Educause Security Discussion mailing list archives

Re: Phishing Links


From: Pete Hickey <pete () SHADOWS UOTTAWA CA>
Date: Wed, 7 Jul 2010 16:34:01 -0400

The problem with this is why phishing is successful.

MOST people are not fooled.  The people who would go to such a web
site for verification are those who would not be fooled.  It is
the outer edges of the bell curve that are getting caught, and these
people would most likely not visit such a page for verification.


On Wed, Jul 07, 2010 at 08:29:36PM +0000, Flynn, Gary - flynngn wrote:
One of the things I've been mulling about is to post the email to a web site, accessible to the recipients, for large scale communications or anything associated with:


  1.  passwords
  2.  client configuration changes
  3.  finance
  4.  other sensitive transactions

Then it would be a matter of training people to manually browse to the soon to be well known web site to verify any messages associated with those topics. Of course, there would be the overhead of managing the web site but I would think for bulk mail type scenarios, a bulk mailer program could be programmed to:

  1.  Get a list of recipients (since it has to do that anyway)
  2.  Get the message contents (since it has to do that anyway)
  3.  Assign a unique identifier to the message (probably made up of date/time/sender information to make it easy to create and easy for a recipient to look up)
  4.  Post the message contents to a web page using a path making the unique identifier a usable URL
  5.  Alter the access controls to the web page to be accessible only by the recipients (assuming access control is necessary)

The recipient who wanted to verify the message would go to the well known web site, perhaps prominently displayed on a portal, look for the unique identifier in the list of messages, and be able to verify its legitimacy.

The key would be training people NOT to click a link in the message to get to the verification web site and getting people who send messages with sensitive subjects to use the system.



On 7/7/10 2:05 PM, "James Farr '05" <jfarr () UTICA EDU> wrote:

It is hard to educate some users on the difference between legitimate and phony web links in email, and it is easy enough to fake a website. For that reason I would like to propose that no official college communication is sent with an active link in it.

Problems:
Some clients, while trying to be helpful, make links clickable that I do not want clickable.
Links can be inserted as a picture, but not all clients show pictures by default.
We can give directions to a website (in order to check your mail go to our homepage, click on login and select webmail), but some users cannot/will not follow those instructions.

Would this solution cause more harm than good?

What are your thoughts/rules?

IITS will never ask you for your password.  Never email your password to anyone.

James Farr
Information Security Officer
Instructional Technologist
Utica College
jfarr () utica edu <mailto:jfarr () utica edu>
315-223-2386
-- 
Pete Hickey                         
The University of Ottawa            "Everyone knows someone 
Ottawa, Ontario                      who knows someone else"
Canada                            
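The bulk-mailer steps in Gary Flynn's proposal (identifier from date/time/sender, post under that identifier, restrict to recipients) can be sketched as an in-memory store. This is an added illustration, not code from the thread or from any Educause member; the function names, store layout and sample notice are all constructed for it.

```python
import hashlib
from datetime import datetime

# Added example: an in-memory stand-in for the "well known web site". The store,
# the function names and the sample message are all constructed for illustration.
STORE = {}  # message_id -> {"body": str, "digest": str, "recipients": set}


def message_id(sent_at: datetime, sender: str) -> str:
    """Step 3: an identifier built only from date/time/sender, so the sender can
    create it and a recipient can type it in without any link from the e-mail."""
    return f"{sent_at:%Y%m%d-%H%M}-{sender.lower()}"


def publish(store, sent_at, sender, body, recipients):
    """Steps 4-5: post the message under its identifier and record who may read it."""
    mid = message_id(sent_at, sender)
    store[mid] = {
        "body": body,
        "digest": hashlib.sha256(body.encode()).hexdigest(),
        "recipients": {r.lower() for r in recipients},
    }
    return mid


def lookup(store, mid, recipient):
    """What the verification site shows: the posted text, or None when the
    identifier is unknown or the recipient is not on the distribution list."""
    entry = store.get(mid)
    if entry is None or recipient.lower() not in entry["recipients"]:
        return None
    return entry["body"]


def verify(store, mid, recipient, received_body):
    """True only if the text the recipient holds matches what the sender posted.
    A copy with an altered link, or an identifier nobody published, fails."""
    if lookup(store, mid, recipient) is None:
        return False
    return hashlib.sha256(received_body.encode()).hexdigest() == store[mid]["digest"]


# Constructed sample: a bulk notice about a password procedure, sent by "flynngn".
NOTICE = "Password changes: open the portal, choose Account, then Password."
SAMPLE_ID = publish(STORE, datetime(2010, 7, 7, 14, 29), "flynngn", NOTICE,
                    ["alice@example.edu", "bob@example.edu"])
```

A recipient who types the identifier into the site and compares the posted text against the mail they received never has to trust a link in the message itself.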
