Sunday, February 25, 2007

Separating the actual URL hidden behind a link can help reduce phishing

Lately I have been getting a lot of phishing emails in my inbox. Over the years Yahoo has done a good job of redirecting those to the spam folder. Of course every now and then one or two might slip through the cracks, but it is only recently that I started getting a lot of phishing emails in my inbox: emails for Washington Mutual, PayPal, Bank of America, etc. It didn't matter whether I have an account with them or not. Luckily, over time I have developed the habit of hovering my mouse over the link to see what the actual URL behind it is. Sure enough, it was taking me to some other website instead of the one shown in the link. What surprises me most is that, though phishers have been using the same old method of deceiving users by making them click on fake URLs, the industry is still trying every other possible means but not separating the actual URL from the link.

Here is an example. I received this in my Yahoo mail today. If you hover your mouse over the link, you will see that the actual URL is something other than what is shown in the link text. (Be careful if you click on the URL.)
https://www.paypal.com/row/vst/id=11791677P5757633F

I know it is an ongoing battle between product managers and security professionals over where to draw the line between a feature and security. Allowing a user to click on a URL is a basic feature of an HTML page. HTML emails use the same feature, and phishers exploit it with a high success rate. The point I am trying to make is that email providers are spending a lot of money building robust phishing detection mechanisms while paying no attention to the URLs themselves. How hard is it to compare the actual URL (the link's href) with the text shown for the link? Whenever that text itself looks like a URL and names a different host than the href, the message can be marked as phishing or spam based on that and other criteria. If they don't want to mark it as phishing, the least they can do is display the actual URL separately from the link text and let the user copy and paste it if they want to. It is not a huge inconvenience to the user, but at the same time it can help reduce phishing attempts.

If a phishing URL could be displayed like this,

https://www.paypal.com/row/vst/id=11791677P5757633F (http://reseller4.ultrawhb.com/~mrbouble/.public/login.html)

then at least the customer is not fooled by the link text; if they copy and paste the wrong URL anyway, there is no solution to that.
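The check proposed above, written out as an added example (this is not code from the original post or from any mail provider): parse the HTML body of a message, pull out every link's href and its visible text, and flag the link when the text is itself a URL that names a different host than the href. Flagged links are rewritten in the "shown text (actual URL)" format suggested above. The sample message is constructed here to mirror the email quoted in the post; the host evil.example and the "Click here" link are assumptions added to show the cases the comparison can and cannot catch.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Return the lowercase host named by a URL-looking string, or None if the
    string is not a URL (e.g. 'Click here'). urlsplit().hostname drops any
    user:pass@ prefix, so 'http://www.paypal.com@evil.example/' yields
    'evil.example', which is the host a browser would actually contact."""
    text = text.strip()
    if "://" not in text:
        if not text.lower().startswith("www."):
            return None
        text = "http://" + text  # bare 'www.' text: treat as an http URL
    parts = urlsplit(text)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def classify(href, text):
    """'mismatch'    : link text is a URL whose host differs from the href host
       'match'       : both name the same host
       'no-url-text' : link text is not a URL, so there is nothing to compare"""
    text_host = host_of(text)
    if text_host is None:
        return "no-url-text"
    if host_of(href) != text_host:
        return "mismatch"
    return "match"


def annotate(html):
    """Return [(shown_text, href, verdict)] for every link in the body, where
    shown_text is 'text (actual URL)' for mismatched links and the plain text
    otherwise, i.e. the display format proposed in the post."""
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    results = []
    for href, text in parser.links:
        verdict = classify(href, text)
        shown = f"{text} ({href})" if verdict == "mismatch" else text
        results.append((shown, href, verdict))
    return results


# Constructed sample: the first link reproduces the message quoted in the post;
# the remaining three are assumed cases added to exercise the other verdicts.
SAMPLE = """
<p>Please confirm your account:
<a href="http://reseller4.ultrawhb.com/~mrbouble/.public/login.html">https://www.paypal.com/row/vst/id=11791677P5757633F</a></p>
<p><a href="https://www.paypal.com/help">https://www.paypal.com/help</a></p>
<p><a href="http://reseller4.ultrawhb.com/~mrbouble/.public/login.html">Click here</a></p>
<p><a href="http://www.paypal.com@evil.example/login.html">http://www.paypal.com</a></p>
"""

if __name__ == "__main__":
    for shown, href, verdict in annotate(SAMPLE):
        print(f"[{verdict:11}] {shown}")
```

Two caveats the output makes visible. A link whose text is just "Click here" cannot be caught by comparison at all, so the check is a supplement to other filters, not a replacement; and the comparison is on exact hosts, so www.paypal.com against paypal.com would be reported as a mismatch, which a deployed filter would relax by comparing registrable domains instead.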
