phishing - html and redirect

Status
Not open for further replies.
Question for HTML experts.

If I see a link in a suspect email and I mouseover and see it goes to www.ibm.com/xxxxxxxxxxxxx

Can someone code a redirect in the xxxxxxxxxxx portion and make this go to a bogus website?

Or if what is to the left of the "/" is legitimate, then nothing can be coded to the right of the "/" and make it go to a bogus website?

At work we are given education that says to mouse over and see if the link looks legitimate.
 
I'm not an expert in HTML, but this address doesn't look legit at all. That's a disguised URL, or something. It could have a file or program with the ending (*.exe) embedded there. It doesn't want you to know what's in there.
 
Originally Posted By: Ohle_Manezzini
I'm not an expert in HTML, but this address doesn't look legit at all. That's a disguised URL, or something. It could have a file or program with the ending (*.exe) embedded there. It doesn't want you to know what's in there.


The "xxxxxxxxxxxxxxxxxxxx" on the right side of the "/" is meant to indicate anything on the right side.

www.ibm.com is a valid website.
 
No.
Of all the financial benefit a hacker could garner from compromising ibm.com, outbound redirection of visitors is at the bottom of the list.
 
The question is if your click actually goes to the address shown in the mouseover.

I would be concerned if what you think you were clicking goes to that address.
If you are paranoid, if you type in the address, and not click and not copy-paste, that would be safer.
 
Watch the dots.

Code:
www.ibm.login.com
is not the same as
Code:
www.ibm.com


(In the above example, it will go to login.com, not ibm)

I don't like the hover; I copy and paste the embedded url into a new text document. That way you will see the entire url, even if it's miles long, which is often the case if they are targeting you ...it allows a unique identifier, which they use for further attempts, to mark you as a responder which makes your email address valuable to re-sell, and so on. All bad things, basically unless you trust the sender completely.

Personally, I don't trust any url in any eMail message. If I use it, it will be totally benign (a link to a recipe from a cooking website, maybe). If I have any doubt whatsoever, I copy and paste the url so I can examine it. If that doesn't satisfy me one thousand percent, I type in the url directly in the browser for whomever it's purported to be from (bank, Paypal, etc).

If I determine the message is a phishing attempt, I forward it, with raw headers, to the relevant people (eg paypal, amazon, law enforcement, etc) so they can try to have the site shut down (doesn't always work, some hosts don't care about criminals but some do, so it's worth the effort which is minimal).

I always set my eMail app to display plain text only. You should too. There will always be a button to display the html version so you don't "lose" any functionality. What you do lose is they cannot exploit the web bug to give them a read receipt the second you view the message. That makes your eMail address more valuable for reselling and guarantees you will get an ever increasing mound of spam FOR THE REST OF YOUR LIFE. Sorry for yelling, but it needs to be shouted.
 
Originally Posted By: DrRoughneck
No.
Of all the financial benefit a hacker could garner from compromising ibm.com, outbound redirection of visitors is at the bottom of the list.


With any site that requires a login (like ibm dot com for a support ticket) there is value in gaining your login credentials, as most people re-use them. So they can try them at paypal (for example) and in many cases, it works.

Any leak of your personal data, regardless of where it comes from, is possibly dangerous. Don't underestimate the value of a redirect from ibm (or some other seemingly innocent site) to a crook's phishing domain.

And anytime you click on an eMail you are marking yourself (or that eMail address) as someone who read that message, which probably means you are someone who reads messages in general. That makes your eMail address valuable to re-sell. It's going to be part of a list of tens or hundreds of thousands of others but the point is more is coming your way because no-one is going to pay money for a list they don't use. And that's the most benign consequence; it can be worse.

There is no such thing as a benign spam or phishing message. Period. Your only defence is to not open it at all (which can be hard, some eMail applications will open messages if you only mark it for deletion, for example) or only open it in plain text, which does not reveal you read it and has fewer misleading elements, although note I did not say "no misleading elements".
 