Buy Today!
Book Cover
The Music Video
You've got to see it to believe it: Check out the "Mister Spam Man" video at YouTube.
Search Dispatches
Archives
May 2019
March 2019
August 2018
July 2018
June 2018
May 2018
April 2018
December 2017
November 2017
September 2017
August 2017
July 2017
February 2017
March 2016
January 2016
November 2015
May 2015
April 2015
February 2015
January 2015
December 2014
November 2014
October 2014
September 2014
April 2013
February 2013
January 2013
December 2012
September 2012
August 2012
July 2012
June 2012
May 2012
April 2012
March 2012
February 2012
January 2012
December 2011
November 2011
October 2011
September 2011
August 2011
July 2011
June 2011
May 2011
April 2011
March 2011
February 2011
January 2011
December 2010
November 2010
October 2010
September 2010
August 2010
July 2010
June 2010
May 2010
April 2010
March 2010
February 2010
January 2010
December 2009
November 2009
October 2009
September 2009
August 2009
July 2009
June 2009
May 2009
April 2009
March 2009
February 2009
January 2009
December 2008
November 2008
October 2008
September 2008
August 2008
July 2008
June 2008
May 2008
April 2008
March 2008
February 2008
January 2008
December 2007
November 2007
October 2007
September 2007
August 2007
July 2007
June 2007
May 2007
April 2007
March 2007
February 2007
January 2007
December 2006
November 2006
October 2006
September 2006
August 2006
July 2006
June 2006
May 2006
April 2006
March 2006
February 2006
January 2006
December 2005
November 2005
October 2005
September 2005
August 2005
July 2005
June 2005
May 2005
April 2005
March 2005
February 2005
January 2005
December 2004
November 2004
Dispatches RSS Feed
Powered by Movable Type 3.121
Home The Book Training Events Tools Stats
Web log archive.
A Dispatch

« Wrong Hotel Transaction Nonsense | Main | More "Open The Attachment" Tricks »

August 01, 2011

Interesting Apple Mail Phishing Protection

One of those continually obnoxious Bank of America phishing email messages landed in my inbox this morning. I don't even have to open the message to know it's a phony because the Subject: line claims my online banking account has been blocked (or, in today's message "Account as Been Blocked" — WTH?).

Such messages are usually written with HTML so they can provide what looks to be a link to BofA, but whose real destination is some other site that tries to grab your login credentials. I do tend to open these messages just to see if the crooks are doing anything new in social engineering (that hasn't been used repeatedly for over a decade). I'll run the cursor over the link to see where the real destination is.

[Pause that thread for a moment.]

I recently switched my email client from Microsoft Entourage to Apple's own Mail program. My reason for the switch is that I had read plenty of negative things about the most recent Mac Office upgrade to email (now a Mac version of Outlook). Eventually for other client work, I'll need to upgrade to the newest Office, and with Apple continuing to obsolete older program generations with OS updates, I felt that my comfy Entourage's days were numbered (perhaps a big number now, but that won't last). And so, with trepidation about converting over a decade of email history in the process, I gave Apple Mail a try.

The transfer of old email messages was as tedious as some online discussions had suggested it would be. Apple Mail seems to choke on trying to convert too many Entourage emails in one gulp. After much twiddling and relaunching of Mail, I finally got the historical archive into Mail.

Having lived with Mail for a couple of weeks now, I can say that I'm satisfied with it. I do like the single inbox for all my accounts and services (like I use on the iPhone), but I also have a couple of UI suggestions for Apple. This isn't the place for those, so let's move on.

[We now rejoin the previous thread.]

When you run the cursor over an HTML link in Entourage, the actual destination URL appears in both the bottom of the window (immediately) and in a tooltip (after the usual delay). In Mail, the destination URL comes up only in a tooltip, so I have to wait a second or two for that to appear. When I ran the cursor over today's BofA phishing message, imagine my surprise when the tooltip showed the real bankofamerica.com domain (albeit to an unlikely subdirectory). Cue the sound of screeching tires.

Bank of America phishing page with bankofamerica.com tooltip

From other examples, I knew that Mail's link tooltips expand to show the entire URL, even if it runs to multiple lines. Therefore, this wasn't being truncated. At first, I thought (haughtily) that the crook had improperly coded the link tag, and that his entire phishing run would be for naught. Off to the source code!

<a rel="nofollow" href="http://www.1004bang.net/[removed]/index.html" target="_blank"><font color="#da0000"><strong><span> https://www.bankofamerica.com/unlock/</span> </strong></font></a>

So, the actual destination — a hijacked Korean web site — is in the link, but the HTML markup also includes a rel="nofollow" attribute. Although the rel attribute is part of the HTML standard, the usage of "nofollow" is somewhat controversial and applies primarily to influencing search engines. If you want to follow the paths on this subject, have a blast.

Getting back to Apple Mail's interpretation of this "nofollow" link, I was concerned that by displaying a tooltip with the tag's enclosed text, rather than the destination URL, users who knew enough to check URLs before clicking might be given the wrong information. The link could look "safe," when, in truth, the link could lead to a phony, credential-snarfing page.

What happens when a user clicks on a link marked this way?

To my surprise and delight, the default browser opened with the URL that showed up in the tooltip, not the link's href. Of course, bankofamerica.com has no "unlock" subdirectory off its root, so the server dutifully said it was a bad address ("Page Not Available").

Somewhere in the bowels of Apple Mail programmingdom, they determined that any HTML-formatted message that employed a rel="nofollow" attribute (whose usage is intended only for web site pages being crawled by search engines) is probably up to no good. This buried feature probably saved some Mac users from falling for this phishing trap.

Out of curiosity, I forwarded the message to my iPhone to see if its email client acted the same way. Few iOS Mail users know that you can tap-and-hold on a link to view the link's actual destination URL without navigating to the link. Unfortunately, the iPhone Mail app doesn't act the same way Mac Mail does. We need to be on our guard when we're on the go.

I guess this was a long piece just to describe my glee in finding an email client that takes a small step to protect users from crooks.

Posted on August 01, 2011 at 12:22 PM