August 01, 2011

Interesting Apple Mail Phishing Protection
One of those continually obnoxious Bank of America phishing email messages landed in my inbox this morning. I don't even have to open the message to know it's a phony because the Subject: line claims my online banking account has been blocked (or, in today's message "Account as Been Blocked" — WTH?).
Such messages are usually written with HTML so they can provide what looks to be a link to BofA, but whose real destination is some other site that tries to grab your login credentials. I do tend to open these messages just to see if the crooks are doing anything new in social engineering (that hasn't been used repeatedly for over a decade). I'll run the cursor over the link to see where the real destination is.
[Pause that thread for a moment.]
I recently switched my email client from Microsoft Entourage to Apple's own Mail program. My reason for the switch is that I had read plenty of negative things about the most recent Mac Office upgrade to email (now a Mac version of Outlook). Eventually for other client work, I'll need to upgrade to the newest Office, and with Apple continuing to obsolete older program generations with OS updates, I felt that my comfy Entourage's days were numbered (perhaps a big number now, but that won't last). And so, with trepidation about converting over a decade of email history in the process, I gave Apple Mail a try.
The transfer of old email messages was as tedious as some online discussions had suggested it would be. Apple Mail seems to choke on trying to convert too many Entourage emails in one gulp. After much twiddling and relaunching of Mail, I finally got the historical archive into Mail.
Having lived with Mail for a couple of weeks now, I can say that I'm satisfied with it. I do like the single inbox for all my accounts and services (like I use on the iPhone), but I also have a couple of UI suggestions for Apple. This isn't the place for those, so let's move on.
[We now rejoin the previous thread.]
When you run the cursor over an HTML link in Entourage, the actual destination URL appears in both the bottom of the window (immediately) and in a tooltip (after the usual delay). In Mail, the destination URL comes up only in a tooltip, so I have to wait a second or two for that to appear. When I ran the cursor over today's BofA phishing message, imagine my surprise when the tooltip showed the real bankofamerica.com domain (albeit to an unlikely subdirectory). Cue the sound of screeching tires.
From other examples, I knew that Mail's link tooltips expand to show the entire URL, even if it runs to multiple lines. Therefore, this wasn't being truncated. At first, I thought (haughtily) that the crook had improperly coded the link tag, and that his entire phishing run would be for naught. Off to the source code!
<a rel="nofollow" href="http://www.1004bang.net/[removed]/index.html" target="_blank"><font color="#da0000"><strong><span> https://www.bankofamerica.com/unlock/</span> </strong></font></a>
So, the actual destination — a hijacked Korean web site — is in the link, but the HTML markup also includes a rel="nofollow" attribute. Although the rel attribute is part of the HTML standard, the usage of "nofollow" is somewhat controversial and applies primarily to influencing search engines. If you want to follow the paths on this subject, have a blast.
Getting back to Apple Mail's interpretation of this "nofollow" link, I was concerned that by displaying a tooltip with the tag's enclosed text, rather than the destination URL, users who knew enough to check URLs before clicking might be given the wrong information. The link could look "safe," when, in truth, the link could lead to a phony, credential-snarfing page.
What happens when a user clicks on a link marked this way?
To my surprise and delight, the default browser opened with the URL that showed up in the tooltip, not the link's href. Of course, bankofamerica.com has no "unlock" subdirectory off its root, so the server dutifully said it was a bad address ("Page Not Available").
Somewhere in the bowels of Apple Mail programmingdom, they determined that any HTML-formatted message that employed a rel="nofollow" attribute (whose usage is intended only for web site pages being crawled by search engines) is probably up to no good. This buried feature probably saved some Mac users from falling for this phishing trap.
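As an added example (not Apple Mail's code, and not part of the original post), here is a small Python checker that applies the two heuristics this post touches on to the anchor tags in an HTML message body: visible link text that is itself a URL whose host differs from the host in the href, and a rel="nofollow" attribute appearing on a link inside an email. The sample message is constructed for the example; it is modelled on the tag quoted above, but with a hypothetical host (compromised.example) standing in for the real destination.

```python
"""Flag deceptive links in an HTML email body.

Two heuristics, both drawn from the phishing message discussed in the post:
  1. The visible link text is a URL, but its host differs from the href host.
  2. The link carries rel="nofollow", a search-engine hint with no job in mail.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect href, rel and the visible text of every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # (attrs dict, list of text chunks) while inside <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._flush()  # tolerate a missing </a> before the next <a>
            self._current = (dict(attrs), [])

    def handle_data(self, data):
        if self._current is not None:
            self._current[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a":
            self._flush()

    def close(self):
        super().close()
        self._flush()  # an unclosed trailing <a> still gets recorded

    def _flush(self):
        if self._current is None:
            return
        attrs, chunks = self._current
        self.links.append({
            "href": attrs.get("href") or "",
            "rel": attrs.get("rel") or "",
            "text": "".join(chunks).strip(),
        })
        self._current = None


def hostname_of(url):
    """Lowercased hostname of a URL, or '' if there is none (e.g. javascript:)."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def find_deceptive_links(html):
    """Return a list of findings, one per suspicious <a>, each with its reasons."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for link in parser.links:
        reasons = []
        href_host = hostname_of(link["href"])
        shown = URL_RE.search(link["text"])
        if shown:
            shown_host = hostname_of(shown.group(0))
            # The reader sees one domain; the click goes to another.
            if shown_host and shown_host != href_host:
                reasons.append(
                    f"visible text names {shown_host} but href goes to {href_host or '(none)'}"
                )
        if "nofollow" in link["rel"].lower().split():
            reasons.append('rel="nofollow" on a link inside an email body')
        if reasons:
            findings.append({"href": link["href"], "text": link["text"], "reasons": reasons})
    return findings


# Constructed sample: the first anchor mirrors the structure of the phishing
# tag quoted in the post, with a hypothetical host in place of the real one;
# the other two are ordinary, legitimate links that must not be flagged.
SAMPLE_HTML = (
    '<p>Your account as been blocked. Please <a rel="nofollow" '
    'href="http://compromised.example/path/index.html" target="_blank">'
    '<font color="#da0000"><strong><span> https://www.bankofamerica.com/unlock/'
    '</span> </strong></font></a> to restore access.</p>'
    '<p><a href="https://www.bankofamerica.com/">https://www.bankofamerica.com/</a></p>'
    '<p><a href="https://www.bankofamerica.com/">Bank of America</a></p>'
)

if __name__ == "__main__":
    for f in find_deceptive_links(SAMPLE_HTML):
        print(f["href"], "->", "; ".join(f["reasons"]))
```

The host comparison is deliberately strict (www.example.com and secure.example.com count as different), which errs toward flagging; a client that wanted to accept sibling subdomains would compare registrable domains instead. Plain-word link text such as "Click here" carries no URL to compare, so it is never flagged by the first heuristic, which is exactly why the hover-to-see-the-destination habit the post describes still matters.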
Out of curiosity, I forwarded the message to my iPhone to see if its email client acted the same way. Few iOS Mail users know that you can tap-and-hold on a link to view the link's actual destination URL without navigating to the link. Unfortunately, the iPhone Mail app doesn't act the same way Mac Mail does. We need to be on our guard when we're on the go.
I guess this was a long piece just to describe my glee in finding an email client that takes a small step to protect users from crooks.

Posted on August 01, 2011 at 12:22 PM