Orcmid's Lair

Welcome to Orcmid's Lair, the playground for family connections, pastimes, and scholarly vocation -- the collected professional and recreational work of Dennis E. Hamilton


2004-08-29

 
I'm soberly leafing through an Umberto Eco essay when Spanner Wingnut comes panting up the stairway from the lab, dragging his portable with him.  I say dragging because it is some kind of souped-up Osborne sewing-machine crate running XPSP2 and trailing an extension cord that would have shorted my grandmother's teakettle.

Spanner (who looks more like Mr. Mole every day) peers at me through his bottle-glass spectacles while having some kind of Bob Goldthwait moment. "Look'cheer," he wheezes, pointing excitedly at the display on his rig.

"Stand still and stop drooling on the screen," I remark calmly, wondering if you can short a monitor that way.

Oh,

This is a simulated phish image.  Do you really want to click here?

"Well you twit, you've been spammed and phished," I say knowingly. "At least you don't have an account with that bank.  How often have I had to tell you, Use Protection!"

"No, no, look'cheer" as he elbows me working the trackball,

Find the equivalent of this in your mail reader. You'll love it.

and then ...

Uh excuse me, but if you wouldn't click on the phish, why would you click on this?

well, would you look at that?

"Dunderhead!  You didn't know that?  How do you think teen-agers sneak homework answers to their pals using their parents computers?  Everybody knows about that," I bark, wondering at how the little newt manages to come up with one after the other of these little cuties.

"And pick up that cord neatly.  It looks like the rats have been chewing it."

As Spanner slouches back to his subterranean warren, I wonder if there is a patent attorney available on a Sunday and where can I announce the remarkable von Clueless phish-detector.  First, I need a dated entry in my lab notebook.  Oh, and I bet I can get Orcmid to give me space in exchange for Spanner cleaning up his blog messes.  That's the ticket ...
Comments:
Very interesting, professor ....

But I have some questions:

1. The first image shows the mouse over the link. Does it also do the link thing on other parts of the message image?

2. And does a user have the opportunity to compare the actual link to the one in the message? Or is it really a good job with a spoofed link?

3. Do all mail readers display images inline? This is not a rhetorical question. In my experience with Mozilla Thunderbird (which I've set only to display "simple" HTML (whatever the heck that is)), images appear as attachments. So I don't know what this message would look like in my reader.

And I don't have an answer to your teaser.
 
Hi Bill, interesting questions. Here's what I know about them:

1. The clickable-link cursor (the pointing hand) is the same over the entire image.  I was maybe too clever parking the cursor where I did before taking the screen shot.

2. There is a nest of spoofs.  First, the image provides a picture of a link.  Secondly, if your mail-viewer or browser shows you a link (say, down in the status line of Internet Explorer), it is likely to be the same https link that is in the image.  Third, if you actually click on the image, yet-another-URL may be used, one you haven't been shown.  This seems to take advantage of a glitch in how image maps work.  Fourth, if you do end up going to the hidden phish-hook URL, the page that is ultimately presented will have the address bar and most other window-frame material suppressed, enhancing the deception that the pop-up has something to do with the legitimate page that is brought up by a clever redirection.  Finally, all of this depends on the fact that browsers are very loosey-goosey about the HTML they accept, using malformed-but-accepted HTML to carry out their endeavors.  There was a time when that may have made sense.  It appears that time is now past.

3. The message in my example was a MIME 1.0 message with Content-Type multipart/related.  This is how images, buttons, scripts, and other fragments are bundled together in one payload for your viewing pleasure.  You also don't have to be on-line to view the message properly (I wasn't).  Here's a simple experiment that you can make:  (a) Using Internet Explorer, browse to a page that has images, logos, buttons and other goodies.  (b) Use the File | Save As ... dialog to save the file as Web Archive single file (.mht).  (c) View the saved file in IE (and your other browsers) while off-line.  (d) Then open the file in Notepad or another text editor.  Clever, huh?  Multipart/related is specified in IETF Proposed Standard RFC 2387.

I have materials for creating a complete working (and benign) demonstration of this particular twisty-little-maze of spoofs, but I wanted to quickly point out the simple counter-measure that Edit | Select All provides.  - Prof. H.A.S.v.Clueless, etc.
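The structure described in points 2 and 3 of the reply above, as an added example that is not part of the original post or its comments: a Python script that assembles a benign multipart/related message of the kind Spanner received (a link-wrapped picture of a notice, with an image map whose target differs from the link the status line would show) and then does over the raw message what Edit | Select All does in the reader, counting selectable words against inline images and listing click targets that never appear on any visible link. The addresses, URLs, HTML and image bytes are all constructed for the demonstration; the two heuristics (fewer than five visible words alongside an inline image, and area hrefs absent from every anchor) are this example's own thresholds, not anything the post specifies.

```python
"""Added example, not code from the original post: build a benign message in the
shape the post describes (an HTML part whose only visible "text" is a picture of a
bank notice, wrapped in a link, with an image map that points somewhere else) and
run the textual equivalent of Edit | Select All over it.  Every URL, address and
the image bytes below are constructed for the demonstration."""

from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from html.parser import HTMLParser

# Constructed stand-in for the PNG of a bank notice; only the container matters here.
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64

STATUS_URL = "https://bank.example/secure/login"   # what the picture and the status line show
HOOK_URL = "http://198.51.100.7/cgi-bin/collect"   # where the image map actually sends a click

# The phish: no selectable text at all, one inline image, two different link targets.
PHISH_HTML = f"""<html><body>
<a href="{STATUS_URL}">
<img src="cid:notice" usemap="#m" alt="" width="600" height="400">
</a>
<map name="m"><area shape="rect" coords="0,0,600,400" href="{HOOK_URL}"></map>
</body></html>"""

# A control: an ordinary notice whose text is text and whose link says where it goes.
HONEST_HTML = f"""<html><body>
<p>Your statement for August is ready.  Sign in at
<a href="{STATUS_URL}">{STATUS_URL}</a> to view it.</p>
<img src="cid:notice" alt="bank logo" width="120" height="40">
</body></html>"""


def build_message(html: str) -> bytes:
    """Bundle the HTML and its inline image as multipart/related (RFC 2387), the same
    container a single-file .mht web archive uses, so the message renders off-line."""
    msg = EmailMessage()
    msg["From"] = "security@bank.example"
    msg["To"] = "spanner@example.invalid"
    msg["Subject"] = "Important notice about your account"
    msg.set_content(html, subtype="html")
    msg.add_related(FAKE_PNG, maintype="image", subtype="png", cid="<notice>")
    return msg.as_bytes()


class SelectAllParser(HTMLParser):
    """Collect what Edit | Select All would highlight: visible text, inline images,
    and every link target, whether on an <a> or tucked into a <map>/<area>."""

    def __init__(self):
        super().__init__()
        self.words, self.images, self.anchor_hrefs, self.area_hrefs = [], [], [], []
        self._skipping = 0  # depth inside <script>/<style>, whose text is never visible

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._skipping += 1
        elif tag == "img":
            self.images.append(a.get("src", ""))
        elif tag == "a" and a.get("href"):
            self.anchor_hrefs.append(a["href"])
        elif tag == "area" and a.get("href"):
            self.area_hrefs.append(a["href"])

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skipping:
            self._skipping -= 1

    def handle_data(self, data):
        if not self._skipping:
            self.words.extend(data.split())


def analyze(raw: bytes) -> dict:
    """Parse a raw message and report the two tells: text that is really a picture,
    and click targets that differ from the link the reader was shown."""
    msg = message_from_bytes(raw, policy=default)
    body = msg.get_body(preferencelist=("html",))
    p = SelectAllParser()
    p.feed(body.get_content() if body is not None else "")
    inline = [src for src in p.images if src.lower().startswith("cid:")]
    return {
        "visible_words": len(p.words),
        "inline_images": len(inline),
        # Select All would light up a picture and nothing else (threshold is ours).
        "picture_of_text": bool(inline) and len(p.words) < 5,
        "anchor_hrefs": p.anchor_hrefs,
        # Targets reachable by clicking that never appear on any <a>.
        "hidden_hrefs": [h for h in p.area_hrefs if h not in p.anchor_hrefs],
    }


if __name__ == "__main__":
    for label, html in (("phish", PHISH_HTML), ("honest", HONEST_HTML)):
        print(label, analyze(build_message(html)))
```

Run it and the phish reports `picture_of_text` as True with `HOOK_URL` as a hidden target, while the honest control reports thirteen selectable words and no hidden target. The bytes `build_message` returns are, apart from the mail headers, the same MIME container that Internet Explorer's "Web Archive, single file" (.mht) save writes out, which is why the experiment in point 3 ends with a file Notepad can read.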
 

created 2002-10-28-07:25 -0800 (pst) by orcmid
$$Author: Orcmid $
$$Date: 04-11-25 22:45 $
$$Revision: 3 $
