PSB Infection Alerts include malicious content

NickJ

Hello,

 

When the PSB portal sends an infection alert email message to an administrator, it can include some malicious content.

 

I have seen a case where PSB Workstation has blocked an exploit kit (excellent), but the portal has then emailed the malicious URL to the PSB Admin in an infection alert, where it has been clicked again.

 

Sending malicious URLs in an email alert is clearly dangerous, and there are a couple of easy ways to remove/reduce the danger (I've seen both used by other security products):

1. Obfuscate the malicious URL so it cannot be easily/accidentally clicked (e.g. http://malicious.com could be hxxp://malicious.com so it will not load in a browser until the admin manually modifies the URL)

2. Direct the alert recipient to the portal if they require further details

 

In the infection reports tab in the portal, the malicious URLs are not rendered as hyperlinks so an administrator has to consciously copy/paste the URL to visit the page.

 

In the email alert, the malicious URL is a hyperlink which is dangerous as inexperienced administrators may click these URLs either deliberately or accidentally.

 

If F-Secure agree that emailing malicious hyperlinks to customers is dangerous, could either of the above changes be implemented?

 

Thanks,

 

Nick
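
The obfuscation suggested in option 1, as an added example that is not part of the original post and is not F-Secure's fix. It goes one step beyond `hxxp://` by also bracketing the dots in the host, since mail clients can auto-link bare host names as well; the function names and the sample alert text are constructed for illustration.

```python
import re

# Scheme-prefixed URLs, matched anywhere in the text so that a URL embedded in
# another URL's query string (?next=https://...) is rewritten too.
# The host runs up to the first "/", "?", "#", quote, bracket or whitespace.
_SCHEME_URL = re.compile(r"(h)(tt)(ps?://)([^\s/?#<>\"']+)", re.IGNORECASE)
# Bare "www." hosts, which many mail clients also turn into links.
_BARE_WWW = re.compile(r"\bwww\.[^\s/?#<>\"']+", re.IGNORECASE)


def _defang_host(host: str) -> str:
    # malicious.com -> malicious[.]com; the path and query are left readable.
    return host.replace(".", "[.]")


def defang(text: str) -> str:
    """Rewrite every URL in an alert body so it cannot be clicked or auto-linked."""
    def scheme_url(m: re.Match) -> str:
        h, tt, tail, host = m.groups()
        xx = "XX" if tt.isupper() else "xx"  # keep the original letter case
        return f"{h}{xx}{tail}{_defang_host(host)}"

    text = _SCHEME_URL.sub(scheme_url, text)
    return _BARE_WWW.sub(lambda m: _defang_host(m.group(0)), text)


def has_autolinkable_url(text: str) -> bool:
    """Pre-send check: True if the body still contains something a mail client would link."""
    return bool(_SCHEME_URL.search(text) or _BARE_WWW.search(text))


# Constructed sample alert body (not real PSB portal output).
SAMPLE_ALERT = (
    "Infection alert (constructed sample)\n"
    "Host: WKS-017\n"
    "Blocked URL: http://malicious.example/landing.php?id=1"
    "&next=https://cdn.malicious.example/x\n"
    "See also www.malicious.example/gate\n"
)

if __name__ == "__main__":
    print(defang(SAMPLE_ALERT))
```

Running `has_autolinkable_url` on the outgoing body just before sending gives a simple regression check that no clickable URL slips back into an alert template.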

 

Comments

  • [Deleted User]

    Hello NickJ,

     

    Thank you for bringing this to our attention. Our R&D has already confirmed this situation and we will fix this issue with high priority, and release it as part of the next release.

     

    Conclusion on the issue: Some email readers change the URL to a clickable link, which was not intended initially.

     

    We will create a known issue article about this which you can follow to be informed when the issue is fixed. I'll update this article with the link.

     

     

  • NickJ
    Hi Valterri,

    Thanks for the quick response, I'm really glad to hear that F-Secure will be able to do something about this so quickly.

    Nick
  • PetriKuikka

    The fix for this problem is already deployed to the emea2 portal. The rest of the portals will receive it during next week.

     

    Petri

This discussion has been closed.