Thanks Amazon and Google!

If you're a phisher, your basic strategy is to convince the victim that he's talking to some site he regularly does business with. Now, you can't control the user's experience when he's talking to the legit site, so what you do instead is make the experience you provide as much like the legit site as possible, hence tools for mirroring the site you're impersonating. If you're a potential victim of impersonation, you want to get the user into the habit of not trusting indicia that the phishers can easily imitate. To that end, you might want to tell your users not to click on URLs they receive in e-mail claiming to be from you. Unless, that is, you're Amazon:
From: Amazon.com Customer Service 
Date: 11 Dec 2006 11:42:28 -0800
Subject: Payment for Your Amazon.com Order (#ORDER-NUMBER-HERE)
To: ekr@rtfm.com
Cc: payment-update@amazon.com

Greetings from Amazon.com.

We're writing to let you know that we are having difficulty processing your
Visa (exp. YYYY/MM).

We will try charging your credit card again shortly. It is not necessary to
place a new order, but you may want to review the payment information for
your order and make sure it is correct and current.

To do this:

1. Go to our home page (www.amazon.com) then click "Your Account" on the
top right menu.

2. Choose the option "Change payment method" (found under "View by Order"
in the "Where's My Stuff" box).

3. After you sign in, you will see all your current open orders. You can
click the "View or change order" button beside any order and make changes.

4. Click "Change" button in the "Payment Information" box beside "Payment
Method." At this point, you may review your current payment method, choose
a different payment method, or enter a new one.

Thanks for shopping at Amazon.com.

Sincerely,
Amazon.com Customer Service
http://www.amazon.com/

Please note: This e-mail was sent from a notification-only address that
cannot accept incoming e-mail. Please do not reply to this message.

Now, this mail has been sent in plaintext (i.e., text/plain) so there aren't any links. (Though you could of course get caught by cutting and pasting out of the message.) Unfortunately, Gmail decided to help me out and turned everything that looks like a domain name or URL into a link. Now, as it happens I had screwed up something with my credit card and this isn't a phishing message, but it just as easily could have been. For extra credit, if you put a link to a different location in your message, Gmail will display it exactly like the links it auto-formats. Outstanding!
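The last point, a link whose visible text names one site while its target is another, is something a mail filter can check for. The following is an added example, not code from the original post: it scans an HTML message body for anchors whose text looks like a domain or URL but whose `href` resolves to a different host. The sample body and the host `payments.example.net` are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text that looks like a bare domain or URL, the same kind of string
# a mail client would auto-link in a text/plain message.
URLISH = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/:?#].*)?$", re.I)

def host_of(text):
    """Return the lowercased host if text looks like a domain/URL, else None."""
    m = URLISH.match(text.strip())
    return m.group(1).lower() if m else None

class LinkAudit(HTMLParser):
    """Collect (visible_host, href_host) for anchors whose text names a host."""
    def __init__(self):
        super().__init__()
        self.href = None      # href of the anchor currently open, if any
        self.text = []        # text fragments seen inside that anchor
        self.mismatches = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href = dict(attrs).get("href") or ""
            self.text = []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        shown = host_of("".join(self.text))
        actual = (urlsplit(self.href).hostname or "").lower()
        # Flag only when the text claims a host and the target is a different one.
        if shown and shown != actual:
            self.mismatches.append((shown, actual))
        self.href = None

def deceptive_links(html_body):
    audit = LinkAudit()
    audit.feed(html_body)
    audit.close()
    return audit.mismatches

# Constructed sample body: one honest link, one whose text and target differ.
SAMPLE = ('<p>Go to <a href="http://www.amazon.com/">www.amazon.com</a> or '
          '<a href="http://payments.example.net/update">http://www.amazon.com/</a></p>')
```

The comparison is an exact host match, so link text of `amazon.com` pointing at `www.amazon.com` would also be reported; a production filter would compare registrable domains instead.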