Educause Security Discussion mailing list archives

Re: URL switching in e-mails


From: Joel Rosenblatt <joel () COLUMBIA EDU>
Date: Tue, 3 Jan 2006 15:03:18 -0500

Here is a sample of what we do:

The X-CU-modified: line is added:

X-CU-modified: BADURL http://61.156.7.140/www.marklebank.com/login.htm deactivated

And the link is commented out:

<!-- <a href="http://61.156.7.140/www.marklebank.com/login.htm"> -->Renew now<!-- </a> -->

The email looks the same, but you cannot click on the bad link by accident.

Joel Rosenblatt


Reply-To: <iBanking () markle com>
From: "iBanking () markle com"<iBanking () markle com>
Subject: Renew your Online Banking  information on Markle Bank
Date: Tue, 3 Jan 2006 15:26:42 +0200
MIME-Version: 1.0
Content-Type: text/html;
        charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server1517.dnslive.net
X-AntiAbuse: Original Domain - columbia.edu
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
X-AntiAbuse: Sender Address Domain - markle.com
X-Source:
X-Source-Args:
X-Source-Dir:
To: undisclosed-recipients:;
X-CU-modified: BADURL http://61.156.7.140/www.marklebank.com/login.htm deactivated
Content-Disposition: inline
X-Scanned-By: MIMEDefang 2.48 on 128.59.28.164

<FONT face=Arial size=2>&nbsp;
Dear Markle Bank&nbsp;Customer,<BR>&nbsp;
<DIV>&nbsp;</DIV>
<DIV>&nbsp;&nbsp; This is your official notification from Markle Bank that the service(s) listed below<BR>&nbsp;&nbsp; 
will be deactivated and deleted if not
renewed immediately. Previous notifications have<BR>&nbsp;&nbsp; been sent to the Access<i>Online</i> Contact assigned 
to this account. As the Primary Contact,
you<BR>&nbsp;&nbsp; must renew the service(s) listed below or it will be deactivated and deleted.
       <!-- <a href="http://61.156.7.140/www.marklebank.com/login.htm"> -->Renew now<!-- </a> --></DIV>
<DIV><BR>&nbsp;&nbsp; SERVICE : Markle Bank&nbsp;<EM></EM>Access<i>Online.</i> with Bill Payment.<BR>&nbsp;&nbsp;
 EXPIRATION: January&nbsp;1, 2006</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR>&nbsp;&nbsp; Thank you,</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;&nbsp;&nbsp;Markle Bank&nbsp;Online Banking Support, N.A.</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR>&nbsp;&nbsp; *****************************************************************************<BR>&nbsp;&nbsp; 
IMPORTANT CUSTOMER SUPPORT
INFORMATION<BR>&nbsp;&nbsp; *****************************************************************************</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;&nbsp; Please do not reply to this message. For any inquiries, contact Customer Service.</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;&nbsp; Document Reference: (92051208).</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;&nbsp; Markle Bank, N.A. Member FDIC.&nbsp; Equal Housing Lender.<BR>&nbsp;&nbsp;
       Copyright ) 2005 Markle Bank, N.A. All rights reserved.</DIV>



--On Tuesday, January 03, 2006 2:04 PM -0500 Justin Sipher <jsipher () skidmore edu> wrote:

All,

Happy New Year. I am curious to know how others deal with this e-mail related issue. As a part of our process to
protect our user community we do a variety of things from a SPAM and A/V perspective. One thing we do is look for
"bait-and-switch" URL swapping which is all too often used for Phishing. What I mean is when in an HTML based
e-mail it says one URL but the associated hyperlink is to a different URL. Our current approach is to insert text
into the body of the messages to alert our user to this discrepancy. The text we insert looks like this (with
fictional URLs in this case).



Joel Rosenblatt, Senior Security Officer & Windows Specialist, CUIT
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel - You can't spell seCUrITy without CUIT
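
The rewrite shown in this message (anchor tags commented out, an X-CU-modified header added) and the "bait-and-switch" check described in the quoted question, as an added Python example; it is not code from the thread or from Columbia's MIMEDefang filter. The function names, the host blocklist passed as a set, and the sample message with documentation-range addresses are assumptions made for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# One anchor: opening tag (group 1), href (2), link text (3), closing tag (4).
ANCHOR = re.compile(
    r'(<a\b[^>]*?\bhref\s*=\s*["\']?([^"\'\s>]+)["\']?[^>]*>)(.*?)(</a\s*>)',
    re.IGNORECASE | re.DOTALL)

def host(url):
    """Lower-cased host part of a URL; accepts scheme-less text like www.x.com."""
    return (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()

def is_suspect(href, text, bad_hosts):
    """True for a blocklisted host, or link text that shows a different host."""
    if host(href) in bad_hosts:
        return True
    shown = re.sub(r"<[^>]+>", "", text).strip()
    if not re.match(r"(?i)(https?://|www\.)\S+$", shown):
        return False  # plain wording such as "Renew now": nothing to compare
    return host(shown) != host(href)

def defang(raw, bad_hosts):
    """Return (rewritten message text, list of deactivated URLs)."""
    msg = message_from_string(raw)
    if msg.get_content_type() != "text/html":
        return raw, []
    hits = []
    def comment_out(m):
        open_tag, href, text, close_tag = m.groups()
        if not is_suspect(href, text, bad_hosts):
            return m.group(0)
        hits.append(href)
        # Tags go inside comments; the visible text stays where it was.
        return f"<!-- {open_tag} -->{text}<!-- {close_tag} -->"
    msg.set_payload(ANCHOR.sub(comment_out, msg.get_payload()))
    for url in hits:
        msg["X-CU-modified"] = f"BADURL {url} deactivated"
    return msg.as_string(), hits

# Constructed sample (documentation-range addresses, not from the thread).
SAMPLE = (
    "Subject: Renew\nMIME-Version: 1.0\nContent-Type: text/html\n\n"
    '<DIV><a href="http://192.0.2.10/www.example.com/login.htm">Renew now</a>\n'
    '<a href="http://198.51.100.7/x">www.example.com</a>\n'
    '<a href="http://www.example.org/help">http://www.example.org/</a></DIV>\n')

if __name__ == "__main__":
    print(defang(SAMPLE, {"192.0.2.10"})[0])
```

The third link in the sample is left untouched because its visible text and its href name the same host; multipart messages are passed through unchanged by this example.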
