posted by [personal profile] eftychia at 04:13pm on 2005-01-29

I'm about to hit the road to go get my nails done and drive down to Fairfax and set up sound for the Homespun Ceilidh Band gig tonight, and I'll likely be pretty much out of net-contact for the rest of the weekend (but hey, the comments will still be here when I'm back within reach). Before I go, I've got a question about the latest phishing spam I noticed in my mailbox...

Does this bit do what I think it does?

<a href="http://211.235.241.129/webscr/" 
   onMouseOver="window.status='https://www.paypal.com';return true;" 
   onMouseOut="window.status=' '; return true;">
   Click here to verify your Information</a>

It looks (to this reader who doesn't know Javascript) as though it'll make the little spot in the tool/widget-bar that normally displays the actual URL of a link when you mouse over it, display the link they want you to think you'd be going to instead of the one actually pointed to. Am I right? Does this work in most browsers (or, more importantly, HTML-aware mail apps) if Javascript is turned on?

'Cause if so, that's kind of icky. It means we can't just tell our stuck-with-dangerous-MUA friends and our insufficiently-net-savvy relatives to simply "make sure the tooltip URL and the displayed URL agree" to check for phishing. They really would have to go and view the source of each email message that includes links, and be patient enough (or have a sharp enough eye) to wade through the really fugly layout of the HTML code for most of these messages in order to spot this. Yuck. It's one thing for me to say, "Oh, that looks fishy but I'll open it anyhow; oh look, messy HTML, even more fishy; ah, there's the HREF, and looky at that, it points to a non-PayPal address." It's a whole 'nuther thing to expect my mother to do it. (She can run rings around me in modern versions of Word Perfect, but she'd be lost diving into HTML source.)

Worse, someone I spoke to at a photo lab who was complaining about her computer setup discovered that if she turns off Javascript in her mail app, a whole lot of things she depends on break (apparently the MUA configuration and the browser configuration interact even though they give the appearance of being two separate programs ... I was confused, but then I use neither Outlook nor Internet Explorer and have no idea how they affect each other). Unfortunately, my ranting Yet Again about how [expletive]ed up it is to have MAIL CLIENTS [expletive]ing EXECUTE [expletive]ing UNTRUSTED CODE sent as [expletive]ed attachments will a) take too much time and b) do nothing to solve this problem since idjits at various companies have already saddled users with that particular grievous error.

<voice tone="curmudgeon">Basically, nobody should be using those newfangled GUI Trojan horses disguised as mail programs, but that's easy for me to say because I don't like the user interface of any of them that I've seen so far anyhow.</voice>

If the above snippet of code does do what I think it does, and does it most places, then I guess the only sane approach for anyone who is stuck using a vulnerable MUA (i.e. one that executes Javascript) is: never click on a link in an email message, ever. (Remember that most worms these days will forge a return address from the infected machine's address book, which means there's a good chance they'll look like they come from someone you know. If someone incorporates a phishing scheme into a worm -- I'm betting it's been done by now -- then even "only click links in mail from people you know" isn't safe.) Which pretty much makes the program's ability to make links clickable a wasted feature, but oh well.
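As an added example (not code from the original post), here is a defender-side check that parses the links in an HTML message body and flags exactly the pattern quoted above: an href pointing at a bare IP address, or an onMouseOver handler that writes a different host into window.status than the one the href really goes to. The sample message and the 203.0.113.5 address are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# window.status='...' or window.status="..." inside an event-handler attribute.
STATUS_RE = re.compile(r"""window\.status\s*=\s*(['"])(.*?)\1""", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LinkAuditor(HTMLParser):
    """Collect each <a> whose href or onMouseOver looks like link spoofing."""

    def __init__(self):
        super().__init__()
        self.findings = []  # [(href, [reason, ...]), ...]

    def handle_starttag(self, tag, attrs):
        if tag != "a":  # HTMLParser lowercases tag and attribute names for us
            return
        a = {k: (v or "") for k, v in attrs}
        href = a.get("href", "")
        real_host = urlparse(href).hostname or ""
        reasons = []
        if IPV4_RE.match(real_host):
            reasons.append("href is a bare IP address")
        # The trick from the post: onMouseOver overwrites the status bar text,
        # so compare the host it claims against the host the href really uses.
        m = STATUS_RE.search(a.get("onmouseover", ""))
        if m:
            shown_host = urlparse(m.group(2).strip()).hostname or ""
            if shown_host and shown_host != real_host:
                reasons.append(f"status bar shows {shown_host} but href goes to {real_host}")
        if reasons:
            self.findings.append((href, reasons))


def audit_links(html):
    """Return the suspicious links found in one HTML message body."""
    parser = LinkAuditor()
    parser.feed(html)
    return parser.findings


# Constructed sample modelled on the snippet quoted above (TEST-NET address).
SAMPLE = """<a href="http://203.0.113.5/webscr/"
   onMouseOver="window.status='https://www.paypal.com';return true;"
   onMouseOut="window.status=' '; return true;">Click here to verify</a>
<a href="https://www.example.com/help">Help</a>"""
```

Running audit_links over a message body before it is rendered catches the status-bar trick without asking the reader to wade through the HTML source.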

There are 5 comments on this entry.
 
posted by [identity profile] lonebear.livejournal.com at 09:37pm on 2005-01-29
if you pass wheaton at about 11:00pm you can pick up the hubs.
 
posted by [identity profile] dglenn.livejournal.com at 09:44pm on 2005-01-29
Not likely tonight, but I might be able to hit that timing Sunday, Monday, or Tuesday, depending on when I head back home.
 
posted by [identity profile] en-ki.livejournal.com at 09:40pm on 2005-01-29
It really does mean that. And yes, it's consequently a bad idea to click on a link in an email, ever (unless you're sufficiently clueful, but it's a really bad idea to mention that possibility to someone who isn't, because they think they are).

I go into the Advanced thingy under the preferences for JavaScript in Firefox and disable "change status bar text" (and everything else except the accursed "change images"). Besides my real purpose, disabling obnoxious marquees, this lets me trust my status bar again (not that I do).
posted by [personal profile] siderea at 09:47pm on 2005-01-29
It DOES work on: IE 5.2.2; Camino v0.8; Netscape 4.7

It DOES NOT work on: Safari 1.0; Firefox 1.0

 
posted by [identity profile] chibidl.livejournal.com at 01:08am on 2005-01-30
Yeah, that trick works in IE and probably in Outlook, too. (Though I don't remember off the top of my head)

However, in order to get around stuff like that you don't have to be at all code-savvy or even actually turn off anything. There's an option in Outlook that lets you view messages in "plain-text format", which just means that it doesn't display any of the HTML and probably doesn't run Javascript, either. It doesn't convert the original message itself to plain text, just lets you view it that way. This probably means that HTML messages come out looking a lot like they do in your client, but, being a newly-converted Mac person, I have no way of knowing for sure.
