| | | Effective PR

Phishing, drive-by downloads and more: the simplest solution

Nigel Morris-Co...

It's not rocket science. Ever since (I think) 1998 when the BBC's lawyers blocked an explanation I gave to BBC TV on how the nature of HTML facilitates on-line fraud (the feared that it would increase the number of criminals using it) criminals have, indeed, used certain features of HTML to hide what they are up to and ordinary people have lost many millions of dollars and have suffered innumerable attacks on their computers simply because of one, very simple, trick, writes Nigel Morris-Cotterill

It amazes me that no few people have any idea what goes on under the covers of that pretty e-mail or webpage you see.

The item that the BBC's lawyers blocked was when a current affairs team recorded me creating a fake web page for a UK bank using a simple technique known as "in-line images."

In line images are at the heart of so much that is regarded as credible.


That's the image from the USA's White House website, the official website of the US President.

It took me less than 30 seconds to locate the image on the web, copy its location and insert into this page the code that now means that every time someone loads this page, the White House logo appears on their screen. (And before the White House moans that I've used it, it's fair use under the USA's own statute). That image is not linked to anywhere.

But what if, as has happened to many banks, for example, the logo appeared but was linked to a website containing illegal content. Or malware. Or an invitation to enter your account details including username and password. It happens, as the frequent announcements from regulators around the world shows. Indeed, it even happens that regulators' identities are replicated as part of a fraud.

HTML facilitates that by the use of the a href tag. It looks like this:

When the page is displayed in a browser, what you see is the logo, just like that for The White House. This code turns that static logo into a link. When you click on that link, you are taken to whatever address has been entered in the "target website" part of that code. It follows, then, that it would be the work of moments for me to insert the logo of The White House and an address for, say, an offensive website as the target.

When so-called "Rich Text" email was introduced, the effect was to turn the preview window in e-mail clients (that's the e-mail program on your PC, etc) into a web browser. The vast majority of e-mail clients were modified, not only to allow acceptance of HTML mail but to do it by default.

That allowed criminals to insert the same code into an e-mail as they could in a webpage and that allowed them to produce apparently legitimate mail containing the logos of banks, etc. It also, equally dangerously, allowed them to insert text that looks like a link to one site but in fact takes you to another.

This would display, on screen in a webpage or in html mail the address of my personal website but clicking on it would bring you to Please Be Informed.

Browser and e-mail developers have tried to address the problem by putting a "status bar" message that shows the actual address when a user hovers over it. That makes two broadly false assumptions: first that users bother to look at the status bar at all and secondly that even those that do are likely to look at it before the moment they click the link because their brain is already conditioned to believe it.

There are simple things that can be done: the first is that all e-mail clients should be set to accept text only. There are thousands of posts across the internet telling you how to include HTML in e-mails to the best effect. I've not been able to find one that explains, in simple terms, how to strip out html from mail at server level: that is always left to the mail client, even if the mail client is a web-based interface to the mail server. There is a brutal solution: the mail server rules can be set to return to sender all mail containing the text strings that convert plain text to html or to reject mail containing certain html tags (e.g. the img or a href tags).

In recent months, after a reduction in html mail, we have seen a dramatic increase in companies sending out important information in html only or in mails containing a link to a webpage. Some companies, when requested to send mail in plain text, say that they have no capability to do so. That's a lie but let's leave that dishonesty on one side for now.

The reason they send out mail in HTML is the same as the reason criminals do it: people buy pretty.

The information is the same, regardless of the format. But marketing people take the view that pretty sells and so pretty it is, including in e-mails.

Yes, an e-mail that is genuinely from a company is unlikely to be a threat but that's not the point. The point is that there are so many threats, ranging from viruses to credit card fraud and everything else in between, that it is irresponsible to force people to allow HTML mail to be viewed when all sensible security measures say to block it.

Let's put it at its simplest: what if that link took you to a website with depraved images of child pornography? Of course, you would immediately click out of it. But your computer has reacted faster than you and it has downloaded images that you didn't even see. If there was an investigation of your computer, those images would be there, stored, waiting to end your career and send you to jail.

The industry has failed to act on these warnings and it's time for governments to take action to require that all mail must be sent in plain text unless the recipient expressly (and independently of all other consents) agrees to accept HTML mail. E-mail client providers must be required to distribute their products with plain text readers only and for HTML readers to be available only as an add on which can be authorised only by the computer's administrator.

Nigel Morris-Cotterill is author of "Cleaning up the 'Net - An Action Plan to combat the use and abuse of the internet for financial crime." See https://www.antimoneylaunderin... (yes, that is the real link)

---------------- Advertising ----------------

World NomadsTravel Insurance | | Singapore Airlines