Beware of unexpected links in e-mail messages

Hackers are stealing Yahoo accounts by sending messages containing malicious web page links.

The message looks like a link to a web page on MSNBC. But if an unsuspecting user clicks on it, it redirects to another page that steals the e-mail account, allowing the hacker to use the account to send spam, or grab the account’s contact list.

The gory details are here.

This is precisely why links in e-mail messages make me uncomfortable. Right now it’s Yahoo that has the problem, but the same technique could be used to exploit a similar flaw in any other mail platform, too.

I only click on a link after hovering over it and examining the link in the lower left-hand side of my browser window. If the description and the link in the lower left don’t match, I don’t click. Period.

My workaround is to copy the link, paste it into Notepad, then paste the link into my browser window. It takes a few seconds, but that’s trivial compared to the amount of time it takes to get a compromised e-mail account back.
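The hover check described above (does the visible link text match where the link actually goes?) can be automated for HTML mail. The following is an added example, not code from the original post: it parses the anchors out of an HTML message body, and whenever the visible text looks like a URL or domain name, compares that host with the host in the `href`. A message whose link text says one site but whose `href` points at another is exactly the case the post warns about. The sample message body is constructed for the example; `check_links`, `host_of` and the label names are assumptions of this example, not anything from the article.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible_text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Return the lower-cased hostname of a URL; bare 'www.site.com' is accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


# Visible text that looks like a URL or a domain name, e.g. "www.msnbc.com/news".
_URLISH = re.compile(r"^(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def check_links(html_body):
    """Label every link in the body.

    MISMATCH        visible text names one host, href goes to another
    MATCH           visible text and href agree on the host
    CHECK_MANUALLY  visible text is not a URL ("Click here"), so hover and look
    """
    collector = _AnchorCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.anchors:
        if _URLISH.match(text):
            # Exact host comparison: "www.msnbc.com.evil.example" is NOT "www.msnbc.com".
            label = "MATCH" if host_of(text) == host_of(href) else "MISMATCH"
        else:
            label = "CHECK_MANUALLY"
        findings.append((label, text, href))
    return findings


# Constructed sample message body (not a real phishing sample).
SAMPLE_HTML = """
<p>Saw this on the news: <a href="http://evil.example.net/login">http://www.msnbc.com/news/story</a></p>
<p>Here is the real site: <a href="https://www.msnbc.com/">www.msnbc.com</a></p>
<p><a href="http://www.example.org/">Click here</a> for the full article.</p>
"""

if __name__ == "__main__":
    for label, text, href in check_links(SAMPLE_HTML):
        print(f"{label:15} text={text!r} href={href!r}")
```

The comparison is deliberately strict: any difference in host is reported, so a look-alike such as `www.msnbc.com.evil.example` is flagged rather than waved through. Links whose visible text is just "Click here" cannot be judged from the text alone, which is the case where the post's hover-and-compare (or copy into Notepad) habit still has to do the work.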

Having been accused of owning a hijacked e-mail account before, I know how reputation-damaging it is. It turned out a worm had found my e-mail address at a previous employer and was spoofing messages with that address (the address had ceased to exist years before the incident), but I still had to investigate, and then do damage control.

Trust me, copying and pasting links before clicking on them is a lot easier than that.

In a perfect world, e-mail software would be configured to not allow you to send e-mail containing an attachment or a hyperlink without digitally signing it to verify its authenticity, and to discard any incoming e-mail containing a hyperlink or an attachment that isn’t digitally signed. That’s not possible without universal two-factor authentication, so until we get universal two-factor authentication, we have to be very careful what we do.

2 thoughts on “Beware of unexpected links in e-mail messages”

  1. Whenever I get a message with a link, I ask myself if the message and the link sound like something that sender would say. If not, I delete it. A lot of these messages contain nothing but the link; I always delete those, and then write a separate email (not the Reply button) to the purported sender and ask if he/she has been hacked and whether he/she sent me a message like that.

    Can these malicious messages do harm simply because I “open” the email?
    Would one do harm by replying or forwarding such a message?

    1. To answer your question, no, merely opening such a message won’t do harm, though it’s possible to craft a malicious HTML message that can do harm, like a drive-by install, if you open it in certain mail clients (Outlook is the most frequent target). So I disable HTML mail in Outlook and turn the preview pane off to keep badware at bay.

      Replying or forwarding the message won’t harm you, but I’d break the link, in order to avoid someone else clicking on it and doing harm.
