
October 10, 2011 09:25 by DaveB
I was looking at two fake e-mails today -- one from someone purporting to be Trion (Rift) who spelled World with two V's, and another pretending to be Blizzard. While the e-mail was caught, I saw a heuristic that is so simple -- that I can't believe it's not already implemented.
So there's this link, right? And it's an anchor element in the HTML version of the message. Now here's the check:
Does whatever is inside the anchor look like a URL?
See, what they're doing is putting the real URL as the text in the anchor (http://battlebazaar.net), but then putting a different URL (http://battlebazaar.net.x=some-other-site.someother-tld.fake/string-o-garbage) in the href of the anchor. This makes it so the URL shown in the e-mail is the real one, and when you click, the real hostname is also what's displayed leftmost in the address bar. Now, I've previously stated that web browsers should provide a separate box for the host, domain and path -- because doing so would greatly help with the phishing problem (most people don't understand how the hostname or path work -- those are just magic values -- so split them off so that the part they *do* generally understand is visible).
But what I'm going to say is this. There should never be a time, ever, where there's a URL pattern as the text of a link and clicking that link takes you anywhere other than where the text says. And so any message that ever has that pattern (an anchor element whose text is a URL pattern -- http://whatever, www.whatever, etc. -- and whose href doesn't match) should be deleted automatically. That simple step would go a long way (and splitting the address bar into three pieces -- host, domain and path as three separate bars -- would help even more).
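As an added illustration (not code from the original post), here is a Python version of the check described above: parse the HTML body of a message, collect every anchor, and flag those whose visible text looks like a URL but whose href points at a different host. The sample message and the hostnames `evil.invalid` and `example.com` are constructed for the demo; the mismatched battlebazaar.net link is the one quoted in the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible anchor text that a reader would take for an address:
# "http://...", "https://..." or a bare "www...." with no whitespace inside.
URL_TEXT_RE = re.compile(r"^\s*(?:https?://|www\.)\S+\s*$", re.IGNORECASE)
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def _host(url: str) -> str:
    """Hostname of a URL or URL-like string, lower-cased, leading 'www.' dropped."""
    url = url.strip()
    if not SCHEME_RE.match(url):
        url = "http://" + url          # bare "www.example.com" text has no scheme
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the document."""

    def __init__(self) -> None:
        super().__init__()
        self._href = None              # href of the anchor currently open, if any
        self._text = []
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:     # text inside the open anchor (nested tags included)
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text)))
            self._href = None


def mismatched_anchors(html: str):
    """Return [(visible_text, href)] for anchors whose text is a URL pattern
    but whose href resolves to a different host than that text names."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    flagged = []
    for href, text in parser.anchors:
        if not URL_TEXT_RE.match(text):
            continue                   # "Click here" style links are not judged here
        if _host(text) != _host(href):
            flagged.append((text.strip(), href))
    return flagged


def should_quarantine(html: str) -> bool:
    """The post's rule: any message containing such a mismatch is dropped."""
    return bool(mismatched_anchors(html))


# Constructed sample body; the first link reproduces the pattern from the post.
SAMPLE = """
<p>Your account needs attention. Log in at
<a href="http://battlebazaar.net.x=some-other-site.someother-tld.fake/string-o-garbage">http://battlebazaar.net</a></p>
<p>Help: <a href="https://example.com/help">https://example.com/help</a>,
or <a href="http://example.com/login">Click here</a>,
or visit <a href="http://evil.invalid/">www.example.com</a>.</p>
"""

if __name__ == "__main__":
    for text, href in mismatched_anchors(SAMPLE):
        print(f"MISMATCH: text={text!r} href={href!r}")
    print("quarantine:", should_quarantine(SAMPLE))
```

The comparison is on hostnames only (with a leading `www.` ignored), so `https://example.com/help` shown as text and sent to `http://example.com/help` is not flagged; anything stricter would create false positives on legitimate tracking redirects within the same domain, anything looser would miss the lookalike host the post describes.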