MacNN Forums (http://forums.macnn.com/)
-   Mac OS X (http://forums.macnn.com/mac-os-x/)
-   -   Specific MacOSX/Mail security question.... (http://forums.macnn.com/90/mac-os-x/498349/specific-macosx-mail-security-question/)

 
Hawkeye_a Feb 22, 2013 08:14 PM
Specific MacOSX/Mail security question....
I got a question regarding a bogus email I received. (I know it's bogus because I had used a different email to register for the service). So this is obviously someone else masquerading as the service....

There are links in the email. I didn't click on any of them, but I was hovering over one of them to check out what the link is. MacOSX Mail started loading the "preview" of the link for some reason in a 'comic bubble'. I immediately quit Mail.

Is there any harm that could have been done to my machine via Mail attempting to load the link in the email? I'm not sure what sort of things can be accessed or changed via a webpage? If someone could shed some light on this sort of thing, it would be much appreciated.

I already know to not install anything, or go to a link in suspicious emails and enter any login credentials, etc. But I was wondering if simply loading a webpage could do any harm?

Cheers
 
tightsocks Feb 22, 2013 08:33 PM
Quote, Originally Posted by Hawkeye_a (Post 4218913)
But I was wondering if simply loading a webpage could do any harm?
I'm sure others will say a definitive, 'No.'
But I would say that we just don't know.

It is certainly conceivable that a bug with a 0day exploit exists in the way that Mail displays website previews and that the page that was shown contains exploit code.
Is it likely - probably not.
Did it actually happen that the previewed site had such exploit code - there is no way to know.
 
Hawkeye_a Feb 22, 2013 08:49 PM
For the sake of information, let's assume the worst.

What could be the result? Put another way, what could they do? How does one detect it?
 
tightsocks Feb 22, 2013 11:25 PM
Quote, Originally Posted by Hawkeye_a (Post 4218916)
For the sake of information, let's assume the worst.

What could be the result?
Arbitrary code execution - Wikipedia, the free encyclopedia

Quote
Put another way, what could they do?
Anything.

Quote
How does one detect it?
I guess you could run a virus scanner, although depending on if the resulting malware is known or not it may not be detected.
 
reader50 Feb 23, 2013 01:54 AM
Go into your Mail preferences and turn off preview loading. Under the Viewing pref tab, you can turn off Display of Remote Images. You're using a later version of Mail than I have, so I don't know where the option is to turn off link previews, but there will be one somewhere.

If there's an undiscovered bug in Mail, preview-loading could result in arbitrary code execution. This is unlikely, and you quit Mail immediately (the correct move if that were happening). So I'd rate this as very unlikely.

However - if the link contains a unique variable, then loading it confirms your email address with the spammers. And gives them your current IP address at time of previewing. This might give them an approximate physical location (nearest city).

If you turn off previewing in Mail prefs, then you can hover over the link again and check for variables after the main link address.

Assuming a unique variable is present, the most likely consequences: more spam. And possibly targeted based on your geographic location. If people are buying more cars or bedtime meds in your area, you may get more ads for those products. If escorts are popular in the nearest city, you may get offers and pictures of employees. Etc.
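The check described in the post above (looking for per-recipient variables after the main link address) can be done on the saved message source without rendering anything. This is an added example, not part of the original thread; the sample message, host names and the 16-character threshold for "opaque token" are constructed assumptions.

```python
import base64, hashlib, html, re
from email import message_from_string
from urllib.parse import parse_qsl, urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
OPAQUE_RE = re.compile(r"^[A-Za-z0-9_-]{16,}$")  # assumed threshold for "looks like a token"
# Constructed sample message (hosts and values are made up for illustration).
SAMPLE = """\
From: "Example Service" <noreply@service.example>
To: alice@example.com
Subject: Please verify your account
Content-Type: text/html; charset="utf-8"

<a href="http://login.service-example.test/verify?uid=alice%40example.com&amp;lang=en">Verify</a>
<a href="http://login.service-example.test/u?t=3f9a1c0b7e2d4a6f8b1c9d0e">Unsubscribe</a>
<img src="http://img.service-example.test/o.gif?r=YWxpY2VAZXhhbXBsZS5jb20">
"""

def address_encodings(addr):
    """Forms in which a sender may embed the recipient address in a link."""
    raw = addr.lower().encode()
    return {
        addr.lower(): "recipient address",
        base64.urlsafe_b64encode(raw).decode().rstrip("="): "base64 of recipient address",
        hashlib.sha256(raw).hexdigest(): "SHA-256 of recipient address",
    }

def classify(value, encodings):
    """Return why a query value identifies the recipient, or None."""
    for needle, label in encodings.items():
        if needle in value or needle in value.lower():
            return label
    return "opaque token, possibly unique per recipient" if OPAQUE_RE.match(value) else None

def find_tracking_params(raw_message, recipient):
    """Return (host, parameter, reason) for each suspicious query parameter."""
    encodings = address_encodings(recipient)
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and attachments
        body = html.unescape(part.get_payload(decode=True).decode("utf-8", "replace"))
        for url in URL_RE.findall(body):  # links and remote image sources alike
            split = urlsplit(url)
            for key, value in parse_qsl(split.query, keep_blank_values=True):
                if reason := classify(value, encodings):
                    findings.append((split.hostname, key, reason))
    return findings
```

Run it against the raw source of the message (in Mail, View > Message > Raw Source), which shows the links without fetching them.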
 
Hawkeye_a Feb 23, 2013 02:07 AM
Quote, Originally Posted by reader50 (Post 4218925)
Go into your Mail preferences and turn off preview loading. Under the Viewing pref tab, you can turn off Display of Remote Images. You're using a later version of Mail than I have, so I don't know where the option is to turn off link previews, but there will be one somewhere.

If there's an undiscovered bug in Mail, preview-loading could result in arbitrary code execution. This is unlikely, and you quit Mail immediately (the correct move if that were happening). So I'd rate this as very unlikely.

However - if the link contains a unique variable, then loading it confirms your email address with the spammers. And gives them your current IP address at time of previewing. This might give them an approximate physical location (nearest city).

If you turn off previewing in Mail prefs, then you can hover over the link again and check for variables after the main link address.

Assuming a unique variable is present, the most likely consequences: more spam. And possibly targeted based on your geographic location. If people are buying more cars or bedtime meds in your area, you may get more ads for those products. If escorts are popular in the nearest city, you may get offers and pictures of employees. Etc.
Thanks for your reply and detailed explanation, I really appreciate it. It did have a unique identifier in the query string of the link (my email id), and I have received another email from them already.

I'm looking for that preference in Mail right now. I didn't even know Mail had the ability to load previews of links, which is extremely frustrating and quite frankly an unwanted security risk.

Cheers for the info.
 
Waragainstsleep Feb 23, 2013 03:49 PM
You say this link was masquerading as a service you are signed up with already. Presumably a well-known service. Most likely explanation is that this was a phishing attack, which doesn't generally make much use of running code locally or even of known bugs or exploits. The vast, vast majority of phishing attacks are more like social engineering. Their aim is to trick you into handing over your username and password to a well-known service of which you are already a member. In terms of gain for the phishers, the best sites to spoof are financial. Your bank or PayPal probably being top of their lists. After those they are really just relying on you using the same credentials for all the sites you use so they get one password from you and then they can try it on financial sites where they can steal your bank details, empty your accounts or spend on your credit cards.

It's certainly possible that some kind of exploit or malware can be triggered by loading a page inadvertently but if you have Mountain Lion, the default security setting won't install anything that doesn't come from a trusted (App Store) developer which rules out a lot of malware. There is also the fact that most malware is still built for Windows and won't work on your Mac anyway. We include the possibilities of your machine being added to a botnet, or infected with a keystroke logger for the sake of completeness, but the chances are very, very slim. If you're worried grab one of the free AV apps from the App Store and scan your system for peace of mind but I don't think you have a lot to worry about.
 
Waragainstsleep Feb 23, 2013 04:23 PM
Oddly I can't find out how to turn that preview feature on in my copy of Mail. You can turn remote html images off under the viewing preferences but I can't find anything about full page previews.
 
Hawkeye_a Feb 23, 2013 06:14 PM
It was a phishing attempt. I am running Lion. Being added to a botnet or having a key logger running is the sort of thing which worries me, especially the latter. Is it even possible to install that sort of thing covertly by visiting a webpage?

I've taken an extra precaution of attaching a change-event script to the LaunchDaemon and LaunchAgent folders on my system, and even locking the user LaunchAgent folder. Presumably (and maybe you can shed some light onto this), if there was some malware, it would have to be launched from a link in one of those folder(s) on startup/login. So unless those malware daemons are auto launched, it should be safer? (essentially preventing the 'client' malware from launching and communicating with the server?)
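A baseline-and-compare check over the launchd folders mentioned in the post above, recording what each job would actually run. This is an added example, not the poster's script; the baseline file location is a hypothetical choice, and the folder list is the standard per-machine and per-user launchd locations.

```python
import hashlib, json, os, plistlib

LAUNCHD_DIRS = [
    "/Library/LaunchDaemons",
    "/Library/LaunchAgents",
    os.path.expanduser("~/Library/LaunchAgents"),
]

def snapshot(dirs=LAUNCHD_DIRS):
    """Map each .plist path to (sha256, command line launched, RunAtLoad)."""
    state = {}
    for folder in dirs:
        if not os.path.isdir(folder):
            continue
        for name in sorted(os.listdir(folder)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                data = fh.read()
            try:  # plistlib reads both XML and binary property lists
                job = plistlib.loads(data)
                argv = job.get("ProgramArguments") or [job.get("Program", "?")]
                info = (" ".join(argv), bool(job.get("RunAtLoad", False)))
            except Exception:  # malformed or unexpected plist: still record its hash
                info = ("<unparseable plist>", False)
            state[path] = (hashlib.sha256(data).hexdigest(),) + info
    return state

def diff_snapshots(baseline, current):
    """Report job definitions added, removed or modified since the baseline."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in both if baseline[p][0] != current[p][0]),
    }

if __name__ == "__main__":
    store = os.path.expanduser("~/.launchd_baseline.json")  # hypothetical location
    current = snapshot()
    if os.path.exists(store):
        with open(store) as fh:
            print(json.dumps(diff_snapshots(json.load(fh), current), indent=2))
    else:
        with open(store, "w") as fh:
            json.dump(current, fh)
```

Login items, cron jobs and the /System/Library launchd folders are other start-up locations that this check does not cover.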
 
Hawkeye_a Feb 23, 2013 06:15 PM
Quote, Originally Posted by Waragainstsleep (Post 4218969)
Oddly I can't find out how to turn that preview feature on in my copy of Mail. You can turn remote html images off under the viewing preferences but I can't find anything about full page previews.
I couldn't find anything to turn off previews, so I turned off the html images thing and switched it to classic view, so no email opens unless I double click on it.
 