Educause Security Discussion mailing list archives

Re: URL switching in e-mails


From: Justin Sipher <jsipher () SKIDMORE EDU>
Date: Tue, 3 Jan 2006 16:11:06 -0500

We are looking specifically for non-matching URLs.  Here is a real
example from an e-mail from Palm which I received.

Here is what the message SAYS:

Or you can download software directly to your Treo smartphone
wirelessly, by directing your browser to www.palm.com/mobiledownloads/

(with the URL above being a hyperlink in HTML mail)

Here is what the message shows after we add our insert:


Or you can download software directly to your Treo smartphone
wirelessly, by directing your browser to MailScanner has detected a
possible fraud attempt from "palm.r.delivery.net" claiming to be
www.palm.com/mobiledownloads/

The reason is because the hyperlink behind the URL
www.palm.com/mobiledownloads/ really goes to
http://palm.r.delivery.net/r/r?1.1.E_.81.1UErBj.CFGK4_..N.Cnye.1H8s.3J_XBO

Now if you click on the link it goes to the delivery.net site and
then does an immediate redirect to the advertised URL, which is
www.palm.com/mobiledownloads/.  My guess is that delivery.net is tied
to some mass marketing company and this special URL is triggering
some counter to increase so they can show penetration to the folks at
Palm, maybe for bigger compensation.  I don't fault them for this,
but this is the same technique used in Phishing so we feel an
obligation to let our users know when a URL is not as advertised and
we can't segregate (that I'm aware of) valid deception from that we
don't want.

We are not able to see if the URL behind a link which says go to the
Palm homepage is really a URL to a palm.com address.  So in the cases
where the link is not tied to an advertised URL we don't edit the
message content.

I hope this helps.

Thanks,
...Justin
_______________________________________________________
  Justin Sipher
  Chief Technology Officer
  Skidmore College
  Saratoga Springs, NY
  jsipher () skidmore edu
  518-580-5909
_______________________________________________________

On Jan 3, 2006, at 3:48 PM, David Gillett wrote:

  Does your detector distinguish between "URLs" that are
misleading, and text links?  i.e.:

OK:
  <a href="http://www.goodguy.com">Good Guy Site</a>

Not OK:
  <a href="http://www.badguy.com">http://www.goodguy.com</a>

David Gillett


-----Original Message-----
From: Justin Sipher [mailto:jsipher () SKIDMORE EDU]
Sent: Tuesday, January 03, 2006 11:04 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] URL switching in e-mails

All,

Happy New Year.  I am curious to know how others deal with
this e-mail related issue.  As a part of our process to
protect our user community we do a variety of things from a
SPAM and A/V perspective.
One thing we do is look for "bait-and-switch" URL swapping
which is all too often used for Phishing.  What I mean is
when in an HTML-based e-mail it says one URL but the
associated hyperlink is to a different URL.  Our current
approach is to insert text into the body of the messages to
alert our user to this discrepancy.  The text we insert looks
like this (with fictional URLs in this case).

MailScanner has detected a possible fraud attempt from
"www.bogus.com" claiming to be http://www.real-url.com

We are now getting some push back from users claiming that
this inserted text makes it "beyond difficult" to read the
messages clearly. (please don't laugh)  So, I am asking all
of you if you do similar things or even if you do different
things?  I would be curious to know what is the "standard"
practice within Higher Ed if there is one.  What is happening
is that there are legitimate organizations using this
technique as a part of mass e-mails as I believe it is doing
a simple redirect to the actual URL after it inventories the
fact that the link was clicked on.  Legitimate examples I
have seen of this technique are in the University Business
daily e-newsletter, propaganda from Palm, the Chronicle of
HE/Gartner Symposium announcement, and even an e-mail from EDUCAUSE.

Anyone else looking out for this practice and if so, how are
you addressing it?

Thanks,
...Justin

_______________________________________________________
   Justin Sipher
   Chief Technology Officer
   Skidmore College
   Saratoga Springs, NY
   jsipher () skidmore edu
   518-580-5909
_______________________________________________________
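
The check discussed in this thread, as an added example that is not part of the original messages and is not MailScanner's code: it flags an anchor only when its visible text itself looks like a URL and names a different host than the `href`, and it leaves plain text links alone. The names `find_mismatches`, `LinkAudit` and `host_of`, the exact-hostname comparison, and the shortened tracking path in the sample are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Link text is treated as an advertised URL only when it looks like a host or URL.
URLISH = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#]\S*)?$", re.I)

def host_of(url):
    """Lower-cased hostname; scheme-less text such as 'www.x.com/path' is accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()

class LinkAudit(HTMLParser):
    """Records (advertised_host, actual_host) for anchors whose text is a URL."""
    def __init__(self):
        super().__init__()
        self.href, self.text, self.mismatches = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        shown, actual = "".join(self.text).strip(), host_of(self.href)
        # Plain text links ("Good Guy Site") advertise no URL, so they are skipped.
        if URLISH.match(shown) and actual and host_of(shown) != actual:
            self.mismatches.append((host_of(shown), actual))
        self.href = None

def find_mismatches(html):
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    return parser.mismatches

# Constructed sample body built from the hosts quoted in the thread.
SAMPLE = (
    '<p>Go to <a href="http://palm.r.delivery.net/r/r?id">www.palm.com/mobiledownloads/</a></p>'
    '<a href="http://www.goodguy.com">Good Guy Site</a>'
    '<a href="http://www.badguy.com">http://www.goodguy.com</a>'
    '<a href="http://www.palm.com/support">www.palm.com</a>'
)

if __name__ == "__main__":
    for advertised, actual in find_mismatches(SAMPLE):
        print(f"link text says {advertised} but href goes to {actual}")
```

Because the comparison is on exact hostnames, a click-tracking redirector such as the Palm mailing's is reported the same way as a phishing link, which is the trade-off the thread describes.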


