Interesting Phishing Twist
The other day I got a phishing mail purporting to be from E-Bay. That part in and of itself was not unusual. What was interesting was that the link used a different technique to disguise itself than what I have seen before. Instead of using a URL made up of an IP address or some nonsense, it bounced the link through Google. The link looked something like: http://www.google.com/url?q=http://blogs.technet.com/jesper_johansson. An alert user would see that the link goes to Google and wonder why it is not going to E-Bay, but since Google does not look that suspicious, that probably won't raise many concerns.
This may not be new. It could just be that I have not noticed, as I do not usually pay much attention to phishing. It also appears that while this one used Google to bounce the link off of, you can use ebayobjects.com or MSN.com for the same purpose. Of course, you can also translate the URL using Tiny URL and others. This means that people need to be very vigilant about where they are going and validate the site only by the certificate it presents and the URL shown in the address bar once they get there; not by the URL they clicked on to get there. All of us who work in security owe it to the people we know to make sure they understand this. Sites that do not present certificates are almost certainly fake.
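Because the address bar is the only trustworthy indicator, a mail gateway or a user-side link checker can at least flag links whose visible host is only a bounce point. The following is an added example written for this post (not the author's code and not any vendor's filter); it unwraps URLs that carry another absolute URL in their query string, following nested bounces, and reports the host the user would actually land on. The sample links are constructed, using the Google form shown above and example domains; note that shortened links such as Tiny URL cannot be unwrapped offline this way, since the real target lives on the shortener's server, not in the link itself.

```python
from urllib.parse import urlsplit, parse_qsl


def bounce_chain(url):
    """Return the hosts of any URLs embedded in the query string of `url`,
    in the order the browser would be bounced through them.

    Handles percent-encoded values (parse_qsl decodes them), absolute
    http(s) URLs and protocol-relative values such as //host/path.
    An empty list means the link carries no embedded destination.
    """
    parts = urlsplit(url)
    chain = []
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        inner = urlsplit(value)
        # A relative path like "/account" has no netloc and is not a bounce.
        if inner.hostname and inner.scheme in ("http", "https", ""):
            chain.append(inner.hostname)
            # Recurse: the embedded URL may itself bounce somewhere else.
            chain.extend(bounce_chain(value))
    return chain


def final_host(url):
    """Host the user ends up on: the last hop of the chain, or the link's
    own host when nothing is embedded in it."""
    chain = bounce_chain(url)
    return chain[-1] if chain else (urlsplit(url).hostname or "")


def is_bounced(url):
    """True when the visible host differs from the real destination."""
    return final_host(url) != (urlsplit(url).hostname or "")


# Constructed samples: the first mirrors the link form quoted in the post,
# the rest use reserved example domains.
SAMPLE_LINKS = [
    "http://www.google.com/url?q=http://blogs.technet.com/jesper_johansson",
    "http://www.google.com/url?q=http%3A%2F%2Fportal.example%2Fgo%3Fto%3D"
    "http%3A%2F%2Flogin.example.net%2Fsignin",
    "https://www.example.com/login?next=//login.example.net/signin",
    "https://www.example.com/login?next=/account",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        flag = "BOUNCE" if is_bounced(link) else "direct"
        print(f"{flag:6}  visible={urlsplit(link).hostname}  "
              f"lands_on={final_host(link)}  via={bounce_chain(link)}")
```

The check is deliberately narrow: it does not judge whether a host is "good", it only answers the question the post raises, namely whether the host a user sees in the link is the host they will be sent to. Pair it with the advice above (certificate and address bar at the destination) rather than treating a clean result as proof of safety.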
There are exceptions to this. Discover Card and many others persist in using an optimization technique whereby they do not actually show a certificate on the login page. Only the form action uses SSL, which means the password is encrypted as it goes across the wire. However, they have yet to understand that encrypting credentials is only one of the objectives of SSL. Discover Card still does not grasp the other objective: enabling the end user to ascertain that they are actually sending their password to the right server. And they wonder why phishing is so lucrative against the credit card industry?