back to article Fake 'U's! Phishing creeps use homebrew fonts as message ciphers to evade filters

A new phishing campaign that uses a custom font to hide its tracks and evade detection has been uncovered. Security house Proofpoint reports this week that miscreants hoping to steal login credentials from customers of "a major retail bank" were able to hide their phishing emails from automatic detection tools by seemingly …

  1. Mark 85 Silver badge
    Holmes

    People stil falling for the fake email.

    As always, one way to avoid phishing attacks (along with running antivirus and spam filters) is to avoid following links from any unsolicited or suspicious emails that purport to be from your bank.

    I'm still surprised at how many folks have to open, read, and then click on the links in emails. Even hovering over a link and seeing where it goes is better than blindly clicking on it. I've got one acquaintance who opens and reads every email (including obvious spam) evens hits the links just because "it might be important". He hasn't learned even after multiple virus infections. I suppose many folks read every piece of mail in their snail mail also. What can they possibly be thinking?

    1. stuartnz

      Re: People stil falling for the fake email.

      "What can they possibly be thinking?" I would suggest your question could be improved by removing the first word. :)

      1. swm

        Re: People still falling for the fake email.

        The head of one of the major security vendors gave a talk at our college and said that his wife had been banned from her provider because she clicked on any "click me" or equivalent link and downloaded lots of bad stuff.

        In response to a direct question as to which antivirus tools he used he said he didn't use any - he was just careful!

        1. Anonymous Coward
          Anonymous Coward

          Re: People still falling for the fake email.

          I used to work for a sales weasel some years ago that refused to use anti-virus. His excuse was that the customers would let him know if he had a virus.......

        2. This post has been deleted by its author

    2. Richard 12 Silver badge

      Re: People stil falling for the fake email.

      These days all email links go to Mimecast or similar filtering services, in an attempt to stop the muppets.

      Sadly, that means we're training everyone not to check links before clicking. So anything the filtering service misses becomes a massive hole.

      On the bright side, it also means you can't forward the emails to anyone outside the company, which hopefully cuts down on chain emails...

    3. Anonymous Coward
      Anonymous Coward

      Re: People stil falling for the fake email.

      Some people grew up in environments where each mail was important, and ignoring one could have lead to big issues. They are unable to change mindset now that the landscape changed, failing to understand how dangerous it became.

      Years ago, my late grandfather opened my house door to a nice young woman who said she was from the "gas company" - and I don't have any service from any gas company. She was of course trying to sell gas sensors, at least she was not dangerous. But my grandfather was used to have visits from the gas company employee to read the meter (or called because of possible issues), so he opened without thinking twice - because it could have been "important".

      1. Doctor Syntax Silver badge

        Re: People stil falling for the fake email.

        my late grandfather opened my house door to a nice young woman who said she was from the "gas company"

        I occasionally get people presenting themselves at the door who think they can authenticate themselves by waving a phot-ID card from whoever they claim to be representing. It baffles them I fail to believe them and point out that I could produce the same with my camera, colour printer and a laminating kit bought from eBay.

        Hmmm. Idea. Get one of those laminating kits and make my own badge claiming to be from some suitably official- and threatening-sounding body to wave back at them. Yesss...the more I think about it the more I like it.

        1. Anonymous Coward
          Anonymous Coward

          Re: People stil falling for the fake email.

          Also bring a clip board and you will be invincible.

          1. BillG Silver badge
            Go

            Re: People stil falling for the fake email.

            @AC wrote: Also bring a clip board and you will be invincible.

            Used to be a clipboard and a frown would let you leisurely stroll past any security. I wonder, in the age of computers does that still work or will people stop you to ask "Hey, what's that"?

            1. IceC0ld Bronze badge

              Re: People stil falling for the fake email.

              @AC wrote: Also bring a clip board and you will be invincible.

              Used to be a clipboard and a frown would let you leisurely stroll past any security. I wonder, in the age of computers does that still work or will people stop you to ask "Hey, what's that"?

              ===

              the clipboard and THE frown were social engineering 101 back in the day, still works to this day, just that some organisations are getting their act together, mind you, the sheer number of web based connections available nowadays is making the use of social engineering less important now, even if it is still a potent force at times

              1. Anonymous Coward
                Anonymous Coward

                Re: People stil falling for the fake email.

                These days a high vis jacket, toolbox, a few cones and white van will get you in pretty much anywhere.

            2. caffeine addict Silver badge

              Re: People stil falling for the fake email.

              Replace a clipboard with a rugdedised tablet and you'd get the same thing...

          2. herman Silver badge

            Re: People stil falling for the fake email.

            With a stethoscope and white coat you can be truly invincible.

          3. Public Citizen
            Go

            Re: People stil falling for the fake email.

            In order to achieve true invincibility you need to add a White Hardhat.

        2. Waseem Alkurdi

          Re: People stil falling for the fake email.

          Tha prubblem iz dat you'd be arrested for impersonating a police/military officer.

          Heck, even the scammer may report you doing that as revenge.

          1. Tomato42 Silver badge

            Re: People stil falling for the fake email.

            Just say that you are from a TLA, for most folk it sounds scary enough.

            1. tim 13

              Re: People stil falling for the fake email.

              Say you are from THE TLA

        3. Stevie Silver badge

          Re: People stil falling for the fake email.

          Hmmm. Idea. Get one of those laminating kits ...

          Funnier idea. Ask person to hold up fake ID to door camera* (both sides please) and have automated routine print up a card with your own photo/name on it once picture and name zones are identified. Ask for a minute so you can get dressed (you were in the shower) and laminate up the result. Answer door wearing same ID bearing supervisor job title. Act puzzled, then angry.

          *properly isolated from the Internet of Tat of course.

          1. Waseem Alkurdi

            Re: People stil falling for the fake email.

            Great idea, but just try this:

            Take a photo of your personal ID card and print it.

            The result won't look like what can be obtained with a scan.

            An app like CamScanner could fix this, but all the colors would be messed up and the result is far from perfect

    4. c1ue

      Re: People stil falling for the fake email.

      There was a report out of Verizon at the 2016 Black Hat: roughly 1/4 of users surveyed clicked on everything regardless of training, background whatever.

      Likely these people are the ones glued to their phones/computers, obsessively grinding through every email and social media message.

      1/4 don't click on anything - the paranoid/security types.

      The middle 1/2 can be educated but would still be fooled by attacks like the one noted in the article.

      1. thecornflake

        Re: People stil falling for the fake email.

        Was there any suggested reasoning behind the 1/4 who insist on clicking everything? I always struggle to figure out why there are still people like that and presumably it comes down to some sort of human behaviour\psychology aspect (e.g. cognitive dissonance).

        1. Charles 9 Silver badge

          Re: People stil falling for the fake email.

          Probably negative reinforcement. One time they DIDN'T click something and got in big trouble.

    5. TRT Silver badge

      Re: People stil falling for the fake email.

      Microsoft Outlook's ability to effectively render obvious email links as nearly gibberish doesn't help users who are educated enough to try looking at the target URL.

    6. TheBully

      Re: People stil falling for the fake email.

      What annoys me is how legitimate companies are sending marketing emails that look like they have gone out of their way to make the email look suspicious. I keep getting one from Parcel force, click here to download your free whitepaper on growing your business. A quick google of the domain in the URL doesn’t bring up results that would confirm either way since they use a different potentially phishyish looking domain for the download. I have even had genuine invoices come in where the wording of the email is really vague and it screams phishing attempt. Also local councils now seem to be emailing businesses with these really vague non relevant requests for tenders requiring users to click here and log into so and so corporate sounding thing to bid for business and the users are like eh wots this is it a virus. Just assume every email is a virus or a scam unless you are expecting it.

      1. disgustedoftunbridgewells Silver badge

        Re: People stil falling for the fake email.

        I got a fantastic letter from Barclays the other day - their logo looked like it had been photocopied, badly, telling me about how my application for credit was successful, call 03XX to query.

        I was so sure it was a scam by that point that I was slightly impressed they had bothered to get hold of an 03 number.

        Then I remembered that I had taken out "partner credit" with Barclays when buying a sofa.

    7. Stevie Silver badge

      Re: People stil falling for the fake email.

      "I'm still surprised at how many folks have to open, read, and then click on the links in emails."

      *<idly ponders how many times El Reg credentials have been looted by spoof "REPLY" button code injection attack>*

    8. Michael Wojcik Silver badge

      Re: People stil falling for the fake email.

      Yes, people still fall for cons that other people find obvious.

      Blaming users for security errors has gotten us nowhere. There are many users, they vary widely, and we're not going to be able to train them all to resist all attacks. In fact, we're not going to be able to train any of them to resist all attacks. IT security experts get spearphished. Constant, perfect vigilance is impossible.

      We have to build safer systems. We can't build safer users.

      1. Charles 9 Silver badge

        Re: People stil falling for the fake email.

        But you MUST. Otherwise, you can't have safer systems, period, because the user is behind 9 out of 10 safety failures (and those include failsafe failures--think "click fatigue"). And like Douglas Adams once said, you can't make things foolproof; a better fool will always come along: often one over your head.

  2. tkachi

    vjj huqx!!

    1. Ken Shabby

      OK, stay calm, we can rescue you.

    2. Robert Carnegie Silver badge
      Joke

      Bjlljkks :-)

  3. Joe W
    Mushroom

    html in email...

    How I hate that! It has no place there, and the new "intelligent" email programs a also no longer know how to deal with replies inside a quoted mail.

    Ich kann net soviel fressen wie ich kotzen könnt! (cannot eat enough to vomit as much as this makes me sick)

    1. Martin an gof Silver badge

      Re: html in email...

      How I hate that! It has no place there

      Absolutely, but it's more and more common. I get a lot of legitimate emails these days where the plain text part is either completely blank, or says something like "you have been sent an email". I'm trying to retire my Acorn RiscPC as my main email-reading computer, but at the moment it's the only 100% safe way to deal with these things (shift-double-click on the HTML part to load into a text editor, if nothing nefarious, double-click to load into a "dumb" web browser). Kmail on the Linux boxes is great and is set to text-only by default, but you do sometimes have to "view as HTML" and hope. And the HTML often just says "click here to view the full message".

      HTML adds next to nothing to an email anyway, though I suppose it's one step better than sending .docs around - can't preview them on the Acorn at all.

      M.

      1. Version 1.0 Silver badge
        Unhappy

        Re: html in email...

        I just cleared our mail server quarantine queue - this involved releasing an email from a payment service for a large US based hospital:

        This is a secure message from Bank of America. Click here by 2019-01-19 02:36 GMT to read your message. After that, either open the attachment or request the sender to re-send the message.

        It's real, we get the regularly - it comes with "SecureMessageAtt.html" ... Arghhhhhhhh

        1. Arthur the cat Silver badge
          FAIL

          Re: html in email...

          This is a secure message from Bank of America.

          I used to be with BoA (briefly). Their "secure mail" wasn't mail and wasn't secure. They would send you an email with a JavaScript attachment that you were supposed to save and then run in your browser! (I wonder how many people did that without reading the script first.) This then took you to a BoA web site which displayed an image of a US style mail envelope (I'm in the UK), complete with franked US stamp, which you clicked on to read the message. While the message was displayed cut and paste were disabled, just in case you wanted to keep a copy. If you wanted to communicate with them, the only allowed methods were snail mail (to the US), or fax. Fortunately changes in US law meant they dumped all their non-US customers, so I ended up with a Swiss bank that is technically competent and actually cares about its customers

          1. Anonymous Coward
            Anonymous Coward

            Re: html in email...

            >Their "secure mail" wasn't mail and wasn't secure.

            It is stuff like that that explains why we have a financial crisis. The only thing I wonder was that it didn't come before 2008, but I am not surprised we are still dealing with the fall-out.

        2. MiguelC Silver badge

          Re: html in email...

          PayPal also does that, they send mails displaying a button like text saying 'Check your account movements now' with a link to your account where you have to input your password.

          As with this Apple site, who knows what the link really points to?

        3. ma1010 Silver badge

          Re: html in email...

          I've had a Bank of America account for many, many years. A while ago, I got a fake text message claiming to be from them. I ignored the link in the message and went to their web site, logged on and went to "Messages" which, no surprise, was empty.

          I've done some basic computer security training classes, and I always tell people to VERIFY any remotely suspect message by another route: either contact the sender by another route (not clicking on any links!) and verify the message or check for messages via a known good web site.

          My healthcare provider sends emails that say "you have a message." They do provide a link to click, but I always just go to the web site directly and check there for the messages.

      2. Arthur the cat Silver badge

        Re: html in email...

        I get a lot of legitimate emails these days where the plain text part is either completely blank, or says something like "you have been sent an email"

        I get a third type as well, where the text/plain part has exactly the same content as the text/html part (and usually awful layout so it's unreadable without horizontal scrolling).

      3. Flocke Kroes Silver badge

        Re: html in email...

        If there is an excellent reason not to simply delete .doc attachments, try antiword (.doc -> .txt converter) which is available for RISC OS. There are dedicated text browsers: lynx, links and w3m (none of them appear to have a RISC OS port).

        I have had a Mac user who could not modify a plain text email and send it back. Is this PEBKAC or are Macs really that bad?

    2. alain williams Silver badge

      Re: html in email...

      Agreed. I read email for the message, too many people want it to look pretty - marketing people I am looking at you.

      This makes me happy that I use the mutt email client: no fonts, no colours, no CSS.

      HTML just makes the email much, much bigger (ie size in KB).

      1. SImon Hobson Silver badge

        Re: html in email...

        Agreed. I read email for the message

        Me too !

        too many people want it to look pretty - marketing people I am looking at you.

        Except that often the result isn't that it looks pretty - it often makes it unintelligible.

        I'm slowly getting into reading some of my emails on my phone - with a small display. Plain text emails are fine, but formatted ones, even non-HTML get shrunk so the formatted version fits in the screen, resulting in impossible to read text. Even on a laptop screen, many emails are "hard to read" because they render in the stupid font/size and stupid colour the sender's email program defaults to - like the small blue text Microsloth seem to think is a good idea.

        And don't get me started on Microsloth's contribution to email usage by defaulting to top posted replies.

        And to think people at work kept telling me I was in the wrong for using plain text and bottom posting :-/

        1. aks

          Re: html in email...

          Apple style seems to be the worst but others are copying it. Tiny pale text. I simple do a Select All of the page which inverts it or makes it white text on a blue background.

    3. bombastic bob Silver badge
      Flame

      Re: html in email...

      HTML mail is *evil*. It should be killed to death by burning with fire (see icon).

      from article: "Viewing messages in plain-text will also reveal or neuter any shenanigans"

      We should ALWAYS! practice 'safe surfing' and 'safe e-mail reading'. It's like a front-line defense. This includes NEVER viewing/previewing mail as HTML whenever possible. And don't foist it upon the recipient, either.

      [having to use anti-virus/malware BECAUSE of HTML mail is, well, LAME - no real value added, obvious no-cost solution]

      1. Anonymous Coward
        Anonymous Coward

        Re: html in email...

        > [having to use anti-virus/malware BECAUSE of HTML mail is, well, LAME - no real value added, obvious no-cost solution]

        From bitter experience I must disagree. My work involves a lot of reporting and in some of the cases I need instructions within a time limit. This was rarely observed, until I started writing Instructions needed: (ISO standard date) in large, friendly letters that also happened to be in bright red.

        1. Pascal Monett Silver badge

          Re: From bitter experience I must disagree

          Absolutely that. I cannot count the times I have been forced to call someone and ask them if they had read my mail. "Of course I did !" is always the answer, to which I reply : "Then could you please send me the information I requested in the second paragraph ? I need it now."

          Cue several minutes of re-checking, mumbling, faffing about and, rarely, an "Oh sorry, I must have missed that." Yeah, you did.

          People who don't understand what they read are the bane of businesses all over the world. So I totally get your solution, even if I don't like it either.

          1. Terry 6 Silver badge
            Facepalm

            Re: From bitter experience I must disagree

            This is such a big issue ( at least I think it is). I'm just sick to the back teeth of people who respond to an email with something I didn't ask for/about. Often boilerplate generic responses to a very specific question or complaint.

            The classic is the BBC's. I emailed to complain that Wimbledon was simultaneously on BBC1 and BBC 2 for the whole afternoon.

            Their response said; "We're sorry you think there's too much sport on the BBC...".

            As it happens I like sport on the TV. I even like tennis sometimes. But not both channels all bloody afternoon.

            In another example that's just come back to me; I've emailed a company to point out that there was rubbish blocking a fire exit and had a reply "We're sorry that you found our premises were untidy..."

            No I found their premises were a death trap!"

            1. Anonymous Coward
              Anonymous Coward

              Re: From bitter experience I must disagree

              > No I found their premises were a death trap!"

              The only viable response then is to forward that email to their local fire brigade or similar authority, as documentation of lack of understanding of fire safety regulations.

              1. Terry 6 Silver badge

                Re: From bitter experience I must disagree

                Yeah, except these were examples of not reading the emails.

                1. Charles 9 Silver badge

                  Re: From bitter experience I must disagree

                  So call them by telephone and inform them the location in question has a fire hazard. If that doesn't get a prompt reply, go to the municipal council and complain of dereliction of duty. You'll either get a response or media attention as the news picks up on the story.

            2. Anonymous Coward
              Anonymous Coward

              Re: Answering the wrong question?

              OH, you've never asked about Linux or any other open source development then?

              I've seen it recently a little with 3D printers, but Games and OS is the worse. I don't doubt it's the same in closed source too! Just we don't get to see the arguments there. ;)

              "Oh, I just want to change a font in my Word Processor, for when I finally output to open format documents, which button in the GUI does this?..."

              "Have you compiled the Kernel with additional fonts?"

              "Have you compiled the Kernel to allow for access to the internet to download additional fonts?"

              "Have you compiled the Kernel to allow for font creation by back porting over from an Acorn and bouncing the download packets off the ISS on a full moon?"

              "No guys, he is wasting our time asking us to make a new icon in the GUI, when he should be using a terminal to TCP into the customers computer and sending them messages by switching power states via morse code.

            3. disgustedoftunbridgewells Silver badge

              Re: From bitter experience I must disagree

              The BBC complaint response was likely so they could categorise your complaint in a way that was less tangental to reality but more convenient to them.

              I once complained about the football scores being shown on the news directly before match of the day so if you recorded it, you stood a good chance of accidentally seeing the scores you'd managed to avoid all day, leading to having to start the programme but with your hand obscuring all of the screen and hoping you could tell whether MOTD had started from the colour of the corner.

              Their response: sod off.

            4. Robert Carnegie Silver badge

              Re: From bitter experience I must disagree

              Wimbledon: presumably different games (or, same game, different matches).

              If they pass coverage from BBC1 to BBC2 or back then it's liable to run in parallel on both until there's a pause.

              It's how tennis is - when it's on, there's a lot of it. Five-a-side or more would let more people play at one time and on one TV channel.

          2. Anonymous Coward
            Anonymous Coward

            Re: From bitter experience I must disagree

            "....call someone and ask them if they had read my mail"

            I used to filter email based on the credibility of the sender. Depending on who sent it my response was often "No I delete all emails from you. If it were important you would call."

    4. LDS Silver badge

      Re: html in email...

      Actually, there are people who need better text display than what you can achieve with plain text only - and not for fancy marketing emails only. It happened to me more than once to have to review important emails before sending them out, and being able to use advanced features is very handy.

      Probably HTML isn't the right solution, unless it's heavily sanitized - Javascript should be banned, and links checked and requiring specific affirmative actions to be followed, displaying clearly which address will be used - and signalling any issue.

      Anyway stupid marketing companies are the best allies of phishers - just a few days ago my sister got an email from a local Swarovski shop about upcoming sales that though legitimate, was a perfect example on how not to do a promotional email - and it triggered all the alarm bells it could. They used a marketing system, and i.e. links typed and shown where actually changed to point to tracking ones before being redirected, and so on.

      1. teknopaul Bronze badge

        Re: html in email...

        Email should use *markdown* or _commonmark_

        * No need for two copies

        * Viewer can be fancy if you like

        * Editor can be fancy if you like

        * It easy to see where links go

        * No option to hide content ordo sneaky embedding

        Or font tricks for that matter

        1. Waseem Alkurdi

          Re: html in email...

          Or <HTML>ThrRegisterHTML</HTML>.

        2. Anonymous Coward
          Anonymous Coward

          "Email should use *markdown* or _commonmark_"

          Fine if all parties know it - which in many environments doesn't happen. It was a workaround when displays were text only - I would like to move to the future in a sensible way, not to be tied to the past. People are used to specific typographical features, you have to deliver them.

          You can have both typographical features and security - the real issue here is not bold or color, it's unrestricted HTML and using engines designed for web browsers inside mail clients. Links redirecting outside security boundaries without any check are pure evil, more even so when they can be "obfuscated".

      2. Ken Hagan Gold badge

        Re: html in email...

        I think it would be straight-forward to write a HTML parser-cum-re-writer that did most of the sanitisation necessary. Both MIME and HTML are well-defined and text parsing as a technology is older than I am.

        In addition to JavaScript, I'd ban "links to external content, like images or iframes" and (especially given this article) custom fonts. If you can't write an email without those, I don't want to hear from you.

        I'd probably want to ban hyperlinks altogether. This forces authors to put the actual URL in plain sight, which makes all sorts of scams more obvious. It also forces readers to manually cut and paste it into a browser. If you can't do that, you need to learn a bit more about computers before you are safe to use one.

        1. Ken Moorhouse Silver badge

          Re: ...HTML are well-defined

          HTML is well-defined if it has been passed through validation. Unfortunately the baddies will target parsers that have slack acceptance of standards with specially crafted HTML. I used to be able to crash IE just be leaving a paired tag dangling.

          The authors of HTML parsers are in a quandary: do they enforce strict validation and reject incorrectly structured HTML, or do they pander to users who think a parser is crap if it can't render anything that is thrown at it?

          1. The First Dave

            Re: ...HTML are well-defined

            "MIME and HTML are well-defined"

            No mention of CSS - that shows how much YOU know!

        2. Charles 9 Silver badge

          Re: html in email...

          "This forces authors to put the actual URL in plain sight, which makes all sorts of scams more obvious."

          No, it'll force people to start making legitimate-looking-but-fraudulent URL shorteners.

      3. Anonymous Coward Silver badge
        Paris Hilton

        Re: html in email...

        I'm curious as to what 'better text display' you refer to?

        If people have bad eyesight and need the text bigger, or they're sensitive to certain colours so need the text in green, or that sort of thing... well plain text is better because their email client can be configured to display all emails that way rather than trying to parse what the sender wanted.

  4. Anonymous Coward
    Anonymous Coward

    So what's to stop a new e-mail filter from red-flagging messages with low accepted-language content (through spell-checking)?I mean, a few misspelled words here and there are one thing, but a coded message like that is almost certain to have near-0% accepted language content.

    1. Francis Boyle Silver badge

      Yes

      I suspect that like hijacking airliners with box cutters and flying them into buildings this is a security hole that can only be exploited once.

    2. Kanhef

      That was my initial thought as well. For a general-purpose email filter, it would have to check quite a few languages in order to not block every email written in, say, Italian or Thai. Also needs to be context-aware, so they can't avoid triggering the filter by just putting half of Moby Dick in an HTML comment.

      Might be simpler to have a check for embedded fonts. If found, render the message into an image, apply OCR, and run filters again on the result.

      1. Richard 12 Silver badge
        Holmes

        Better to just disable embedded fonts entirely.

        There is literally no legitimate reason to embed fonts in email - if my email reader doesn't already have access to locally-installed fonts that support the unicode code points in the email, then they're a form of communication that I can't read anyway.

        If I understand (eg) Korean, then I'll have installed a few Korean fonts. If I haven't got a font for those characters, it's almost certain that I don't understand them anyway!

        1. This post has been deleted by its author

    3. Omgwtfbbqtime Silver badge
      Headmaster

      a few misspelled words here and there are one thing

      Nope.

      I'm willing to not see any email with any spelling errors.

      In fact, I would accept the spam filter taking out the emails that fail a grammar check.

      1. Keef

        Re: a few misspelled words here and there are one thing

        'to not see'

        Isn't that a split infinitive?

        1. Anonymous Coward
          Anonymous Coward

          Re: a few misspelled words here and there are one thing

          Who knows? My grammar police browser plugin didn't render his post. Yours too and probably mine as well.

      2. Charles 9 Silver badge

        Re: a few misspelled words here and there are one thing

        "I'm willing to not see any email with any spelling errors."

        So you're not willing to accept any e-mail from an English speaker across the ocean because you use "ou" and they use "o" (or vice versa), which trips most spell checkers? Sounds like a business killer to me.

  5. J J Carter Silver badge
    Boffin

    Defence in depth

    Can't rely on users to use common sense so my shoppe uses Microsoft ATP Safelinks to rewrite URLs in emails so they are checked in real time when the luser clicks on them. If Safelinks doesn't catch it, all Internet traffic is passed via ZScaler cloud proxy with filtering of d/l content. If that fails Bitlocker on Windows should block unknown .exe from running, and users login with an unprivileged account of course.

    1. ds6 Bronze badge
      Devil

      Re: Defence in depth

      BitLocker is for disk encryption [with TPM], did you mean Smart Screen?

      Also, are you checking for other executable files, such as ClickOnce or JavaWS? At an old company I'd worked for, while they'd blocked native executables, they didn't have any CAS policies so I could run whatever .NET stuff I wanted and install/run things with it that way. Obviously I didn't end up staying long.

    2. Hstubbe

      Re: Defence in depth

      Oh yeah, zscaler. The mitm that intercepts all https connections and replaces the channel between browser and proxy with an insecure tls connection. Very secure, gotta love it.

    3. bombastic bob Silver badge
      Meh

      Re: Defence in depth

      the problem with 'safelinks' is that you can't just look at it to see if it's legit. it takes away the ability to easily see things like "mybank.nefarious.cn" in the URL [for one possible example]. View as plaintext shows these URL hijacking links as they REALLY are, not as the phisher intended.

      So I'd say 'smart links' are for people who aren't... [train them instead, or at LEAST pre-configure all e-mail readers for plain-text only, and make it a company policy]

      1. Charles 9 Silver badge

        Re: Defence in depth

        What if they hide the URL with a legitimate-looking redirector?

  6. steelpillow Silver badge
    Devil

    Now I understand

    why now and then an email appears as gibberish in my PLAIN TEXT email client.

    You mean, somebody out there still thinks HTML email is a good idea? Oh, good grief!

  7. Terry 6 Silver badge
    Facepalm

    Tesco F***ing marketing bank

    We still get genuine emails from Tesco Bank marketing, with "click here" links.

    Dickheads!

    1. Anonymous Coward
      Anonymous Coward

      Re: Tesco F***ing marketing bank

      Automatically forward them all to the Tesco Bank CEO.

      If enough people do it, that will teach the spam filters used by Tesco Bank that Tesco Bank marketing is spam, solving the problem for everyone.

      1. bombastic bob Silver badge
        Devil

        Re: Tesco F***ing marketing bank

        that kinda reminds me of a problem I had a few years ago sending spam complaints to an 'abuse@' email on a server in korea that had some customer joe-jobbing me (outgoing spam with my e-mail address in it). The 'abuse@' e-mail address had a spam filter on it, and if I attached the spam I was complaining about, it would bounce (yeah spam filter on an 'abuse@' address, really smart). I contacted some other admin upstream of that in Switzerland (as I recall) with a "hey these guys" kind of request to give them a good kick and within a few days it was shut down. That was really pathetic.

        1. Terry 6 Silver badge
          Flame

          Re: Tesco F***ing marketing bank

          Virginmedia STILL does this. The shit comes through to my spam filters and is sidelined to a spam folder.

          If I send it to VM's spam report address it gets bounced by VM because it contains spam. What the fuck else do they want us to forward to them, Christmas cards? Fucking incompetent bunch of goons.

          Why's there no blood pressure icon.

        2. Doctor Syntax Silver badge

          Re: Tesco F***ing marketing bank

          "he 'abuse@' e-mail address had a spam filter on it, and if I attached the spam I was complaining about, it would bounce"

          I can assure you it was far from unique.

    2. Anonymous Coward
      Anonymous Coward

      Re: Tesco F***ing marketing bank

      > We still get genuine emails from Tesco Bank marketing, with "click here" links.

      Contact them on their GDRP-mandated privacy contact email address and tell them this is a GDRP violation since it uses undue web tracking. Since this is from a bank it can be VERY costly.

      1. werdsmith Silver badge

        Re: Tesco F***ing marketing bank

        > We still get genuine emails from Tesco Bank marketing, with "click here" links.

        All the banks I deal with are doing it, Nationwide, Barclays, Santander, Lloyds, and others. Click here to go to a logon screen. It's idiotic and in the minds of many it legitimises the practice and leads to fraud.

        Why don't they get it?

        1. Anonymous Coward
          Anonymous Coward

          Re: Why don't they get it?

          PAypal/Ebay make a fee/cut of every transaction. Even fraudulent ones. Even if they have to refund customers, they can mark that down as "cost of doing business" with a nice payment on top for their special hard work.

          So I don't think all the banks want to stop fraud, just keep it at a level where it's profitable for them...

          (No special knowledge here, just look up the news articles on banks allowing fraud on accounts if "well off/rich" customers, and passing a blind eye to it.)

  8. Chairman of the Bored Silver badge

    BOFH solution

    I worked for a Govt organization that sensibly locked down email clients to text-only mode. Outlook was deliberately crippled to prevent one from enabling anything but plain text.

    BOFH part: If you tried to enable html, or send html, or click on a link, you were sent to a "reeducation camp". In this IT Siberia, people are forced to watch presentations on email safety. Powerpoint shows designed to crush the spirit and create unthinking compliance. One viewgraph every 30s for an hour. The quiz at the end requires a perfect score. Imperfect score? Re-do the training.

    1. bombastic bob Silver badge
      Thumb Up

      Re: BOFH solution

      "sensibly locked down email clients to text-only mode"

      A BIG thumbs up for that! (double since it was a gummint organization)

    2. Doctor Syntax Silver badge

      Re: BOFH solution

      "Outlook was deliberately crippled"

      I thought this was normal.

      1. Tomato Krill

        Re: BOFH solution

        You may not like MS, but it's a fact there is nothing even remotely close to outlook / exchange in what it does and how it scales.from 1 user to 1m users

    3. Waseem Alkurdi

      Re: BOFH solution

      BOFH part: If you tried to enable html, or send html, or click on a link, you were sent to a "reeducation camp". In this IT Siberia, people are forced to watch presentations on email safety. Powerpoint shows designed to crush the spirit and create unthinking compliance. One viewgraph every 30s for an hour. The quiz at the end requires a perfect score. Imperfect score? Re-do the training.

      You may have said this as humor, but I'm seriously, seriously contemplating implementing this if I ever get to be in charge.

      This is the only (legal, humane*) way to coerce users into obedience,

      Is it only the H&S crew who get to violate human rights and the Geneva Convention with their presentations?

      * which is why The Cattleprod (or Da Stapler) are not used in real life.

    4. Pascal Monett Silver badge

      Re: BOFH solution

      I'm ready to bet that no manager was ever sent to that training.

    5. Ken Hagan Gold badge

      Re: BOFH solution

      "BOFH part: If you tried to enable html, or send html, or click on a link, you were sent to a "reeducation camp". In this IT Siberia, people are forced to watch presentations on email safety. Powerpoint shows designed to crush the spirit and create unthinking compliance. One viewgraph every 30s for an hour. The quiz at the end requires a perfect score. Imperfect score? Re-do the training."

      If you treat users like idiots, they will act like idiots. Crush their spirit and create unthinking compliance, and they will just stop thinking. The good ones will leave. The bad ones will be left to run your civil service and keep the nation ticking over. Is that what you want?

      Also, if you have the technical means to detect when people try to do bad stuff, is it not negligent of you not to simply prevent it? That one-hour punishment session sounds like a waste of taxpayers money just to satisfy some perverted BOFH-like urge. I sincerely hope that the government in question isn't mine, but based on how fscking stoopid they have been recently, I suspect I may be disappointed.

      1. Charles 9 Silver badge

        Re: BOFH solution

        Plus, what if the offender is over the BOFH's head? I don't think even the BOFH would be willing to cross an executive who can reply, "Who hired this bastard?"

  9. petef

    No custom font is needed if you write uʍop ǝpᴉsdn. However I think that even the most gullible phishee would spot that.

    1. molletts

      "I think that even the most gullible phishee would spot that."

      Hm, I fear you overestimate our species.

      ¡¡¡soopıɹɐןןop uoıןןıɯ uǝʌǝs ʎʇɟıɟ puɐ pǝɹpunɥ ǝǝɹɥʇ¡¡¡ ɟo sƃuıuuıʍ ʇodʞɔɐɾ pǝǝʇuɐɹɐnƃ ɹnoʎ ɯıɐןɔ oʇ pɹɐɔ ɥsɐɔ ɹnoʎ ɹoɟ ǝpoɔ uıd ǝɥʇ puɐ ǝpoɔ ʇɹos puɐ ɹǝqɯnu ʇunoɔɔɐ ʞuɐq ɹnoʎ 'ʇɹodssɐd ɹnoʎ ɟo uɐɔs ɐ ɥʇıʍ ןıɐɯǝ sıɥʇ oʇ ʎןdǝɹ ʇsnɾ ¡ʎɹǝʇʇoן ɐƃǝɯ uɐıןɐɹʇsnɐ ǝɥʇ uoʍ sɐɥ ssǝɹppɐ ןıɐɯǝ ɹnoʎ ¡suoıʇɐןnʇɐɹƃuoɔ

      1. Andy Non

        I'm sure upside down text is the norm for Australians anyway.

        1. AndrueC Silver badge
          Meh

          If you make something idiot proof, someone will just make a better idiot.

          1. Will Godfrey Silver badge
            Unhappy

            Never do anything that takes idiots out of the gene pool. That just strengthens the breed, making them more resistant to common sense.

        2. Waseem Alkurdi

          I'm sure upside down text is the norm for Australians anyway.

          No, their monitors are upside-down, being in the southern hemisphere, lower half of the globe, etc?

          1. Charles 9 Silver badge
            Joke

            Exactly, meaning you need to use upside-down text if you're corresponding with an Australian from the Northern Hemisphere where the monitors are upside-down relative to theirs.

        3. Tomato Krill

          And I'm sure that was the joke...

      2. Jamie Jones Silver badge
        Happy

        I wanted to upvote you, but no longer am able to tell which button is up, and which is down!

  10. fluffybunnyuk

    Rule number 1 has always been to view unsecured messages in a plain text viewer, with alternating hex,bin,text views.

  11. gypsythief
    Boffin

    fg xjc dua ihut vyfq, xjc uih jci sfat jg mjggfa

    If you can read this, you are our kind of boffin

    Well, thank you very much.

    1. Spanners Silver badge
      Happy

      Re: fg xjc dua ihut vyfq, xjc uih jci sfat jg mjggfa

      That is an excellent word at the end. "mjggfa" should be used more on El Reg!

      1. Joe Harrison Silver badge

        Re: fg xjc dua ihut vyfq, xjc uih jci sfat jg mjggfa

        I represent the Mjggfa™ Corporation Inc. GmbH Worldwide Ltd. PLC and do hereby require that you cease, desist, and refrain from misuse of our corporate name, livery, trade dress, and general other stuff.

  12. Antron Argaiv Silver badge
    WTF?

    new company

    My company just got acquired. The new company sends out scads of "feel good" employee communications, plus loads of IT system status messages, most of which dont concern me.

    They alxo, I discovered, have hired a company with the email domain of "phish-me.com" to send out periodic phishing test messages. I fell for the first one, something about security update that looked official on my newly created account, but have now filtered those out.

    THE SPAM IS COMING FROM INSIDE THE COMPANY!

    1. TechnicalBen Silver badge

      Re: new company

      Yeah, IIRC one of the "spam tests" was an obvious "set up to fail" in another Reg article. The spam was actually sent from an IT bods/Managers account (which of cause, if hacked would still be wrong to click!).

      But the false positives were not from everyone clicking it, but from everyone doing actual forensics and seeing if the Manager had been hacked or not. So they eventually got their black marks removed. XD

      Oh, though in your case, I don't know what to say. I'm torn, because clicking any fake link is worrisome, as said, even if internal!

  13. Steve Knox Silver badge
    Paris Hilton

    Or..

    Just disable web fonts by default in e-mail clients, as many already do with images.

  14. Anonymous Coward
    Anonymous Coward

    V erzrzore jura zl rznvy pyvrag unq EBG13 rapbqvat ohvyg va.

  15. jezza99

    Since the phish requires a custom font, that must mean that the email client will download and use a font from an unverified source.

    Seems like a pretty basic security hole. Which email client(s) suffer from this?

    1. Anonymous Coward
      Anonymous Coward

      Oh? What if it's already attached?

  16. -tim
    Unhappy

    Fonts are hacking vectors and are not safe.

    Most font rendering engines can be tricked into drawing something like an O about a billion times. Modern fonts are just a program that often runs with elevated privileges.

    Blind downloading fonts into a browser is a risk. There were a number of CVEs last year about the issue.

  17. Anonymous Coward
    Anonymous Coward

    Since time in memoriam

    Human sees a hollow log:

    "hmmmmm, I think I will put my hand/face/appendage inside that...."

    I has always been thus.

  18. Anonymous Coward
    Anonymous Coward

    Custom font download

    "this requires victims' email clients to be configured to download and render custom fonts"

    This is actually a thing? Mindboggling.

    1. Tom 38 Silver badge

      Re: Custom font download

      One word - designers. Its apparently the worst thing in the world to delegate typographic control to the user, in case it looks a mm out of place.

      1. Tom 7 Silver badge

        Re: Custom font download

        And yet I control my browser/mail reader* so they can justify themselves to death so they are wasting their time.

        *I used to work as the accessibility guy and I just love the look on designers faces when faced with reality.

  19. Zippy´s Sausage Factory

    Oh noes!

    Wait until the phisher pholk discover ROT-13...

    Seriously, though, allowing HTML in emails? We're all doomed...

  20. No 3

    "This creates a primitive substitution cipher fooling security tools looking for certain keywords, as the software would only observe a set of random letters"

    How 2010 of them. Does ANYTHING spam detecting software still work on primitive keyword lists like that?

    Most systems I've seen use statistics and analytics, they look at messages hitting more the one email box and adjust accordingly. Whether the word 'payme' or 'fgswa' is in the email doesn't matter.

    If these emails are regularly getting through the spam filter of your provider, I'd suggest changing providers, they're software is crap.

    Oh, and the letters aren't RANDOM, they will be exactly the same for exactly the same word. Article writer might want to look up what random means.

    1. Charles 9 Silver badge

      "Oh, and the letters aren't RANDOM, they will be exactly the same for exactly the same word. Article writer might want to look up what random means."

      Not necessarily. Think repeated glyphs.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019