials. The cost of doing so is very low; capturing the banking credentials of a single victim creates a profit. Once the phishing message or site is detected, the criminal simply moves to another compromised web server and repeats the process.
Corporations and governments have a much larger problem. Targeted phishing attacks, called spear phishing, are very difficult to automatically detect. Sophisticated attackers research their victims and customize the message for each recipient. This significantly increases delivery and success rates.
ISPs, corporations, and even DNS service providers apply a variety of techniques to identify and stop phishing. But for some unexplained reason, the real culprit goes unpunished: HTML email.
HTML originally became popular with the dawn of the public Internet in the mid-1990s. For Web sites, the HTML anchor tag for linking made sense. Instead of showing the actual URL, it is possible to hyperlink text or images. Hostile uses were less of an issue at the time, although some early Web site owners made use of linking to unexpected sites as a form of humour.
HTML rapidly began appearing in email, and over the years every mainstream email vendor has added support. Marketers love being able to control how messages are displayed, include images, and show more attractive “click here” links instead of raw URLs. HTML email also facilitates retrieving external images; marketers leverage this to track email open rates. This privacy invasion itself should have put an end to HTML email.
Even worse, HTML email directly facilitates phishing. In addition to linking words and images, it is trivial to display one URL and send the user to an entirely different URL when the link is clicked. From a security perspective, this continues to be entirely unacceptable.
There are two simple ways to virtually eliminate phishing. The first is to provide users with an option to disable HTML email display. While this might sound draconian to the marketing crowd, HTML provides very little benefit to the recipient. Instead of crafting cute, flashy emails, send useful information. Plain text is easier to read on PCs and mobile devices. An auto-reply option that informs the sender that their HTML email could not be displayed would help effect change.
The second, softer approach is to always display the real link URL to users. Since mail software is already parsing the HTML, it could display it inline. Or, alternatively, when a user clicks on a link, their mail software could pop up a window displaying the target URL to the user. While it might not be as attractive, it would give users the information they need to make an informed decision.
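Both approaches above can be prototyped in a few lines. The following is an added example, not code from the column or from any mail client: it parses an HTML message body with Python's standard `html.parser`, renders each link with its real target shown inline, and flags anchors whose visible text is itself a URL pointing at a different host than the `href`. The sample message is constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from anchor tags while building a
    plain-text rendering in which every link shows its real target."""
    def __init__(self):
        super().__init__()
        self.links, self.plain = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        (self._text if self._href is not None else self.plain).append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            self.links.append((self._href, text))
            self.plain.append(f"{text} <{self._href}>")  # always show the real URL
            self._href = None

def host_of(text):
    """Hostname of a URL-looking string (scheme optional), else None."""
    text = text.strip()
    if not URL_LIKE.fullmatch(text):
        return None
    host = urlparse(text if "://" in text else "http://" + text).hostname
    return host.lower() if host else None

def analyse(html):
    """Return (plain_text, mismatches); a mismatch is an (href, shown) pair
    where the visible text is a URL whose host differs from the href host."""
    p = LinkExtractor()
    p.feed(html)
    bad = [(h, t) for h, t in p.links
           if host_of(t) and host_of(h) and host_of(t) != host_of(h)]
    return re.sub(r"\s+", " ", "".join(p.plain)).strip(), bad

# Constructed sample message for this example (not a real mail)
SAMPLE = """<p>Dear customer, please verify your account at
<a href="http://login-example.invalid/verify">https://bank.example.com/verify</a>.</p>
<p>Or <a href="https://bank.example.com/help">click here</a> for help.</p>"""

if __name__ == "__main__":
    text, bad = analyse(SAMPLE)
    print(text)
    for href, shown in bad:
        print(f"WARNING: link shows {shown} but goes to {href}")
```

Generic "click here" text cannot be checked against the href, which is why the rendered text always carries the real URL even when no mismatch is flagged.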
HTML email is poorly implemented, violates users’ privacy, and enables serious criminal behaviour. If Apple, Google, and Microsoft implemented these simple changes, phishing would significantly decrease overnight. It’s time to take the bait out of email.
Have a security question you’d like answered in a future column? Email email@example.com