21

In a large organization (e.g., a city staff), relying on human behavior to prevent phishing attacks isn't nearly effective enough. While it would be somewhat inconvenient (security usually is), I'm thinking of an approach whereby the email client would redact all URLs in a message. Not only make the URLs inactive, but eliminating them entirely. For example, something like this:

Click here to see our new report on property taxes:

[URL removed]

If there really is a new report, and if the city staffer really wants to see it, he or she can go to the website and track down the report. If the user goes to the website through a password manager or a bookmark, there's no way the bogus site will be reached instead of the real site. (A phishing attack involving a site that the user is unfamiliar with, and therefore has no login for, wouldn't be a phishing attack.)

While not all phishing attacks involve URLs in emails, my guess is that 99% of them probably do.

I'd appreciate some comments on whether you think this would be effective in reducing phishing attacks. I'm less interested in whether the absence of URLs presents an inconvenience, as I know it does.

(Forcing the email client to operate in text mode only removes the linkage; the URL is still there.)

David K
Marc Rochkind
    Removing all URLs impacts usability greatly and still doesn't prevent phishing entirely. The reason why relying on human behaviour instead of technology is considered best practice is because it has had the best results so far. My suggestion to you is to invest in good phishing training, rather than chasing a magical silver bullet. –  Aug 24 '19 at 21:38
  • 10
    I think there is much evidence that "phishing training" has been a huge failure. We need to continue to research technical solutions. – Marc Rochkind Aug 24 '19 at 22:29
  • 10
    Do you have any evidence for that claim that it was a "huge failure"? Because all the data I have is the "before/after" analysis and in some of the best cases, it's something like a 90%/20% result. –  Aug 25 '19 at 12:04
  • you might consider leaving the urls linking to a list of approved domains, such as the internal tools you use, the website of your organization – njzk2 Aug 25 '19 at 18:28
  • 1
    There is a Microsoft system that I've seen do this (Exchange or O365 or whatever). It replaces URLs with sanitized .outlook.com URLs. Very annoying. – Darren Aug 25 '19 at 20:03
  • 9
    Really bad idea because now I cannot reset any forgotten passwords. Just do what schools do, use a proxy. – RozzA Aug 25 '19 at 21:05
  • 5
    If you do not care about features or usability but only preventing phishing at any cost why not redact the entire email? Or just not give people email at all, that would be even more secure, at an additional inconvenience. – Vality Aug 26 '19 at 18:53
  • 2
    I use another website (which I shan't name) which forbids any text that even vaguely looks like a URL. Not only is it annoying, it's ineffective - most users can obfuscate URLs to dodge the filter. – michaelb958--GoFundMonica Aug 27 '19 at 00:43
  • 1
    There are use cases that would be greatly impacted: "The new report is not yet published, but you can see the hidden draft at [URL redacted]" or "I have made a Dropbox folder with the data: [redacted]" – Davidmh Aug 27 '19 at 12:07
  • @MechMK1 do you have a source for that 90%/20% figure? A 90% phish rate is absolutely insane, unless there's like 10 people in the company. 20% is still way above average. The industry average is about 10%. – trallgorm Aug 27 '19 at 13:56
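As an added illustration of the proposal in the question (this is example code, not code from the question or its author), the snippet below applies the redaction step to a constructed plain-text body and to a constructed HTML body: the URL itself is replaced by the placeholder, which is the difference from a text-mode client that only removes the link. The sample hostnames are made up. The last case shows the limitation raised in a comment on Joseph Sible's answer: a URL spelled as `www (dot) evil (dot) test` is not recognised by the matcher and passes through untouched.

```python
import re
from html.parser import HTMLParser

# Matches absolute http(s) URLs and bare "www." hosts in running text.
URL_RE = re.compile(r"""\b(?:https?://|www\.)[^\s<>"')\]]+""", re.IGNORECASE)
REDACTED = "[URL removed]"


def redact_text(text: str) -> str:
    """Plain-text part: replace each URL with the placeholder (the proposal),
    rather than merely leaving it unclickable as a text-mode client would."""
    return URL_RE.sub(REDACTED, text)


class _Redactor(HTMLParser):
    """HTML part: drop <a> elements whole (href and anchor text) and redact URLs
    that remain in text nodes or in other attributes such as <img src>."""

    def __init__(self):
        # Keep entity references verbatim so we never emit un-escaped markup.
        super().__init__(convert_charrefs=False)
        self.out = []
        self.in_anchor = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.in_anchor = True
            self.out.append(REDACTED)
        else:
            self.out.append(redact_text(self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):
        self.out.append(redact_text(self.get_starttag_text()))

    def handle_endtag(self, tag):
        if tag == "a":
            self.in_anchor = False
        else:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Anchor text is dropped together with its href.
        if not self.in_anchor:
            self.out.append(redact_text(data))

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{redact_text(data)}-->")


def redact_html(html: str) -> str:
    parser = _Redactor()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def remaining_urls(text: str) -> int:
    """How many recognisable URLs survive redaction (should be zero)."""
    return len(URL_RE.findall(text))


if __name__ == "__main__":
    # Constructed sample messages.
    plain = "Click here to see our new report on property taxes:\nhttps://city.example.test/reports/taxes.pdf\n"
    html = ('<p>Click <a href="https://evil.example.test/login">here</a> or see '
            '<img src="https://evil.example.test/t.gif"> www.city.example.test/x</p>')
    print(redact_text(plain))
    print(redact_html(html))
    # Obfuscated spelling slips through: the matcher does not see a URL here.
    print(redact_text("www (dot) evil (dot) test"))
```

The HTML path removes the whole anchor rather than just its `href`, because anchor text such as "here" is meaningless once the target is gone; attribute values in other tags (tracking pixels, for instance) are redacted in place so the markup stays well-formed.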

4 Answers

58

First of all, it would be a usability nightmare.

Second, it wouldn't even fix the problem it purports to. While it could be effective against phishing mails designed for 'normal' clients, attacks designed to suit such systems would probably be even more effective.

The users of such networks would be used to using all kinds of alternative ways to refer to urls. Suppose I wanted to link to this question and ask you to upvote my answer; as you don't allow me to write https://security.stackexchange.com/questions/215871/redacting-urls-as-an-email-phishing-preventative I could say:

  • security.stackexchange.com/questions/215871/redacting-urls-as-an-email-phishing-preventative
  • https:/ /security.stack exchange.com/questions/215871/redacting-urls-as-an-email-phishing-preventative
  • Go to security SE question 215871
  • bitly 2ZoZiTS
  • Link sent to your personal mail
  • Please call to 555-0123 so I can give you the actual url
  • Search "Redacting URLs as an email-phishing preventative?" in Google
  • See last active question
  • hotel tango tango papa sierra colon double slash sierra echo charlie uniform romeo india tango yankee dot sierra tango alpha charlie kilo echo xray charlie hotel alpha november golf echo dot charlie oscar mike slash quebec uniform echo sierra tango india oscar november sierra slash two one five eight seven one slash romeo echo delta alpha charlie tango india november golf dash uniform romeo lima sierra dash alpha sierra dash alpha november dash echo mike alpha india lima dash papa hotel india sierra hotel india november golf dash papa romeo echo victor echo november tango alpha tango india victor echo
  • Url sent in an attachment

Note that some malicious mails already use urls in attachments as a way to [attempt to] bypass email filters. You might think "I will just strip urls from attachments, too", but that will cause havoc when the documents your users receive get silently corrupted by the email system's redaction. The formatting may possibly break everywhere, too. Not to mention that such an endeavor might require you to be able to (properly) recognize and edit almost every existing file format.

Additionally, your legal department will probably bar you completely from modifying the invoices (received as email attachments), no matter how innocuous the edit.

Also things like recovery links for forgotten passwords would not work at all for your users, either.

But IMHO the main problem would be that the users would be "trained" to do all kinds of weird workarounds; a "hidden url" that made them go through such hoops would not raise any suspicion at all.

(And as noted by Joseph Sible, your antispam filter would not be able to examine the obfuscated urls)

Some examples:

  • Make the user search "StackExchangeBank blocked credit card" on Google. Then make a phishing page for the StackExchangeBank appear at the top by using uncommon words, or even buying ads.
  • If you call me so I give you the url that would be otherwise filtered, I can send you to a phishing page, adding some live social engineering to make it more credible than just a plain email.
  • Send them through a url shortener. The user will have no idea where they are being sent.
  • The n-th question on the list would obviously change, so it would not guarantee that the user arrives at the "legitimate" question you asked; instead they would vote on a different question "impersonating" the one they were expected to reach.

A much saner approach would be to change the urls to go through a redirecting service of yours. Some email security filters already do that. This way they can check, when the user clicks the link, whether it is listed on a blacklist (where it might not have been when the email was received), and thus block the access. You might also have it show a Big Scary Warning that they are Not going to a safe website, the moment they try to reach a not-whitelisted site (only those they have credentials to, supposedly). And still, such an approach would be somewhat flawed, since the users will actually have credentials to more sites than those whitelisted at the proxy to not show the warning, and legitimate sites often decide to put out content of theirs on a new domain (which wouldn't appear on the whitelist, obviously). If there are too many false positives, users will end up paying little attention to them, as it would be 'normal' to receive them.

A. Hersean
Ángel
  • 5
    In the line of proxies, I would note that it is not uncommon for companies to proxy *all* web traffic, not only e-mail links. For example, my previous work-place would prevent accessing certain categories of websites: hacking, gambling, etc... Combined with a root certificate installed on all company-provided computers, they would be able to display a webpage mentioning why the website was blocked and the procedure to ask for either a complete lift of the block or for an exemption for a particular user or group of users. Doing so means that there is no need to change links in e-mails. – Matthieu M. Aug 25 '19 at 12:16
  • 1
    (1) you don't need any question text for SX; [scheme:]security.stackexchange.com/q/215871 is enough. Or security.stackexchange.com/q/215871/free-super-sexy-cat-videos! to reach/motivate a different audience. (2) and for _signed_ emails or attachments, after redaction users won't even be able to open them because of Big Scary Warning "this message/data apparently forged -- do not believe it or act on it" – dave_thompson_085 Aug 25 '19 at 15:36
  • @dave_thompson_085 Not sure why you are mentioning (1), I used it on the "Go to security SE question 215871" option. Sadly, I don't think many people _verify_ signed emails or attachments (probably not even at xkcd 1181), and I am counting automatic verification by the applications. Errors due to broken files after getting redacted are probably more likely. – Ángel Aug 25 '19 at 16:54
  • all the examples you give are a usability nightmare. How many people actually know what to do with `bitly 2ZoZiTS`? And how many actually do it, as opposed to simply click a link? – njzk2 Aug 25 '19 at 18:29
  • 24
    hehe. The point is that the OP would be making the emails have no links, so his users would _get creative_. I actually find `bitly 2ZoZiTS` to be one of the more usable options I gave, and find it likely it would get adopted in such an office. (PS: did you read the first line of my answer?) – Ángel Aug 25 '19 at 18:36
  • `attacks designed to suir such systems would probably be even more effective.` What makes you think so? – Joelty Aug 26 '19 at 13:01
  • @Ángel You can always exclude "internal" people from that protection due to obvs reasons. So you'd still have decent usability and missclick protection. – Joelty Aug 26 '19 at 13:03
  • 1
    Sorry @Joelty. It should have said "suit", not "suir". I was referring to a phishing that was designed for the people who are in that environment. By [Kerckhoffs's principle](https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle), assume that an attacker knows perfectly how you are stripping the urls and what methods employees are using instead, as well as if he was an employee himself (note it would probably not be hard to get someone from this large organization to rant about what you were doing). – Ángel Aug 26 '19 at 22:40
  • 1
    @Joelty excluding emails originated inside the organization from this stripping would remove such annoyance from 80-90% of the mail volume. Still, there will be communications with clients, providers, etc. A phishing email does not try to pose as an internal mail, so while being a less drastic measure, I'm not convinced it would still be appropriate. – Ángel Aug 26 '19 at 22:45
  • I agree that it's not a good idea, but mostly for other reasons than those described in the answer. The answer clearly demonstrates that the usual phishing attacks were, indeed, thwarted, and now only spear phishing will work. The problems are that you shouldn't touch email content in transit. At all. If you do, you'll ruin the email system's credibility (often the only reasonable way to get something "in writing"), and your employees will hate you for making their life more difficult. – Bass Aug 27 '19 at 06:11
23

This isn't a good idea. First of all, "somewhat inconvenient" is a huge understatement. Also, AviD's rule of usability applies here: instead of URLs that computers understand, you'll have instructions on how to type in a URL, which will foil the ability of email scanners to detect that the URL goes to a phishing site.

  • 16
    Great answer. Type in `www (dot) evilattacker (dot) com / malware (dot) exe` to see my full comment. –  Aug 24 '19 at 21:40
  • 2
    @Joseph Sible: Don't agree. Any instructions on how to form a URL eventually need an actual URL to be entered into a browser's address bar, after being worked over by the user, where security software (the equivalent of the email scanner you mention) can operate. What I'm trying to avoid is mindless clicking. – Marc Rochkind Aug 24 '19 at 22:27
  • The bumper-sticker comment "Security at the expense of usability comes at the expense of security" just isn't true. For example, if I try to access a corporate system from a computer in a hotel business center (very usable), I won't be able to because the appropriate VPN software isn't installed. Similarly, when my financial advisor sends me a document, I can't just read it. I have to login to some website to read it. Or, an even simpler example: A laptop with no user password set, so all you have to do to use it is turn it on. – Marc Rochkind Aug 24 '19 at 22:37
  • 2
    @MarcRochkind The point of that quote isn't that security isn't important. Normal security is fine; it's only paranoid/overboard security that drives people to find "workarounds" for it (like removing URLs) that's bad. – Joseph Sible-Reinstate Monica Aug 24 '19 at 23:29
  • 1
    @MarcRochkind And in fact, a laptop with no password is more secure than one with an easily guessable password, as Windows will by default reject all non-local authentication attempts to an account with no password, but allow them to an account with an easily guessable password. – Joseph Sible-Reinstate Monica Aug 24 '19 at 23:30
  • @Joseph Sible: I was thinking of a simpler case, such as when one's spouse opens one's laptop and "accidentally" sees Stuff-That-Should-Not-Be-There. – Marc Rochkind Aug 24 '19 at 23:35
  • @MechMK1: The problem with text such as "www (dot) evilattacker (dot) com / malware (dot) ex" is that it interferes with spoofing. The phishing email needs to look clean. If the email says "You need to login to Amazon and change your password," that is perfectly OK and doesn't represent phishing, since the reader of the email is responsible for figuring out how to login to Amazon. (He or she does it the normal way, most likely with a bookmark.) At worst, his or her password gets changed unnecessarily. – Marc Rochkind Aug 24 '19 at 23:38
  • 11
    @MarcRochkind You don't see the big picture. Your scheme may prevent trash-level spam like "Hello this is microsft pls send cc info or ur Pc will be closed thank u", but any kind of targeted attack will still bounce off. In all likelihood, users will probably find some workaround on how to exchange links, because that's what users are best at. But I feel like all the industry wisdom in the world can't convince you that your approach is flawed, so I might as well not bother. –  Aug 25 '19 at 12:10
  • 4
    @MarcRochkind Your comment about the laptop is interesting. On its face, it would seem like a laptop with a password is at least as secure as one without, since the worst the user can do is write the password on a sticky note stuck to the laptop. However, the user that does that probably also uses the same password for multiple sites, so that user would be better off without the password on their laptop (or, you know, with training and administrative controls about insecure password storage and reuse). – IllusiveBrian Aug 25 '19 at 22:37
  • @MechMK1 ? `Your scheme may prevent trash-level spam like "Hello this is microsft pls send cc info or ur Pc will be closed thank u", but any kind of targeted attack will still bounce off. ` Which probability is higher: being attacked in a mass spam attack or targeted by X who knows how your internal system actually works? – Joelty Aug 26 '19 at 12:59
  • 1
    @Joelty Pretty much any application designed to detect and mark phishing attempts in e-mails will be able to detect those. This is not really a good benchmark. It's like saying a car is great because it's faster than a turtle. –  Aug 26 '19 at 13:04
  • 1
    @MarcRochkind "Any instructions on how to form a URL eventually need an actual URL to be entered into a browser's address bar, after being worked over by the user, where security software [...] can operate" - How is this different than clicking on a link? If "security software" is only on manually entered URLs then it should be running on ALL URLs. If clicking a link is bypassing that, then I think you've got a bigger problem – Vlad274 Aug 26 '19 at 13:59
  • 1
    @Vlad274 The idea is that if the security software sees the suspicious URL in the email, it can use that knowledge to block the email as spam. If it doesn't see the URL until the user read the email and typed it in, now it's obviously too late to block the email as spam. – Joseph Sible-Reinstate Monica Aug 26 '19 at 14:55
  • 3
    @MarcRochkind Except... with your scheme, that user will *never be able to change their password*, since you'll be filtering out those reset links. Additionally, most or all solutions you'll come up with to filter out the URLs will fail to filter out a url which *looks* like a normal URL but has extra (non-displaying) html in the middle (which will show up to the user as a copy-paste-able url, but isn't a link because of the extra html shoved in there). – Delioth Aug 26 '19 at 20:09
7

In addition to humans being able to describe URLs in English to work around the filter, this would break all sorts of automated e-mail verification, account check, and password reset systems that rely on you being able to receive a URL sent by e-mail in order to verify ownership of the address. Some of these systems provide a code that can be copy-pasted into a form, but many provide only a URL.

Your users under this system would not be able to open new accounts at a variety of web sites, and might be locked out of their existing accounts as soon as the service provider demands e-mail verification for e.g. logging in on a new device.

interfect
0

(Disclaimer: I work on one of the top email security solutions. This post is intended to be vendor-neutral.)

At least the leading two enterprise-grade email security gateways offer the ability to rewrite URLs through an extra layer of security run at the time a user clicks the link. This is a safer approach than completely redacting the link. These solutions incorporate extra security checks as well as reporting for remediation in the event that one of the clicked links ends up being malicious, allowing your infosec team to perform damage control.

You could implement a poor-man's version of this by setting up your own URL Shortening service, rewriting links from suspected phish (or everything, though that may annoy your users) and checking the mapping against URI DNSBLs either during the redirection or else periodically with a cron job.

As Ángel's answer states, rewrites only work for URIs your system can recognize. This will never be comprehensive, but hopefully it's a very close match to what your users' mail clients will render as clickable links.

Adam Katz
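The redirect-and-check-at-click-time approach from Ángel's answer and the "poor-man's URL shortener plus DNSBL" variant in Adam Katz's answer share one shape, shown below as an added example (not code from either answer or from any vendor product). It rewrites each URL in a delivered message to a token under a hypothetical redirector prefix, keeps the token-to-URL mapping, and decides at click time whether to forward or block. The blocklist is a constructed in-memory set standing in for a URI DNSBL query, and all hostnames are made up; `sweep()` is the periodic re-check that catches targets listed only after delivery, and the click log lets you find users who already followed such a link.

```python
import re
import secrets
from urllib.parse import urlsplit

# Plain-text URL matcher; anything it does not recognise is left as-is and therefore
# never rewritten, which is the limitation Adam Katz's answer points out.
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)

# Constructed stand-in for a URI DNSBL: the set of listed domains "right now".
# A real deployment would query the DNSBL (or a vendor feed) here instead.
INITIAL_BLOCKLIST = {"evil-example.test"}


def domain_is_listed(host: str, blocklist) -> bool:
    """Check the host and each parent domain against the list, the way a
    URI DNSBL lookup walks upward from a subdomain (www.x.test -> x.test)."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


class ClickTimeRewriter:
    """Replace every URL in a message with a link to our own redirector,
    remember the mapping, and decide at click time whether to forward."""

    def __init__(self, redirect_base="https://links.city.example.test/r/", blocklist=None):
        self.redirect_base = redirect_base  # hypothetical redirector prefix
        self.blocklist = set(INITIAL_BLOCKLIST if blocklist is None else blocklist)
        self.mapping = {}   # token -> original URL
        self.clicks = []    # (token, verdict) audit trail for remediation

    def rewrite(self, body: str) -> str:
        """Mail-delivery step: swap each URL for an unguessable redirect token."""
        def replace(match):
            token = secrets.token_urlsafe(9)
            self.mapping[token] = match.group(0)
            return self.redirect_base + token
        return URL_RE.sub(replace, body)

    def tokens_in(self, body: str):
        """Tokens present in an already rewritten body (for logs and tests)."""
        return re.findall(re.escape(self.redirect_base) + r"([A-Za-z0-9_-]+)", body)

    def resolve(self, token: str):
        """Click-time step: ('allow', url), ('block', url) or ('unknown', None)."""
        url = self.mapping.get(token)
        if url is None:
            return ("unknown", None)
        host = urlsplit(url).hostname or ""
        verdict = "block" if domain_is_listed(host, self.blocklist) else "allow"
        self.clicks.append((token, verdict))
        return (verdict, url)

    def sweep(self):
        """Periodic re-check (the cron-job variant): tokens whose target is listed
        now, even if it was clean when the mail was delivered."""
        return [t for t, u in self.mapping.items()
                if domain_is_listed(urlsplit(u).hostname or "", self.blocklist)]


if __name__ == "__main__":
    rw = ClickTimeRewriter()
    # Constructed message body.
    body = ("Report: https://city.example.test/report.pdf\n"
            "Login: https://evil-example.test/login\n")
    rewritten = rw.rewrite(body)
    print(rewritten)
    for token in rw.tokens_in(rewritten):
        print(token, rw.resolve(token))
    print("listed after delivery:", rw.sweep())
```

Two design points worth noting: the token is random rather than a hash of the URL, so a recipient cannot reconstruct the target without the mapping, and the verdict is recomputed on every click rather than cached, which is what makes a later blocklist addition effective against mail already sitting in inboxes.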