There have been recent reports about fake Amazon.com order confirmations. Those who use Amazon are used to receiving email confirmation, so if a user hasn’t ordered anything, the user would probably be concerned that a fraudulent charge had been made to the account and would logically click the link that purports to provide order information details to find out what’s going on. However, clicking that link takes you to a site with obfuscated JavaScript and malware.
http://isc.sans.org/diary.html?storyid=8344&rss
This seems to be part of a general increase in fraudulent email messages of this type in recent weeks. I have received messages purporting to be Facebook friend requests from people whose names I don’t know, but when I go to my Facebook page (since I’m not going to click the link in the message), I find that there is no friend request there for that person. I have also been receiving fake Twitter invitations. The latter scam is not a new one; it’s been around for at least several months, but I’m seeing it again in my Inbox. You can read about it here:
http://www.symantec.com/connect/blogs/mass-mailing-worm-fake-twitter-account-invite
User education is one key to preventing damage from these types of scams. Since many employees use their work computers and company email addresses for occasional non-company correspondence, the company network can be at risk if users click these links. What about technological enforcement? Is it feasible to block/disable all links in email messages? Or is that too much of a “nuclear option?” Some people I’ve talked to say that the ability to click links in messages has become a vital feature of email and removing that would cripple the functionality of email. I’m interested in what readers think about this and invite you to write to me at [email protected] about it.