Interesting People mailing list archives
ACM e-mail looks like Phishing -- again! [RISKS] Risks Digest 24.08
From: David Farber <dave () farber net>
Date: Wed, 26 Oct 2005 19:11:27 -0400
Begin forwarded message:

Date: Tue, 18 Oct 2005 15:08:08 -0500
From: James Garrison <jhg () athensgroup com>
Subject: ACM e-mail looks like Phishing -- again!

The organizations that should know better just don't seem to be learning.

Today I received a request to participate in a survey, titled "New ACM Products/Services Survey" (I am a member of ACM). There were a number of things wrong with it:

1) The "From" address was not an acm.org address.
2) The link to the survey pointed to a site also not in acm.org
3) The survey link included an opaque token
4) The message was not digitally signed

The fact that the from address and link don't point back to acm.org is a classic hallmark of phishing. The fact that the link contained an opaque token marks it as possible e-mail address harvesting. The lack of a signature means it's not possible to validate the message's authenticity.

Actually, come to think of it, items 1 & 2 may ironically point to the message's authenticity. A real phisher would have made sure the reply-to address and displayed link were in acm.org. So this is either genuine or a very incompetent phisher :-)

Unfortunately, this is the third such e-mail I've received from the ACM in the past couple of years. Each time I point out the obvious problems, and get a polite, if miffed-sounding reply. And nothing changes. How hard is it to buy a copy of PGP (or install GPG) and publish a key for this purpose on the ACM's website?

Of all organizations in the world, I would hope that ACM would be leading the battle against e-mail fraud by example, not lagging far behind. Yes, I know key management isn't simple, but you'd think it would be worth the effort for the ACM.

James Garrison, Athens Group, Inc.
5608 Parkcrest Dr
Austin, TX 78731
http://www.athensgroup.com
1-512-345-0600 x150
jhg () athensgroup com
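
Added example (not part of the original message and not ACM's or the list's own code): the four checks listed in the message, applied in Python to a constructed sample mail. The sample message, the vendor.example hosts and the 16-character token heuristic are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit, parse_qsl

# Constructed sample message (the post does not reproduce the actual mail).
SAMPLE = """\
From: ACM Survey <survey@vendor.example>
To: member@example.net
Subject: New ACM Products/Services Survey
Content-Type: text/plain

Please take our survey:
http://surveys.vendor.example/s?id=42&t=9f3c2a7b5d1e4f60a8b7c6d5
"""

def in_domain(host, org):
    """True if host is org itself or a subdomain of it (not a look-alike suffix)."""
    host = (host or "").lower().rstrip(".")
    return host == org or host.endswith("." + org)

def check_message(raw, org):
    """Report the four signals from the post for one raw RFC 822 message."""
    msg = message_from_string(raw)
    from_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    # Body of the first text/plain part (enough for this illustration).
    part = next((p for p in msg.walk() if p.get_content_type() == "text/plain"), None)
    body = part.get_payload() if part else ""
    urls = [urlsplit(u) for u in re.findall(r"https?://[^\s<>\"']+", body)]
    # Assumed heuristic: a query value of 16+ hex/base64-like characters is an opaque token.
    token = re.compile(r"^[A-Za-z0-9_\-+/=]{16,}$")
    signed = (msg.get_content_type() == "multipart/signed"
              or "-----BEGIN PGP SIGNATURE-----" in body)
    return {
        "from_outside_org": not in_domain(from_host, org),
        "links_outside_org": [u.hostname for u in urls if not in_domain(u.hostname, org)],
        "opaque_token_links": [u.geturl() for u in urls
                               if any(token.match(v) for _, v in parse_qsl(u.query))],
        # Presence only; a signature still has to be verified against a published key.
        "unsigned": not signed,
    }

if __name__ == "__main__":
    for name, value in check_message(SAMPLE, "acm.org").items():
        print(f"{name}: {value}")
```

As the message itself observes for items 1 and 2, these signals only describe how a mail looks; only a signature verified against a key the organization publishes establishes authenticity.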