I'm about to hit the road to go get my nails done and drive
down to Fairfax and set up sound for the
Homespun Ceilidh Band
gig tonight, and I'll likely be pretty much out of net-contact for
the rest of the weekend (but hey, the comments will still be here
when I'm back within reach). Before I go, I've got a question
about the latest phishing spam I noticed in my mailbox...
Does this bit do what I think it does?
<a href="http://211.235.241.129/webscr/"
onMouseOver="window.status='https://www.paypal.com';return true;"
onMouseOut="window.status=' '; return true;">
Click here to verify your Information</a>
It looks (to this reader who doesn't know Javascript) as though
it'll make the little spot in the tool/widget-bar that normally
displays the actual URL of a link when you mouse over it, display
the link they want you to think you'd be going to instead of the
one actually pointed to. Am I right? Does this work in most
browsers (or, more importantly, HTML-aware mail apps) if Javascript
is turned on?
'Cause if so, that's kind of icky. It means we can't just tell
our stuck-with-dangerous-MUA friends and our insufficiently-net-savvy
relatives to simply "make sure the tooltip URL and the displayed
URL agree" to check for phishing. They really would have to go and
view the source of each email message that includes links, and be
patient enough (or have a sharp enough eye) to wade through the
really fugly layout of the HTML code for most of these messages
in order to spot this. Yuck. It's one thing for me to say, "Oh,
that looks fishy but I'll open it anyhow; oh look, messy HTML,
even more fishy; ah, there's the HREF, and looky at that, it points
to a non-PayPal address." It's a whole 'nuther thing to expect
my mother to do it. (She can run rings around me in modern versions
of Word Perfect, but she'd be lost diving into HTML source.)
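As an added example (not part of the original post), here is a small Python check that does mechanically what the paragraphs above describe doing by hand: pull every link out of the message's HTML, read the URL that the onMouseOver handler writes into window.status, and flag any anchor where the host it claims differs from the host the href actually points to. The sample message is constructed to mirror the snippet quoted above, and the function names are my own.

```python
"""Flag anchors whose onMouseOver status-bar text names a different host
than the href really points to. Added example, not code from the post;
the sample message is constructed to mirror the quoted phishing snippet."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one spoofed link (as in the quoted snippet) and one
# honest link with no status-bar trickery.
SAMPLE_HTML = """
<p>Dear customer,</p>
<a href="http://211.235.241.129/webscr/"
   onMouseOver="window.status='https://www.paypal.com';return true;"
   onMouseOut="window.status=' '; return true;">
Click here to verify your Information</a>
<p><a href="https://www.paypal.com/help">Help centre</a></p>
"""

# Matches window.status = '...' or window.status = "..." inside a handler.
STATUS_RE = re.compile(r"window\.status\s*=\s*(['\"])(.*?)\1")


class LinkCollector(HTMLParser):
    """Collect (href, onmouseover, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            a = {k.lower(): (v or "") for k, v in attrs}
            self._current = {"href": a.get("href", ""),
                             "onmouseover": a.get("onmouseover", ""),
                             "text": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._current is not None:
            self._current["text"] = " ".join(self._current["text"].split())
            self.links.append(self._current)
            self._current = None


def host_of(url):
    """Return the lowercase host of a URL, or '' if it has none."""
    return (urlparse(url.strip()).hostname or "").lower()


def spoofed_links(html):
    """Return [(href, claimed_status_url), ...] for anchors whose
    onMouseOver handler writes a URL into window.status that names a
    different host than the href itself."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for link in parser.links:
        m = STATUS_RE.search(link["onmouseover"])
        if not m:
            continue  # no status-bar rewriting on this link
        claimed = m.group(2)
        if host_of(claimed) and host_of(claimed) != host_of(link["href"]):
            findings.append((link["href"], claimed))
    return findings


if __name__ == "__main__":
    for href, claimed in spoofed_links(SAMPLE_HTML):
        print(f"status bar would show {claimed!r} but the link goes to {href!r}")
```

The check only compares hosts, so a handler that merely restates the real destination is not reported; it is the mismatch between what the status bar claims and where the href goes that marks the link as deceptive.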
Worse, someone I spoke to at a photo lab who was complaining
about her computer setup discovered that if she turns off
Javascript in her mail app, a whole lot of things she depends on
break (apparently the MUA configuration and the browser
configuration interact even though they give the appearance of being
two separate programs ... I was confused, but then I use neither Outlook
nor Internet Explorer and have no idea how they affect each other).
Unfortunately, my ranting Yet Again about how [expletive]ed up it
is to have MAIL CLIENTS [expletive]ing EXECUTE [expletive]ing
UNTRUSTED CODE sent as [expletive]ed attachments, will a) take too
much time and b) do nothing to solve this problem since idjits at
various companies have already saddled users with that particular
grievous error.
<voice tone="curmudgeon">Basically, nobody should
be using those newfangled GUI Trojan horses disguised as mail programs,
but that's easy for me to say because I don't like the user interface
of any of them that I've seen so far anyhow.</voice>
If the above snippet of code does do what I think it does, and
does it most places, then I guess the only sane approach for anyone
who is stuck using a vulnerable MUA (i.e. one that executes Javascript)
is: never click on a link in an email message, ever.
(Remember that most worms these days will forge a return address from
the infected machine's address book, which means there's a good chance
they'll look like they come from someone you know. If someone
incorporates a phishing scheme into a worm -- I'm betting it's been
done by now -- then even "only click links in mail from people you
know" isn't safe.) Which pretty much makes the program's ability to
make links clickable a wasted feature, but oh well.