
A phishing defense?

I just got another spam attempting to get me to divulge financial data to someone other than my financial institution. My email client did not render the prettily-designed HTML of their missive, however. Rather, it just displayed the source code that the phisher used to construct it. What's interesting is that it includes lines like this:

<link href="https://chaseonline.chase.com/echaseweb/common/css/style.css" 
rel="stylesheet" type="text/css"/>

and

<img border="0" src="https://chaseonline.chase.com/content/ecpweb/sso/image/chaseNew.gif">

No wonder people are fooled - the phishers are making it look like an email from the financial institution because they are using the exact same building blocks to make their email that the institution uses in their own.

Which got me wondering - cannot banks like these change the construction of their websites so that they are not composed of publicly-available materials (like images and stylesheets)? I'm not exactly sure how this could be done, but then I wasn't really a backend programmer. Nevertheless, I do think this is likely a solvable problem, perhaps by having these materials reside in a publicly-inaccessible database and served dynamically from a session-specific URL. That way there would not be a static library of these building blocks for phishers to help themselves to when constructing their deceptive emails.
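One way the "session-specific URL" idea above could be implemented, as an added example that is not the author's code or any bank's: the server signs each asset link with an HMAC over the visitor's session id, the asset path and an expiry, and refuses to serve the asset unless the request carries a valid signature for the caller's live session. The domain bank.example, the key, and the session ids are placeholders.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical server-side signing key; a real deployment loads it from a key store.
SERVER_KEY = b"example-signing-key-placeholder"
ASSET_TTL = 300  # seconds a minted asset link stays valid


def _sign(session_id: str, path: str, expires: int) -> str:
    """HMAC-SHA256 over (session, asset path, expiry) so none can be swapped."""
    msg = f"{session_id}|{path}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def asset_url(session_id: str, path: str, now: Optional[int] = None) -> str:
    """Mint a session-bound, expiring link for a static asset such as a logo."""
    now = now if now is not None else int(time.time())
    expires = now + ASSET_TTL
    query = urlencode({"sid": session_id, "exp": expires,
                       "sig": _sign(session_id, path, expires)})
    return f"https://bank.example/assets/{path}?{query}"


def authorize_asset(url: str, current_session: Optional[str],
                    now: Optional[int] = None) -> bool:
    """Serve the asset only if the link was minted for the caller's live
    session, has not expired, and its signature is intact."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        sid, exp, sig = params["sid"][0], int(params["exp"][0]), params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False
    # A phishing email has no session with the bank, so current_session is None.
    if current_session is None or sid != current_session:
        return False
    now = now if now is not None else int(time.time())
    if now > exp:
        return False
    path = parsed.path[len("/assets/"):]
    return hmac.compare_digest(sig, _sign(sid, path, exp))
```

This only defeats hotlinking the bank's live copy; an attacker can still save the image bytes, so it removes the convenience the post describes rather than the possibility.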

I mean, even *I* should not be able to do this:

But at least I'm not out to steal your money…


This page contains a single entry from the blog posted on March 6, 2006 8:14 AM.