A security problem caused by e-mail marketing services

E-mail marketing services such as MailChimp are useful, but recipients cannot tell the difference between a link to a reputable website and a link to a website that installs malware.

"Most viruses, Trojan horses, and worms are activated when you open an attachment or click a link contained in an email message" (www.us-cert.gov/publications/virus-basics).

"Some phishing emails are very competently executed to the extent that they are impossible to tell apart from genuine emails just by inspection" (www.ncsc.gov.uk/blog-post/im-gonna-stop-you-little-phishie).

Many organizations use a marketing service to send e-mails. Usually, each link in the e-mail has one of these structures:

OrganizationName.MarketerURL
MarketerURL/OrganizationName

Examples:

http://www.mmsend3.com/spacer.cfm?tracking_id=3759072...
https://visitor.constantcontact.com/do?p=un&m=001D... 
http://r20.rs6.net/tn.jsp?f=001gRwP...
https://cornell.us13.list-manage.com/track/click?u=f779b9...
http://mailchi.mp/writethedocs/write-the-docs-newsletter-november-2017?e=ef5...
https://writethedocs.us6.list-manage.com/track/click?u=94377ea4...

Usually, the e-mails do not have a digital signature. Thus, when you receive an e-mail that seems to come from an organization that you trust but whose links do not point to the organization's URL, you cannot be sure that the links are safe.
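The check described above can be automated on the receiving side. The following Python sketch is an added example, not part of the original page: it classifies each link by whether its host is under the sender's own domain or only carries the organization's name as a subdomain label or path segment of another host. The function names, the sender domains (cornell.edu, writethedocs.org, example.org) and the own-domain URL are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

def base_domain(host):
    # Naive "registrable domain": the last two labels. Assumption for this
    # sketch; production code should consult the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify_link(url, sender_domain):
    """Return how a link's host relates to the sender's own domain."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    org_base = base_domain(sender_domain)
    org_label = org_base.split(".")[0]  # e.g. "cornell" from cornell.edu
    if host and base_domain(host) == org_base:
        return "organization"
    # OrganizationName.MarketerURL: the name is only a subdomain label;
    # the host itself belongs to someone else.
    if org_label in host.split(".")[:-2]:
        return "third-party-subdomain"
    # MarketerURL/OrganizationName: the name is only a path segment.
    if org_label in [s.lower() for s in parts.path.split("/") if s]:
        return "third-party-path"
    return "third-party-opaque"

def unverifiable_links(links, sender_domain):
    """Links whose host is not under the sender's domain."""
    return [u for u in links
            if classify_link(u, sender_domain) != "organization"]

# (link, assumed sender domain). The first three links are copied from the
# examples on this page, truncated as shown there; the last is constructed.
SAMPLE = [
    ("https://cornell.us13.list-manage.com/track/click?u=f779b9...", "cornell.edu"),
    ("http://mailchi.mp/writethedocs/write-the-docs-newsletter-november-2017?e=ef5...",
     "writethedocs.org"),
    ("http://r20.rs6.net/tn.jsp?f=001gRwP...", "example.org"),
    ("https://www.cornell.edu/about", "cornell.edu"),
]

if __name__ == "__main__":
    for url, sender in SAMPLE:
        print(f"{classify_link(url, sender):22} {sender:18} {url}")
```

A result other than "organization" does not mean the link is malicious; it means the URL alone gives no evidence that the organization controls the destination.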
