[149683] in North American Network Operators' Group
Re: Dear RIPE: Please don't encourage phishing
daemon@ATHENA.MIT.EDU (Jimmy Hess)
Sat Feb 11 19:10:55 2012
In-Reply-To: <F08F9451-BE4A-4E04-8FA6-382ED92CF832@cs.columbia.edu>
Date: Sat, 11 Feb 2012 18:10:03 -0600
From: Jimmy Hess <mysidia@gmail.com>
To: Steven Bellovin <smb@cs.columbia.edu>
Cc: NANOG list <nanog@nanog.org>
On Fri, Feb 10, 2012 at 10:56 AM, Steven Bellovin <smb@cs.columbia.edu> wrote:
You know, clickable objects in automated business communications are a
standard practice: the larger the organization sending the message, the more
complicated and annoying its standard e-mail template full of HTML eye candy,
and the more clickable links to improve accessibility, with banks among the
worst offenders.
Those encourage phishing, because HTML just provides way too many
methods of faking a URL, or making a 'button' or 'link' go
somewhere other than where the e-mail text suggests.
All an e-mail user needs to do is click on one unknown link to be
quietly diverted to a fake website that will then ask the user to
"change" a password; it makes no difference whether the e-mail
itself is about passwords or a security issue or not.
Convincing the user to "log in" can be done while they are visiting
the fake website.
There are plenty of phishers that rely on convincing users to hit the
'reply' button and divulge sensitive info, with no clickable items
in the message at all.
But this particular item from RIPE appears to be a plain text message
(text/plain).
The message from RIPE is darn benign, and does not really encourage
phishing any further.
When was the last time you saw a phishing attempt in a text/plain
e-mail showing the name of an HTTPS location
on the real organization's web site?
If sending out a web address "encourages phishers", then what are
they supposed to provide to make sure maintainer users can easily
and quickly change their password?
RIPE's not encouraging phishing by sending such a message. MUA
developers who included text/html MIME type support, and support for
creating clickable objects in an HTML message, have very much
encouraged convincing phishing.
What RIPE did there is a perfect example of what should be done:
send plain text e-mail with the URL location to review, no HTML
doodads.
They have no control over your e-mail client, which for some reason
perhaps turns a plaintext URL into something you can click.
> I received the enclosed note, apparently from RIPE (and the headers check out).
> Why are you sending messages with clickable objects that I'm supposed to use to
> change my password?
>
--
-JH
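The point above, that a text/plain message cannot hide where a URL goes while an HTML anchor can, is easy to check mechanically. The following is an added example, not code from the thread, from RIPE or from any MUA: it walks a MIME message, and for every text/html part flags anchors whose visible text names one host while the href points at another. Both sample messages are constructed for the example and use reserved example.org / example.net names; the "attacker" host is hypothetical.

```python
import email
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: what a plain-text password-change notice looks like.
# The URL is only text; nothing in the message can redirect a click elsewhere.
PLAIN_MSG = """From: ops@example.org
To: maintainer@example.net
Subject: Password reset
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

To change your password, visit https://www.example.org/change-password
"""

# Constructed sample: the same notice as HTML. The first anchor's visible
# text is the real site, but its href goes to a hypothetical attacker host.
# The second anchor is honest (visible host and href host agree).
HTML_MSG = """From: ops@example.org
To: maintainer@example.net
Subject: Password reset
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please visit <a href="http://attacker.example.net/login">https://www.example.org/change-password</a>
to change your password, or see <a href="https://example.org/help">example.org/help</a>.</p>
</body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Hostname of a URL or bare host/path string, lower-cased, without a leading 'www.'."""
    if "://" not in value:
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def deceptive_links(html):
    """Return (visible_text, href) for anchors whose text looks like a URL or host
    but whose href resolves to a different host. Anchors with non-URL text
    ("click here") are not judged here, since there is nothing to compare."""
    collector = _AnchorCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.anchors:
        if urlparse(href).scheme not in ("http", "https"):
            continue  # mailto:, relative links etc. are out of scope
        if len(text.split()) != 1 or "." not in text:
            continue  # visible text is prose, not a host or URL
        if _host(text) != _host(href):
            flagged.append((text, href))
    return flagged


def link_risk(raw_message):
    """Count text/html parts and collect deceptive anchors across a MIME message."""
    msg = email.message_from_string(raw_message)
    report = {"html_parts": 0, "deceptive": []}
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        report["html_parts"] += 1
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")
        report["deceptive"].extend(deceptive_links(body))
    return report


if __name__ == "__main__":
    print("text/plain:", link_risk(PLAIN_MSG))
    print("text/html: ", link_risk(HTML_MSG))
```

The plain-text message yields no HTML parts and nothing to flag; the HTML message yields one flagged anchor, the one whose visible text is the real organization's HTTPS address while the href is somewhere else. The heuristic only compares hosts when the visible text itself looks like a host or URL, which is exactly the spoof the post describes; a "click here" link is not judged, since nothing on screen contradicts its target.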