Fox Says Web Bugs = Virus Risk

Bonker writes: "Fox News is printing an expose on 'Web Bugs' used in concerto with HTML-mail spam. Along with outlining the dangers and the methods that Web bugs use to gather information, CERT's Jeff Havrilla is quoted as saying that these are pretty much ripe for illegally malicious activities, such as virus propagation. Harvilla says that Web Bugs would allow malicious virus creators to 'target' systems. Scary, wot?" *sigh* I can't even begin to describe how much the story irritates me - yes, there's truth to it. But it's more then just simple Web bugs - it's any sort of URL, given that you could create a unique URL for each spam. Take out the scare portion of the article, and just use the bottom line - don't click on spam URLs.

Re:URLS and advertising

[Coward,+Anonymous]

Advertisers brought us magazines, daily newspapers, radio theater

That's because they were paid by advertisers. With spam, nobody is paid to carry the ad, thus nothing is funded by the advertiser. Magazine advertisers pay magazine publishers who give us magazines, television advertisers pay television companies who give us television, spammers pay nobody so we get nothing. Spam isn't going to bring us anything, because spammers don't pay anyone.

But email bugs ARE a serious risk

[fv]

While Hemos says "just use the bottom line - don't click on spam URLs", he misses the point. The insidious nature of these emailed "web bugs" is that they DON'T requre any clicking. Spammers hide the information in the URL of an invisible image which is automatically loaded by (stupid) HTML-based mail readers. Every time you open the message, the sender is notified and generally logs the time, location (IP) and email address of the person reading the email. They also frequently set an HTTP cookie so they can cross reference future browsing activity with your email address (which they know because they sent you the spam).

Making matters worse, these email bugs have moved beyond the domain of "get-rich quick" and porn spam. Even companies you might consider legitimate have been doing this. One would think financial institutions would be particularly concerned about privacy, but I have found email bugs lurking in mail from both E*Trade and American Express.

While these bugs aren't very effective against those of us who use pine, mutt, etc., they set a dangerous precedent. If users tolerate applications retrieving untrusted data from the net without notification or permission, we could see even worse abuses like this in the future.

Unfortunately pressuring application vendors to respect our privacy is not always fruitful. And with closed-souce applications, you often have no idea what they are up to. I was glad to see that some of the Windows "personal firewall" programs such as ZoneAlarm offer features that alert users to unexpected outgoing connections made by applications. Users can define notification policies based on their own privacy concerns. I haven't run across similar software for Linux, although it wouldn't be hard to write. And it isn't quite as important on Linux since fewer users download/buy untrusted binary-only programs.

Cheers,
Fyodor

Concerned about your network security? Try the Free Nmap Security Scanner.