No-Click Phishing On The Way
An anonymous reader writes "MessageLabs has discovered a pretty nasty - though fairly crude - phishing scam which doesn't even require recipients to click on a link in order to hand over personal data.
Simply opening the email is enough to activate a script which 'lies in wait for its victim' according to one report. The script rewrites the host files of the machine and directs users to a fake web page the next time they legitimately attempt to access an online banking page. ... However, this will only affect users who have Windows Scripting Host enabled and certain ActiveX controls, according to MessageLabs."
are people that are, for example, at work, and can't turn off Windows Scripting Host and certain ActiveX controls? Not open emails? Surely there should be a solution to this.
When anger rises, think of the consequences.
Confucius (551 BC - 479 BC)
I ssh into my ISP and use pine to read email. Been doing it this way for over 10 years. Some people find this a bit quaint, but I don't have to worry about any worm/virus/phishing issues.
This is what happenes when applications try to do more than what they are supposed to do. An email client is just supposed to read and send messages. All "dynamicness" and interactivity must be left to the appropriate programs. And this is exactly where *NIXes excell. You can't do a scripting exploit in 'mail' - Why? Because you can't do scripting. Let the current do-eveything software industry led by Microsft be a lesson to all programmers. Let's keep our programs simple. Let's continue the UNIX philosophy of one program for one task.
Very true. Just recently I discovered that a business partner (telecom industry) has begun rejecting HTML email. I wonder if that policy will survive?
UNIX/Linux Consulting