
Phish-Proofing URLs in Email?

John Levine

For those who've been living in an e-mail-free cave for the past year, phishing has become a huge problem for banks. Every day I get dozens of urgent messages from a wide variety of banks telling me that I'd better confirm my account info pronto. Early bank phishes were pretty clumsy, but the crooks have gotten better at it, and current phishes can look very authentic. See the archive of recent phishes at antiphishing.org for some examples.

A very common trick is the fake link, in which the link you think you're clicking on isn't the one you're really clicking on, like this:

http://www.bigbank.com

The link looks like it's to bigbank.com, but really it's to a fake web site at badguy.com.

Several people have been floating proposals to extend authentication schemes to the URLs in a mail message. A sender might declare that all of the links in it are to its own domain; e.g., if the sender is bigbank.com, all of the links have to be to bigbank.com or maybe www.bigbank.com. Current path authentication schemes don't handle this, but it wouldn't be too hard to retrofit into SPF. Signature schemes wouldn't need any changes, other than for the software that signs the mail to check the mail first and decline to sign it if it contains nasty stuff.

The hardest part of implementing this is for the banks to adjust the way that they send their mail. I get a fair amount of bank mail: notices that a credit card bill is available, confirmation that I've made a change to an account, or that a deposit account has gone above or below a specified amount. Remarkably few of those messages come from anywhere you might recognize. More often than not they come from a service bureau that handles the function for the bank, not from the bank itself. (I passed some of these messages around to experienced spam-fighting friends, most of whom couldn't tell whether they were real.)

So the question is, is it worth the effort to make all of the senders and URLs match up? At this point, my feeling is probably not. If we're going to use message signatures, it doesn't matter what's in the message so long as you trust the signer.

By John Levine, Author, Consultant & Speaker
Related topics: Cybersecurity, Email, Spam

Re: Phish-Proofing URLs in Email? Suresh Ramasubramanian  –  Apr 18, 2005 5:32 PM PST

Given all the phishing fears around, a lot of people are not very inclined to trust any email at all that says it's from a bank.

Some banks deal with it in different ways ..

1. My wife has a Citibank account, and her statement (the only email they're supposed to send her) is in a PDF that has a unique password that's assigned to her. Phishers would have to already have phish data about a card before generating that password, so it is not likely they'd go to the time and expense of phishing there.

2. My bank (HSBC) just doesn't send email. They have a closed webmail interface on their ebanking site, where just two entities can send email that each other can see: HSBC support staff through their ticketing system, and me. Works just fine for me, I'd say.

Re: Phish-Proofing URLs in Email? The Famous Brett Watson  –  Apr 18, 2005 6:16 PM PST

On the matter of HSBC, that would explain the tactic used in the latest HSBC-phish I received.

"You did not read our internal security message that have been dispatched last week. You have received an important internal message from our bank concerning your account status. You got this email due to the fact that all other ways of contacting you were either not specified or did not reach you. We strongly advise you to review the message as soon as possible. [...bogus link...]"

Re: Phish-Proofing URLs in Email? Suresh Ramasubramanian  –  Apr 18, 2005 6:47 PM PST

Oh, HSBC also has this prominent banner on their homepage that warns you not to click on URLs you get in email.

Hmm, this time they have a link to a short tutorial on basic internet security linked from there.

Take a look at https://www.ebank.hsbc.com.hk to see what I mean. It's a JavaScript link so I can't post the URL here :(

Re: Phish-Proofing URLs in Email? Daniel R. Tobias  –  Apr 19, 2005 7:21 AM PST

Some banks (Citibank is a good example) don't help the situation, since they insist on using a whole profusion of silly-marketing-gimmick domain names instead of logical subdomains of their main domain; this means that customers can never be entirely sure which links are legitimate.  If they were all in citibank.com, you'd know they're real, but instead you have to know that they also use citi.com, citicards.com, a bunch of other citi[something] domains, and also some less-obvious ones like (I think) accountonline.com.

Re: Phish-Proofing URLs in Email? Larry Seltzer  –  Apr 22, 2005 8:10 AM PST

First, for the best banking phish you've ever seen read this page: http://www.antiphishing.org/phishing_archive/04-19-05_BOA/04-19-05_BOA.html

It seems to me that MUAs and e-mail-aware security programs like A/V should be in the business of looking for HTML links where the body of the link is an HTML link that doesn't agree with the actual target. Not hard at all to write. I ought to nag Microsoft to put it into Outlook Express pronto.

Re: Phish-Proofing URLs in Email? Daniel Golding  –  Apr 22, 2005 7:17 PM PST

Banks should simply not include links in their communications. If a bank or other institution must communicate via unencrypted email, they should simply say "visit our secure website for a message", with no link at all. If we have online banking we already know how to find the bank's website, don't we?

Also, isn't it high time that all online banking users received SecurID's when they open their accounts? The price per unit is extremely low now, and it seems like a reasonable precaution.

Re: Phish-Proofing URLs in Email? Justin Bajko  –  Apr 26, 2005 11:58 AM PST

Agreed regarding the comment about bank customers receiving SecurID tokens. Identity management is a subject that is most often sorely overlooked in the financial sector when it comes to its customers. Almost every person I know that works for a bank in a technical capacity carries a SecurID token, so the infrastructure is obviously in place. Why not extend it to the customers?

Also, banks require that users have browsers capable of encryption, so, why not require that they have e-mail clients that are equally capable? Signed and encrypted e-mail would go a long way to thwart this stuff, if you ask me, and the process to install a personal certificate is really not that complicated.

Re: Phish-Proofing URLs in Email? Alec Berry  –  Apr 27, 2005 7:59 AM PST

Is this necessary? I have installed ClamAV and SpamAssassin on our mail server; the few phishing attempts that make it through Clam get stopped by the URL lookups in SpamAssassin.

I do like the idea of SecurIDs, however. How about using the fancy microchip that's embedded in my bank card?

Re: Phish-Proofing URLs in Email? Suresh Ramasubramanian  –  Apr 27, 2005 8:01 AM PST

So you think email is the only channel phishes are sent over? :)

Re: Phish-Proofing URLs in Email? Alec Berry  –  Apr 27, 2005 8:06 AM PST

No, but that is what the article is about. I'm not sure what other types of phishing channels you are referring to… hacking the bank's home page is a different technical issue (has that been done yet?).

Re: Phish-Proofing URLs in Email? Doug Otis  –  May 01, 2005 3:31 PM PST

I agree that simply trusting the signature would be a way banks could prevent phishing. Currently S/MIME is readily available, but a major OS manufacturer's prevalent use of “pretty” names rather than showing the mailbox address (which indicates the key selected) greatly weakens this solution. DomainKeys also looks interesting in respect to offering real sender protections. At least with a signature scheme, if there is a breach in security, there are fewer places that problems could occur.
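Doug's point is that a signature binds the mailbox address, while the reader only sees the display name. A receiving filter can close that gap by comparing what the display name claims against the mailbox that was actually signed. The following is an added example and not the commenter's code or any S/MIME or DomainKeys implementation; the signer domain is passed in as a parameter (in practice it would come from the verified certificate or the DomainKeys d= tag, which this example does not parse), and the sample From headers and domains are constructed.

```python
"""Compare the display name a 'pretty name' MUA shows against the signed
mailbox address in a From header (added example, constructed inputs)."""
import re
from email.utils import parseaddr

# Tokens that look like a hostname, e.g. "bigbank.example" inside a display name.
_HOSTLIKE = re.compile(r"[\w-]+(?:\.[\w-]+)+")


def same_org(host, domain):
    """True when host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def mailbox_domain(from_header):
    """Domain of the actual mailbox in a From header, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def display_name_claims(from_header):
    """Hostname-like tokens in the display name, i.e. what the reader is shown."""
    name, _ = parseaddr(from_header)
    return {token.lower() for token in _HOSTLIKE.findall(name)}


def assess_from(from_header, signer_domain):
    """Return (ok, reason). ok is True only when the mailbox is covered by the
    verified signer's domain AND the display name does not claim another domain."""
    signer_domain = signer_domain.lower()
    dom = mailbox_domain(from_header)
    if not dom:
        return False, "From header carries no mailbox address"
    if not same_org(dom, signer_domain):
        return False, f"mailbox domain {dom} is not covered by signer {signer_domain}"
    foreign = {c for c in display_name_claims(from_header)
               if not (same_org(c, dom) or same_org(dom, c))}
    if foreign:
        return False, f"display name claims {sorted(foreign)} but mailbox is at {dom}"
    return True, f"display name and mailbox agree, signed by {signer_domain}"


# Constructed headers: one honest, one with a brand in the name and a foreign
# mailbox, one signed by a service bureau rather than the bank itself.
SAMPLES = [
    ('"BigBank Security" <alerts@bigbank.example>', "bigbank.example"),
    ('"bigbank.example Alerts" <alerts@badguy.example>', "badguy.example"),
    ('"BigBank" <alerts@bigbank.example>', "bureau.example"),
]

if __name__ == "__main__":
    for header, signer in SAMPLES:
        print(header, "->", assess_from(header, signer))
```

The third sample is the service-bureau case from the article: the signature is perfectly valid, just not from the domain the reader would associate with the bank, which is why the article concludes that what matters is whether you trust the signer rather than what the message contains.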
