Laura wrote:

> This morning I got a phishing email supposedly from amazon.com.
>
> I knew it was phishing, of course, because it had that famous
> line "your account will close within 24 hours unless you
> click on this link and verify your information".
>
> What scared me particularly on this phish was this - I
> clicked on the link

I would advise that if you know that a link is provided in malice, curiosity should be outweighed by caution. It doesn't matter what you think you know, if you're about to become the victim of a 0-day exploit.

> (I often check to see where a phisher
> wants to take me, and the url given was definitely an
> amazon.com address! (Many phishers will lead you to a

When you say that it was definitely an Amazon.com address, 1) was the URI under the amazon.com domain, or 2) did the URI have the string "amazon.com" in it (possibly at the beginning) somewhere?

If:

1) There is a possibility (probably remote with an organisation like Amazon.com) that their website is vulnerable to a cross-site scripting vulnerability.

Example: The target website has an account login system. When a user logs out, they are redirected to the target website home page. A message is displayed which reads "Thank you for logging out". The message is passed via the query string, so the URI is constructed thus:

http://example.example/default.asp?message=Thank+you+for+logging+out

An attacker can now insert script into the HTML page that is sent to a user as an HTTP response if they can persuade the user to click on a link. Thus, a malicious URI might be constructed thus:

http://example.example/default.asp?message=<script>document.location='mal.example/default.asp'</script>

It seems pretty clear what is going on here, but if we convert the query string to hex, it looks like this:

<http://example.example/default.asp?6D6573736167653D3C7363726970743E646F63756D656E742E6C6F636174696F6E3D276D616C2E6578616D706C652F64656661756C742E617370273C2F7363726970743E>

This would appear to be far less suspicious, in my opinion. If the link is clicked on, the user is directed to the attacker's website. They can then be directed straight back to the target website without the user being any the wiser. Bearing in mind that the attacker can pick up the cookie values from the target website on the way, and deliver them to himself via the query string, this is not cool.

2) The protocol for logging into a website directly is (or used to be, at least) http://username:email@example.com/. If a non-existent username is specified, the anonymous web user account may be used. Thus, we could use the link http://amazon.com:firstname.lastname@example.org/.

Both of the above "exploits" are well known, so most websites *should* not be susceptible to them.

[..]

> 4. I thought you would be safe from viruses and unauthorized
> changes to your system if you don't click on any attachments.
> How does an email transfer a virus or a command if you don't
> click on an attachment? What are the new rules for keeping
> your computer safe?

Don't connect it to the interweb? Other than that, install a firewall and disable *everything*. Then, only enable what you need - and understand why you need it, otherwise leave it disabled. Keep your virus definitions up to date. Don't let curiosity get the better of you - if you know that something is malicious, totally avoid it.

Assuming you're on a Windows machine, buy a copy of Norton Ghost. Keep your data on a separate partition to your OS and applications, and take regular Ghost backups of your system partition. Then, if something Bad happens, you should be able to yank the plug, and restore your system partition from the Ghost image. Of course, your data partition could still be corrupted - but you can cross that bridge when you come to it.
HTH

Chris Marsh
Web Developer
http://www.globet.com/
Tel: +44 20 8246 4804 Ext 828
Fax: +44 20 8246 4808
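As an added example (not part of Chris's reply, and not any vendor's code), here is a small Python checker for the two link tricks described above: a trusted name placed before the "@" while the browser connects to the host after it, and script smuggled through the query string, whether percent-encoded or written as bare hex as in the example. The trusted brand name and the sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample: the brand the phishing mail pretends to come from.
TRUSTED_HOST = "amazon.com"

# Fragments that indicate script injected into a reflected parameter.
SCRIPT_MARKERS = ("<script", "javascript:", "document.location", "onerror=")


def decoded_query(url: str) -> str:
    """Return the query string with encoding undone: bare hex (as in the
    email's example) is decoded to bytes, then percent-encoding is removed
    twice so that double-encoded payloads are also exposed."""
    query = urlsplit(url).query
    if re.fullmatch(r"(?:[0-9a-fA-F]{2})+", query):
        query = bytes.fromhex(query).decode("latin-1")
    for _ in range(2):
        query = unquote(query)
    return query.lower()


def classify_link(url: str, trusted_host: str = TRUSTED_HOST) -> list:
    """Return a list of findings for one link; an empty list means nothing
    was flagged. Each finding is a short human-readable string."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()   # where the browser really goes
    user = (parts.username or "").lower()   # text before ':' or '@'
    # Trick 2: "http://amazon.com:...@example.org/" - the trusted name sits in
    # the userinfo part, but the connection is made to the host after '@'.
    if user and trusted_host in user and not host.endswith(trusted_host):
        findings.append(f"userinfo spoof: connects to {host}, not {trusted_host}")
    # Trick 1: reflected script carried in the query string.
    query = decoded_query(url)
    hits = [marker for marker in SCRIPT_MARKERS if marker in query]
    if hits:
        findings.append("script in query: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    # Constructed sample links, including the hex form from the reply.
    for link in (
        "http://www.amazon.com/gp/css/homepage.html",
        "http://amazon.com:firstname.lastname@example.org/",
        "http://example.example/default.asp?message=%3Cscript%3Ealert(1)%3C/script%3E",
    ):
        print(link, "->", classify_link(link) or "ok")
```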