
Phishing has a few basic conceptual problems which no one seems to want to address:

  - You don't need to really be "fooled" by phishing. Not in the real sense. You just need to be tired one morning and click without looking. Even if you know how to check for phishing, you might need to click on content from 10s to 100s of emails per day. Scale this out to 1 year, and even the most educated among us can fail due to an honest mistake which we otherwise could have prevented.

  - Part of the problem is just that a normal workflow is: receive email --> click on URL --> enter credentials into 3rd party website. ie, this is intentional and valid behavior for most white collar workers on a daily basis. This behavioral pattern is why phishing works, and in reality, email should not be a vector for this path. Until companies and technologies stop assuming this makes sense, phishing will continue to be successful.


> - Part of the problem is just that a normal workflow is: receive email --> click on URL --> enter credentials into 3rd party website. ie, this is intentional and valid behavior for most white collar workers on a daily basis.

Here's a crazy history of that happening...

I had a friend who was an employee of a Fortune 100 corporation. Part of employee training was not to click on links in emails. In the 1990s and the rise of the internet, they had an internal security "red team" periodically send fake phishing emails to employees. If the employee mistakenly clicked on a link in that email, the red team would send a notice to the employee's manager. It worked well because employees would not want to be embarrassed by a manager having to review the security policy with them to get their access back.

When she retired, all that training became useless and she was phished by a fake AT&T email. Why? Because with the rise of smartphones, every _legitimate_ company started sending emails that had useful tappable links. With the touchscreen, you can't hover your finger over the link to see what the underlying url is. People just normalize pressing on links in transactional emails as a convenient thing to do. E.g. Amazon sends an email with a link to the order status. A legit bank will send an email with a link for "Please review your security setting."

Smartphones reversed 15 years of not clicking on email links.


The first company I worked for as a developer was like this, except worse.

We got hit with some Christmas virus. One of the devs was talking about how he had mistakenly clicked on the link, but nothing happened. We were at lunch and suddenly were all looking at each other like, "Dave, this isn't good!" and told him to call support because we had all seen the emails from security to not click on any links in emails because so many of these were making the rounds.

They took his laptop, reimaged it and gave it back to him. The funny part was the Outlook team disabled any links in any emails he got from then on. Not sure how they did it, but if you wanted to send him a link, you had to send it to his personal email or over one of his social media accounts. Any time he got a link, if it was for business, he would have to call support, open a ticket and then an hour later, they would send him the link to open.

It drove the guy nuts. He asked repeatedly to have them enable the links, but they basically told him once you were on the list, it was for good. He quit after four months and said one of the most infuriating things was security never allowing him to get off of the "naughty" list.


That is both diabolical and hilarious, it must be absolutely maddening. No wonder he quit.


  > if you wanted to send him a link
Wait... why was no one just sending the link as plain text? So he could just copy paste? Or like news[dot]ycombinator[dot]com/item?id=45532515

I guess this also begs the question why email clients don't have an option to dereference links or convert them to plain text? Like

  Click here for your HN comment
               |
               v
  [Click here for your HN comment](https://news.ycombinator.com/item?id=45532515)
I mean at the end of the day links are a formatting thing, right? I know it doesn't solve url shorteners, but then url shorteners become suspect, at least until some internal person starts being dumb and suggesting them because urls are way too long[0].

[0] but this also mostly seems solvable if we are okay with redirects and temporary info being passed in the link. Redirects might be an issue, but at least getting redirected from an official site is better than getting redirected from some shortening service. Maybe a big part of the problem is how we've bundled in so much tracking info...[1]

[1] Which it's not like we haven't seen phishing links like https://ImALegitsite.conn.ImAnEvilSite.com
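The two ideas in this comment, showing the real target next to the link text and treating a legitimate name buried in a look-alike host as suspect, can be demonstrated in a small parser. This is an added example, not code from the thread; it rewrites each anchor of an HTML message body into Markdown-style `[text](href)` and records two findings: visible text that itself looks like a URL but points to a different registrable domain, and a trusted brand name appearing only as a subdomain of some other registrable domain. The "last two labels" rule for the registrable domain is a deliberate simplification (a real implementation would consult the Public Suffix List), and the domain names in the test input are constructed.

```python
"""Flatten HTML e-mail anchors to plain text with the destination visible,
and flag text/href mismatches and look-alike hosts.

Added example (not from the thread). Registrable-domain logic is simplified
to the last two labels; use the Public Suffix List for real deployments.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s]+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    # Simplification: last two labels (evil.example for a.b.evil.example).
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


class LinkFlattener(HTMLParser):
    """Collects body text, replacing <a href>text</a> with "[text](href)"."""

    def __init__(self, trusted_domains=()):
        super().__init__()
        self.parts = []          # output text fragments
        self.findings = []       # (kind, detail, href) tuples
        self._href = None        # href of the anchor currently open, if any
        self._text = []
        self.trusted = {d.lower() for d in trusted_domains}

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
        else:
            self.parts.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            self.parts.append(f"[{text}]({self._href})")
            self._check(text, self._href)
            self._href = None

    def _check(self, text: str, href: str) -> None:
        href_host = host_of(href)
        href_dom = registrable_domain(href_host)
        # Finding 1: the visible text is a URL, but its domain differs from
        # where the link actually goes.
        m = URL_RE.search(text)
        if m and registrable_domain(host_of(m.group(0))) != href_dom:
            self.findings.append(("text-href-mismatch", text, href))
        # Finding 2: a trusted brand label appears in the host, but the
        # registrable domain is someone else's (brand.conn.evil.example style).
        for trusted in self.trusted:
            brand = trusted.split(".")[0]
            if brand in href_host.split(".") and href_dom != trusted:
                self.findings.append(("lookalike-host", trusted, href))

    def result(self) -> str:
        return "".join(self.parts)


def flatten_links(html: str, trusted_domains=()):
    """Return (plain_text, findings) for an HTML fragment."""
    p = LinkFlattener(trusted_domains)
    p.feed(html)
    p.close()
    return p.result(), p.findings


if __name__ == "__main__":
    # Constructed sample body; the look-alike host is made up.
    body = ('<p>Click <a href="https://news.ycombinator.com/item?id=45532515">'
            'here for your HN comment</a>.</p>'
            '<p><a href="https://ImALegitsite.conn.ImAnEvilSite.com/login">'
            'https://ImALegitsite.com/login</a></p>')
    text, findings = flatten_links(body, ["ycombinator.com", "imalegitsite.com"])
    print(text)
    for kind, detail, href in findings:
        print(f"{kind}: {detail} -> {href}")
```

Running the block on the constructed body prints the flattened text and two findings for the second link (a text/href mismatch and a look-alike host), and none for the genuine HN link, which is exactly the "make the link a formatting thing" behaviour the comment wants from a mail client.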


Re: the receive email -> click URL -> enter credentials.

We need SSO to stop being gated behind enterprise tiers. SSO tax is real, and can help solve this problem. I've moaned about this before as the leader of an IT team for a medium-sized company reliant on a lot of SaaS.

Enterprise plans are too much (both in terms of cost and features) for us, but we are smart enough to have security requirements and one of those is SSO & SCIM. Very few SaaS offers that on anything but the most expensive "call for quote" tiers. That's a huge problem.

That whole email invite->click link->enter credentials workflow is gone with proper SCIM provisioning and SSO. It's the bare minimum a SaaS product should offer and should be on the lowest available tier.

The other problem is services like DocuSign, which offer free trials that are abused to send out fake documents. User gets a legitimate email from DocuSign's domain, clicks on it, opens up a real document in the real DocuSign site, but the doc has a link to the phishing site.

All DocuSign needs to do is require a CC for the trial or contacting sales for a trial, problem solved. But they don't, so as far as I'm concerned they are complicit in enabling phishing.


Unfortunately, SSO often gets half-assed as a compliance exercise, and now you have to enter your SSO username/password and your MFA token in random places a dozen times per day.


We actually force reauthentication on some services tied to our SSO. Just authenticated to the main page? Screw you, enter your credentials some more.

It’s more secure this way.


The fact that your employer might direct you to a URL that doesn't look like their normal domain (or through some kinda link shortener so you can't see it without clicking) for legitimate reasons basically undoes all security yeah. Why can't security teams focus on correcting those parts?


The normal workflow is so ingrained in our company culture, that I received an email from our IT team about not clicking on embedded links, and that email had an embedded link to "learn more". ;-)


Maybe that was a test.


I thought so too, but no, it wasn't.


I’m somewhat surprised that enterprise email solutions still allow links… like, at all, in general.

The servers should scan emails for links and not allow them. If a link somehow slips through, the client should not render it as something you can click on and follow.

On work machines where everything is managed by IT, there shouldn’t be any need to send links around anyway. If anyone thinks they need to send a link around as an ongoing process, then that’s the sign that the process still needs to be designed.


>I’m somewhat surprised that enterprise email solutions still allow links… like, at all, in general.

Completely agreed, and I think it's telling that so few email clients or webmail services actually allow you to always render as plain text.


This sounds quite short sighted to me. You can’t imagine needing links being sent in everyday workflow at the office, yet I can’t imagine not using links in emails.

How would people interact with vendors and salespeople that send links to product specs, troubleshooting articles, etc?


If it is a vendor you are buying hardware from, they could send a part number, for example. The workflow should be go to their site, and search it up.

I don’t think it is short-sighted. Actually, I think if it has a flaw it is the opposite one. Workflows that involve mailing around links are convenient for quick little in-the-moment thrown together actions. It’s liberating. I’ve done it too, sure. But, in the long run everything should be integrated somehow or another and sending links should not be necessary. One might say it is ridiculous to expect every process to reach that end state. Possibly true, but it is a good goal…


In general, if a program is not a Web browser, I do not want that program getting clever with displaying a URL as an active link. Just show it as the URL, https prefix and all, so I can see where it will be taking me if I copy it into the browser. (This is one of my very few gripes with Google docs.)


I don't know how exactly IT at work did it, but all links in emails (except some internal links) get replaced with a link to a URL 'checker', I guess to block if the link goes to a known phishing domain (I guess, I don't think any link got blocked that way). Issue is, the original link is part of the URL and sometimes got mangled and it's annoying when you just want to copy the link to paste it somewhere else.
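The rewrite-to-a-checker scheme this comment describes, and the mangling it complains about, come down to how the original URL is carried inside the gateway URL. The following is an added example, not any vendor's code: `linkcheck.example` is a placeholder gateway, `.corp.example` a placeholder internal suffix, and the vendor URL in the test is constructed. It contrasts a naive rewrite, which loses everything after the first `&` or `#` of the original once the gateway parses its query string back, with a rewrite that percent-encodes the original as a single query value and round-trips intact.

```python
"""Safe-links style rewriting of outbound hrefs, shown with the encoding
mistake that mangles copied links.

Added example; gateway and internal domain names are placeholders.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

GATEWAY = "https://linkcheck.example/"      # placeholder checker endpoint
INTERNAL_SUFFIXES = (".corp.example",)        # placeholder internal domain


def rewrite_naive(url: str) -> str:
    # Wrong: '&' and '#' inside the original URL are interpreted as part of
    # the gateway URL's own query string and fragment.
    return f"{GATEWAY}?u={url}"


def rewrite(url: str) -> str:
    # Correct: percent-encode the original URL as one query value (urlencode
    # uses quote_plus, so '/', '?', '&' and '#' are all escaped).
    return f"{GATEWAY}?{urlencode({'u': url})}"


def recover(gateway_url: str) -> str:
    """What the checker sees as the original URL after parsing ?u=...;
    parse_qs decodes the percent-encoding applied by rewrite()."""
    query = urlsplit(gateway_url).query
    return parse_qs(query).get("u", [""])[0]


def is_internal(url: str, suffixes=INTERNAL_SUFFIXES) -> bool:
    # Match the host as a whole label suffix, never as a substring, so
    # corp.example.evil.example is not treated as internal.
    host = (urlsplit(url).hostname or "").lower()
    return any(host == s.lstrip(".") or host.endswith(s) for s in suffixes)


def rewrite_href(url: str) -> str:
    """Leave internal links alone, route everything else via the checker."""
    return url if is_internal(url) else rewrite(url)


if __name__ == "__main__":
    # Constructed sample: a vendor link with both a query string and a fragment.
    original = "https://vendor.example/doc?id=7&lang=en#section-2"
    print("naive  :", recover(rewrite_naive(original)))   # truncated at '&'
    print("encoded:", recover(rewrite(original)))         # intact round trip
    print("internal untouched:", rewrite_href("https://wiki.corp.example/page"))
```

The practical takeaway for whoever runs such a gateway is that the original URL must survive a decode-and-compare round trip; a test like the one in the block, run over a sample of real rewritten links, catches the truncation before users do.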


Many corporations do have systems that click every link in inbound emails to check them, I assume against huge lists or heuristics of suspicious domains. Not too different from “endpoint security” solutions that check every link you click in a browser.


Exchange ought to have the capability of rewriting the links' hrefs to a "link gateway" where a sandboxed renderer presents the outside page, maybe running over rdp and purged after the end of every session.

The local Blink (or WebKit) renderer should be for internal or whitelisted sites only.


And then what? The end goal of phishing is either that the victim enters credentials or downloads a malicious file. Neither of which would be prevented by your scheme (even antivirus products are imperfect). Phishing with the goal of exploiting a zero day in the browser is exceedingly rare.


There are vendor solutions that do just this, converting all links to some kind of proxy service.


These both seem like arguments for phishing-resistant auth methods to me (like passkeys).
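What makes passkeys phishing-resistant, in contrast to the credential-entry workflow discussed above, is that the relying party checks where the assertion was made rather than trusting what the user typed. The block below is an added example, not from the thread and not a WebAuthn library: `bank.example` is a placeholder relying party, and the client data and authenticator data are constructed the way a browser and authenticator would build them. It implements the relying-party checks from the WebAuthn assertion procedure that matter here: the `origin` the browser recorded in clientDataJSON must be one the RP allows, the `rpIdHash` in authenticatorData must be SHA-256 of the RP ID the credential is scoped to, the challenge must match, and the user-present flag must be set. The final signature check over `authenticatorData || SHA-256(clientDataJSON)` with the credential's public key is not shown because it needs a crypto library; everything before it is what rejects an assertion produced on a look-alike origin.

```python
"""Relying-party side of a WebAuthn assertion, minus the signature step.

Added example with a placeholder RP; shows the origin and RP ID binding that
stops a passkey from being used on a look-alike site.
"""
import base64
import hashlib
import json
import struct

RP_ID = "bank.example"                                      # placeholder
ALLOWED_ORIGINS = {"https://bank.example", "https://www.bank.example"}
FLAG_UP = 0x01     # user-present bit in the authenticatorData flags byte


def b64url(data: bytes) -> str:
    """base64url without padding, as WebAuthn encodes the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_client_data(challenge: bytes, origin: str) -> bytes:
    # The browser builds this; 'origin' is the page origin it observed,
    # which a phishing page cannot spoof.
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()


def make_auth_data(rp_id: str, counter: int = 1, flags: int = FLAG_UP) -> bytes:
    # authenticatorData layout: rpIdHash (32) || flags (1) || signCount (4 BE)
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", counter))


def verify_assertion(client_data: bytes, auth_data: bytes, expected_challenge: bytes):
    """Return (ok, reason). Mirrors the RP checks before signature verification."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} not allowed"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & FLAG_UP:
        return False, "user not present"
    # Signature over auth_data || sha256(client_data) would be verified here.
    return True, "ok"


if __name__ == "__main__":
    challenge = bytes(range(32))            # constructed server challenge
    good = verify_assertion(make_client_data(challenge, "https://bank.example"),
                            make_auth_data("bank.example"), challenge)
    phished = verify_assertion(
        make_client_data(challenge, "https://bank.example.conn.evil.example"),
        make_auth_data("bank.example"), challenge)
    print("genuine site :", good)
    print("look-alike   :", phished)
```

Note that the second case fails on origin alone; in practice the authenticator would not even produce the assertion, because the look-alike page's RP ID is not one the credential was created for, which is the `rpIdHash` check in the same function.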


I don't click on any URLs from email. This should be the standard.



