Another Tedious Rant on HTML-Styled Email

Our college is moving toward using the now-common practice of sending HTML-styled email as newsletters from Departments to keep alumni and others up-to-date on current events. I expressed resignation about this practice and was asked to clarify what I was objecting to. Here's what I wrote:

It's the idea of sending HTML-formatted email. This has become a common practice, and companies like MailChimp and ConstantContact encourage people to do it because you can collect metrics: they put web-bugs in the email and replace your links with tracking links, which let you estimate how many people opened the email or clicked on links. That is very persuasive to people looking for ways to measure the impact of communications. But a primary way people get compromised is by getting an email that *looks* like it came from your bank or retailer -- or college/university -- with links that install malware or lead you to disclose your login information. These links are easier to detect if you're making a decision based on the URL, but email programs like Outlook or Mail.app (especially the versions on the iPhone and iPad) make it difficult or impossible to inspect URLs before clicking on them. And they load URLs (for graphics, stylesheets and web-bugs) that disclose information even if you only open the email.

When people ask me about security, I always tell them to set their email client not to display HTML email, and not to click on links unless they've looked carefully at the URL and made sure it's going where they think it is. So, for example, when I get an email with a link that claims it's going to "The College of Natural Sciences", but is actually:
http://www.alumniconnections.com/links/link.cgi?l=5605708&h=260505&e=UMS...
I don't click on that link. It's probably OK -- it is from the CNS newsletter in April. But if I click on it, I'll disclose information that perhaps I don't want to disclose. And I don't know anything about "alumniconnections.com". If I want to go to a page at CNS, I'll go to the CNS site and find it, thank you very much.

Sorry for the long answer. As I say, this has simply become an accepted practice in marketing -- and I expect they have the metrics to show it works. :-/ But from a security standpoint, it's a disaster. It gives malicious entities a style sheet for how to make an email that *looks* like it was sent from the institution. And it trains your end-users to click on insecure links in email. So although these techniques may work for you, they will work for the bad guys too.
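The two checks described above (where a link really goes versus what its text claims, and which remote resources an HTML email fetches when opened) can be automated. The following is an added example, not code from the original post; the domain names and the sample message body are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
class MailLinkAuditor(HTMLParser):
    """Collects each <a href> with its visible text, plus every remotely loaded <img src>."""
    def __init__(self):
        super().__init__()
        self.links, self.remote_images = [], []  # (href, text) pairs; image URLs fetched on open
        self._href, self._text = None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and (a.get("src") or "").startswith(("http://", "https://")):
            self.remote_images.append(a["src"])
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def audit_email(html, trusted_domain):
    """Return (kind, visible_text, host) findings: http(s) links leaving trusted_domain,
    link text that shows a URL disagreeing with the real target, and remote images."""
    parser = MailLinkAuditor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        if url.scheme not in ("http", "https"):
            continue  # mailto: and similar are out of scope here
        host = (url.hostname or "").lower()
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and shown.group(1).lower() != host:
            findings.append(("text-target-mismatch", text, host))
        elif host != trusted_domain and not host.endswith("." + trusted_domain):
            findings.append(("offsite-link", text, host))
    for src in parser.remote_images:
        findings.append(("remote-image", "", (urlparse(src).hostname or "").lower()))
    return findings
# Constructed sample (not a real newsletter): a tracking-redirect link, an in-house link, a link whose shown URL differs from its target, and a 1x1 web bug.
SAMPLE_EMAIL = """
<p><a href="http://www.alumniconnections.com/links/link.cgi?l=1&amp;h=2&amp;e=EXAMPLE">The College of Natural Sciences</a></p>
<p><a href="https://college.example.edu/news">Read the latest news</a></p>
<p><a href="http://login.example.net/">https://college.example.edu/login</a></p>
<img src="http://tracker.example.net/open.gif?id=CONSTRUCTED" width="1" height="1">
"""
```

Running `audit_email(SAMPLE_EMAIL, "college.example.edu")` flags the tracking-redirect link, the link whose displayed URL disagrees with its real host, and the tracking image, while the genuine in-house link passes.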