HTML Email is Evil


When checking email this morning, I discovered an attempt at phishing that was clever, but I knew it was phishing because I have Outlook 2003 set to read my email in plain text only. This was the first phishing email I've seen with this sophisticated a piece of social engineering. The message made it look as if I had been outbid on eBay and asked me to log on. I'm assuming the purpose was to get my eBay and PayPal passwords. There were legitimate links to eBay, but buried within the HTML email code was a link to a bare IP address. A quick whois on that IP address revealed it is allocated in Romania; imagine that.

Notice the screen capture to the right. This is how that message appeared to me. Notice the clues giving away this message as a phishing scam. First, notice that when Outlook renders the message as plain text, the link text is different from the URL it actually points to. If you don't know what I mean, think of it this way. In HTML, a link's visible text can be any words I choose, even though the actual URL (or Web address) must follow a specific format, such as http://www.somesite.com. For example, if I sent you an HTML email that gave you a link to this site, I could write it in two ways. The first way would simply show the actual URL as the link text: http://www.mkanderson.com. The other way is to type some text and hide the actual URL behind it: Click here to go to MK Anderson.

What Outlook 2003 does, when set to view mail in plain text, is show both the link text and the actual URL. A trick of phishers is to make the link text look like a real URL, when in reality the link goes to a fake server. See how the link text makes it look like it goes to eBay, but the actual target is 81.196.121.136, the Romanian server.
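To make the point concrete, here is an added example (not code from the original post) that does in a few lines what a plain-text client does for you: it pulls every link out of an HTML body, prints the visible text next to the real target, and flags the two tells the post describes, a bare IP address as the target and link text that reads as one site while the href goes to another. The HTML body is constructed for the example in the style of the eBay message above; the mismatch heuristics are my own and are not Outlook's logic.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Constructed sample body: link text shows an eBay address, the href goes to
# the bare IP the post mentions; the other two links are consistent.
SAMPLE_HTML = """
<p>You have been outbid on item #12345. Sign in to bid again:</p>
<p><a href="http://81.196.121.136/ebay/signin.php">http://signin.ebay.com/ws/eBayISAPI.dll</a></p>
<p>Questions? Visit <a href="http://pages.ebay.com/help/">eBay Help</a>.</p>
<p><a href="http://www.ebay.com">http://www.ebay.com</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Lowercase hostname of a URL, or '' if the URL has none."""
    return (urlparse(url).hostname or "").lower()


def is_ip_host(host):
    """True if the host part is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def looks_like_url(text):
    """True if the visible link text itself reads as a web address."""
    return text.lower().startswith(("http://", "https://", "www."))


def render_plain(html):
    """Show each link the way a plain-text client does: text <actual href>."""
    parser = LinkCollector()
    parser.feed(html)
    return [f"{text} <{href}>" for text, href in parser.links]


def check_links(html):
    """Return (text, href, reasons) for every link that deserves suspicion."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        reasons = []
        href_host = host_of(href)
        if is_ip_host(href_host):
            reasons.append("target is a bare IP address")
        if looks_like_url(text):
            # Treat "www.example.com" as a URL so urlparse can find its host.
            text_host = host_of(text if "://" in text else "http://" + text)
            if text_host and text_host != href_host:
                reasons.append(f"text shows {text_host} but target is {href_host}")
        if reasons:
            findings.append((text, href, reasons))
    return findings


if __name__ == "__main__":
    for line in render_plain(SAMPLE_HTML):
        print(line)
    for text, href, reasons in check_links(SAMPLE_HTML):
        print(f"SUSPICIOUS: {text!r} -> {href}: {'; '.join(reasons)}")
```

Run against the sample, only the first link is reported, for both reasons; the "eBay Help" link is plain words pointing at an eBay host, and the last link's text and target agree. The check is deliberately narrow: it catches the specific trick the post shows (URL-shaped text over a different target) rather than trying to decide whether any given domain is trustworthy, which no parser can do for you.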

There are some things you can do to combat phishing. The first is if you ever receive ANY kind of account notification, never, never, never click the link in the email itself. Instead, open your browser and type the address for your bank, or eBay, or PayPal and log in to your account that way.

The next thing you can do is read email only in plain text. I have friends who hate this suggestion. They want graphical signatures with their logos or smileys at the bottom of each email. They want bulleted lists and bold, colored text in the email. I would argue that those things are not important when compared to opening yourself up to identity theft.

Outlook 2003 is the first client from Microsoft that can be set to show only plain text. There are plug-ins for Outlook Express that do the same thing. In addition, you can use other mail clients like Eudora or Thunderbird. The point is that HTML email leaves you open to more phishing and spyware than plain text does.

HTML email is one of those things that falls under the category "Just because you can, doesn't mean you should."


Comments

  1. MuseumChick says:

    Re: HTML Email is Evil
    Not true, *****. Your snail mail can be read also by someone else but that's no reason to go back to using the typewriter. It's not at all hard to figure out these phishing schemes unless it's an elderly person and an elderly person won't pick up on what you just said anyway. What people should know is that your bank, paypal, ebay, etc will never send you an e-mail asking for your account # or passwords. HTML e-mail is by far better than plain text. It is easier to read and much more expressive. Which is, of course, *****, our business.
