Posted by Minal Pithia on Wed, Mar 03, 2010
How do you feel when you lose or forget your iPhone or Blackberry? I asked my friend Sarah the same question and her response was "I would be 'techno-stressed' and sit in a corner and cry". Our phones have become an extension of our body - it's something we need to have on us all the time. Smartphones are all the rage and highly in demand. With the availability of countless apps that make everything available at the click of a button, online shopping, micro-blogging and financial transactions are much easier. This brings us to look at the future of smartphones and the vulnerabilities that come with them.
Did you know that Google ships out 60,000 Android phones every day? That means they send out 21.9 million every year. These phones are in high demand, and critics predict that the new trend for 2010 will be "Mobile Malware". We've already seen potentially malicious mobile apps available via the Apple store and the Android Market. Recently, Google removed about 50 apps from its Android Market, apps that also targeted a few financial institutions. Here at BrandProtect, our Incident Response Team removed unauthorized apps from a website targeting our clients. 10,000s of new apps are submitted every day to these popular app stores, creating a hot spot for the hacking community and leading to more phishing, malware and identity theft. Mobile banking is also growing throughout the world. Recently Barcelona hosted the GSMA Mobile World Congress 2010, where YellowPepper, a leading provider of mobile financial services in Latin America, announced the launch of YellowPepper Mony. "YellowPepper Mony enables financial institutions and corporate clients to deliver secure, convenient and easily accessible financial services to consumers, such as mobile money transfers, international remittances, mobile bill payments and pre-paid cell phone service". This signifies that mobile banking is going to spread fast throughout the world - fraudsters, phishers and malware authors are already putting on their "thinking caps", thinking of ways to turn banking services offered on mobile phones into cash for themselves. While mobile banking is still in its infancy in North America, we know that it will grow fast. CIBC is already one of the first banks in Canada to offer a mobile banking app for the iPhone. Although Canada has a slower adoption rate for mobile banking, as more banks jump on the bandwagon, the masses will follow.
This also brings us to look at the open market available to application developers. For instance, Google and Apple are open to anyone, and many critics fear deficiencies in the vetting process that could let malware apps through. Apple does require that all apps sold in its store are verified and signed by Apple, which gives Apple the power to withdraw the certificate so that no one can install the app anymore. However, with Apple there is also the risk of "jailbreaking", which allows iPhone and iTouch users to run any code on their device without authorization from Apple. Once your iPhone or iTouch is "jailbroken", you can download apps from anywhere; this could lead to malicious content being installed on your phone that can steal all your personal information. Moreover, the vulnerability with the Google Android Market is that it allows anyone to self-sign code "with their own home generated certificates". This also poses security risks, as the signature is only checked upon installation, so once you install a bad app on your phone Google can't take it back.
As we all become dependent on our phones to check our email, make financial transactions and shop online, our "user behavior" also changes. Just like the internet, mobile phones have become a "social device", which makes people more vulnerable to security risks. Do people pay the same attention when opening an email or downloading something on their computer versus their mobile phone?
Smartphone users beware: make no assumptions, ensure physical security - don't leave your phone lying around - and be mindful of malware.
Posted by Dylan Sachs on Fri, Feb 19, 2010
Before the advent of high-resolution security cameras, dye packs and GPS trackers, criminals would simply walk into a branch, pull out their guns, take the money and escape on their steeds. The criminals have evolved. They would then walk right up to the teller, hand them a note, and walk out with a bag full of money, right past blue-haired grandmothers updating their bankbooks and blue-collared workers depositing their paychecks. Technology evolved. So did the criminals. Now, criminals are robbing banks in even easier ways.
Phishing sites, vishing or smishing phone numbers, card skimmers - these tactics all enable the criminals to acquire the precious details they need to defraud financial institutions and their customers of hard-earned dollars without ever leaving their homes. Simply acquiring this information isn't enough for the criminals to start planning their retirement in a non-extradition country - they need someone to actually get the money for them.
Criminals are (typically) quite adept at protecting themselves - whether it be having a safe house, a getaway car, or rigging their hard drives with thermite - to ensure that getting caught doesn't mean hard time. So what is an aspiring fraudster to do these days? Find a Money Mule.
Money mules are typically recruited online, lured unknowingly into the criminal world by the prospect of quick, easy money.
You see the recruiting posts everywhere. Job postings and spam with subject lines of "Work from home!" or "Make $1000/wk CASH!" can seem like a blessing to those desperate in today's harsh economic times.
Once the "employee" (mule) makes contact with the fraudster (who pretends to be a corporation), the mule is instructed to open a bank account exclusively for use by the "corporation." At this point, one of two things happens: either the "corporation" sends the "employee" a legitimate-looking check, or the "employee" forwards the account details to the "employer", who transfers a modest sum of money - maybe a few thousand dollars - into the account. The fraudster then instructs the mule to withdraw 90-95% of the money. Once the cash is in hand, the mule is sent to a Western Union office, where they transfer the money back to the "employer", keeping their 5-10% share as their "salary."
Unfortunately, the only real check this mule is going to get is a reality check. The check provided by the "corporation" is counterfeit, but this only comes to the attention of the mule sometime later on, well after the withdrawal and transfer is completed. Once the bank realizes the check is counterfeit, they reverse the deposit, which then brings the account into overdraft, leaving the mule with a fairly significant debt to the bank. When a direct transfer is made into the account by the fraudster, it comes from a compromised bank account. Once the transfer is reported to the originating bank as fraudulent by the account owner, they reverse the transaction, with the same results - the mule is left on the hook for the debt.
This means that the person without a job is now jobless and in debt, the person struggling to get out of debt is now deeper in it, the retiree's pension check just got much thinner. The bank is upset with the mule, the mule is upset with the "employer," and the "employer" is laughing all the way to the bank (for lack of a better term).
The mule now feels like an ass, having been taken advantage of and victimized as a result of their ignorance and/or greed. To make matters worse, when the "employee" opens an account for their "employer", they are instructed to provide the account details - along with all other common employment information like Social Security/Insurance Numbers, full name/address, etc. to the "corporation". This instantly makes the employee a victim of identity theft, as the fraudster collects this information for sale on the black market (or personal use) later on.
According to the Internet Crime Complaint Center (IC3), money mule handlers have tried to steal $100 million from small- and medium-sized businesses - who knows how much money the mules have lost as a result of these schemes.
Money mule handlers - I'm hesitant to use this term, but the "masterminds" behind these schemes - are good businesspeople. They are only interested in streamlining their business and maximizing their profits. Some are part of larger, real-world criminal organizations/gangs, some operate exclusively in the tubes of the Internet. Regardless, money remains the driving factor, and as banks get hip to the tactics of money mule operations, they begin implementing strategies to prevent their customers from suffering the same credit-score-reducing fate. The handlers pick up on this, and start blacklisting banks - essentially telling the mules where they should be opening accounts.
Throughout our travels around the 'Net, BrandProtect comes across all kinds of scams and associated data. One juicy tidbit was a list sent around by a mule handler's handler - the person that directs the handlers how to run their "departments" efficiently, and makes executive decisions for the group. So, what's on this list? Well, Dearest Reader, I'm glad you asked. The list contains the names of almost 50 U.S. banks that are known to have lax account security in place - idyllic environments for the growth of the criminals' business.
Straight from the file itself: "Ask your clients... to open a Checking account and provide the log in details, such as "User name, Password, the 3 Security Questions and Answers". They should go into the bank and get the account opened. It should NOT be done online. In a state that has more than one bank, please send all the banks to him so that he will choose the one that is convenient for him."
As you can see, this is not the work of a half-baked junkie looking to make a quick score - lots of time and effort has been invested in this, because the perpetrators know the rewards are great.
Are you on the list of banks known by criminals to have lax account security in place? Drop us a line, and we'll let you know.
Co-authored by: Michael Kiefer, BrandProtect
Posted by Adrian Sertl on Fri, Feb 12, 2010
A short while back I wrote a piece on "Anti-Counterfeit measures and the potential impact to user's web surfing rights". In it I briefly mentioned "a French law" that was created to combat online copyright infringement; it essentially gave 'infringers' three strikes before their access to the internet would be revoked. The latest version of the bill added a requirement that a judicial review take place before any person's internet access can be shut off, something that was not present in the older versions of the law. This law has been in effect in France since January 1st, 2010; I could not find any cases in which it has been put into practice so far. Then again, it has only been a month.
Now while this change is seemingly beneficial to web users, the law can still be viewed as somewhat harsh, especially in cases where it is unclear who is actually doing the infringing. A potential infringer could be using an innocent party's unsecured wireless signal to download or seed pirated material, or there could be a single party infringing on a machine with multiple users without anyone else knowing. With no criminal or civil trials involved in these instances, at least in France, the possibility exists that innocent parties could have their internet access shut off because of the actions of others.
Related to this is the issue of making a file available to be shared on a network; does it necessarily qualify as copyright infringement, and in the case of internet users in France could it cause you to lose access to the internet? The owner of the machine hosting the pirated material may be unaware that this is happening at all. Are they, or should they be held responsible?
The debate over this is still ongoing, but international precedent seems to indicate that yes, they are responsible; the two cases that come to my mind instantly are the Pirate Bay torrent website and that of Jammie Thomas-Rasset, which I'll mainly focus on here. In Capitol v. Thomas the defendant was sued for copyright infringement for downloading and sharing music. The defence attorneys tried to claim that "Ms. Thomas' computer was hacked", and that the defendant was perhaps the victim in all of this, but the judge quickly dismissed it and eventually the defendant was found liable for the damages. Interestingly, the case was re-tried in 2009 based on new interpretations of what "making available" should mean. While a similar verdict was reached, the fine was reduced from the original $1,920,000 USD to $25,000 USD. She is currently appealing this ruling.
Using the new HADOPI law and the ongoing Capitol v. Thomas case as examples, it is fairly obvious that when it comes to file sharing the onus lies with web users to monitor their own online activities. If you are engaging in these acts you must be prepared to deal with the consequences if and when they arise. It will be very interesting to see how the landmark copyright infringement case in the United States finally concludes and what implications it will have for the future. Just as interesting will be the first applications of the HADOPI law in France. One thing is for sure: owners of intellectual property are making their voices heard, and lawmakers are listening loud and clear.
Oh and one very interesting side note on the HADOPI law. Apparently the font used in the logo by the HADOPI agency "was used without the prior consent of the trademark owner", who created the font for the sole use of France Telecom. If there is a more perfect definition of irony I haven't heard it yet.
Posted by Shanna Gordon on Tue, Feb 02, 2010
If someone was breaking into your house every night while you slept and taking money from your piggy bank, wouldn’t you try to stop it? So why aren’t large corporations doing more to stop perpetrators from continuously stealing revenue from their bottom line? Through traffic diversion schemes, the sale of counterfeit goods, unauthorized associations, identity theft attacks and defamatory social media discussion, brands are being violated, reputations tarnished and significant revenues lost.
Traffic diversion schemes include domain cybersquatting (e.g. www.fasebook.com) and many other tactics that direct traffic away from your site (sometimes to competitors’ sites or even pornography).
Why spend thousands or even millions of dollars on a marketing budget just to have the benefits diluted and revenue stolen from you through traffic diversion schemes? CMOs need to start paying attention to this and start protecting their brands.
Wouldn’t you also want to know if someone was claiming to be a partner of yours? Think it’s not important? Take for example a financial organization down south: we recently found a “hate group” site claiming on their website that they conduct all their banking at this organization. If one influential blogger or tweeter comes across this post, the bank’s reputation can be tarnished in days or even hours through social media. Which brings me to my next point…
Marketers also need to continuously monitor social media sites for potentially damaging situations. It only takes minutes for an influential blogger to say something slanderous, for someone to make a negative video, or for a disgruntled employee to post confidential information, and the word spreads like wildfire. Free tools can provide some minimal coverage, but the time it takes to weed through the junk is prohibitive. Prioritizing what’s relevant and emotionally charged, to mitigate the negative impact on your brand, is necessary.
I think some of the hesitation in the past for marketing departments not leveraging brand protection services is that they didn’t know what they would do with these “issues” once they were uncovered. They also strongly hesitated to get their legal departments involved in these situations, for obvious reasons (very expensive!), so why not just ignore it? That is where cease and desist capabilities can help manage these situations in a very cost-effective way and help remove the vast majority of the threats uncovered. Not to toot our own horn, but BrandProtect’s track record for getting infractions removed via cease and desist methods alone is approximately 70-80%.
So once again, I ask the question: if someone was breaking into your piggy bank every night, wouldn’t you try to stop it?
Posted by Rosemary Brkopac on Thu, Jan 28, 2010
2010 will be an exciting year for me because as the new decade kicks off so does another volunteer term on the INTA bulletin committee. Thousands of INTA members spend countless hours volunteering their time and talents contributing to INTA, but I think working on the Bulletin must be one of the most rewarding and instantly gratifying ways to be involved in the Association. Close to 30,000 INTA members receive the Bulletin every two weeks, with each issue being much anticipated as receiving the publication was voted the most important benefit of INTA membership – even over the annual meeting!
Over the past two years my role on the committee has afforded me the privilege of reporting on cutting-edge trademark conferences as well as conducting Member Spotlight interviews with the most respected trademark attorneys in the world. If I had to pick one highlight of my last term it would be covering the Trademark Law and the Internet forum held last year in San Francisco. The conference featured one of the founders of the Internet, Google Evangelist Dr. Vint Cerf, as a keynote speaker. To be in the same room with him and hear him speak about topics such as the Interplanetary Internet and the introduction of IPv6 was a truly phenomenal experience. I enjoyed writing the article and sharing information gleaned from the conference with clients and colleagues alike. When doing a Member Spotlight interview, the one question I ask each person without fail is “What do you see as the most serious issue today concerning trademark infractions on the Internet?” The responses I get back vary from person to person, and I (and my clients here at BrandProtect) benefit from their responses. I always learn something new and often get a different perspective on the issues that are important to all of us in the brand protection field.
Though we are still in the early days of 2010, the members of the INTA Bulletin committee are hard at work preparing stories for upcoming issues. Please look out for my Member Spotlight focusing on Nancy Lutz, appearing next month. Nancy is an IP attorney and a partner of Kelley Drye & Warren LLP, in Washington D.C. I’m currently working on articles focusing on J. Scott Evans, Senior Legal Director, Global Brand and Trademarks - Yahoo! Inc. (who is heavily involved with ICANN, advocating the protection of rights holders’ interests with the introduction of the new gTLDs) and Vincent Martell, Intellectual Property Manager at CKX (American Idol, Elvis Presley Enterprises, Muhammad Ali, the Beckhams). I always appreciate feedback, so after reading my articles please drop me a line and let me know your thoughts!
Posted by Jamila Hunte on Mon, Jan 18, 2010
We live in an age where there is a need to have information right at our finger tips. Not only do we need to have information that is easily accessible we also need to be mobile.
With the introduction of mobile devices like the iPhone, users are able to have the best of both worlds. Apps are all the rage. You can make your shopping list, check the weather, see your new friend request on Facebook, play your favourite video game and read your favourite book and these are just the tip of the iceberg.
Recently, a new app found its way onto Google’s Android Market, the app store Google maintains for its mobile platform. This application appeared to offer a shortcut that would give the user access to their bank’s website. It is now believed that this app and 50 similar apps were engaged in malicious activity – activity that could lead to phishing attempts. A recent article in computerworld.com provides more information on this app, created by a developer known only as “09Droid”.
This Android app was brought to my attention as a concern for one of my clients. We were worried that it could have been downloaded by their customers, who were innocently looking for an easy way to access their bank account.
Luckily we were able to make contact with one of the sites that was advertising the app, and since then it has been removed. There was still a concern, however, that other sites could be providing this app. According to a recent article in willhall.ca, the droid apps have been removed by Google.
We have been put at ease, at least for now…
There could be another android app lurking around out there, but the word is getting out and banks and credit unions are beginning to make their customers aware that what may appear to be a handy shortcut, could get them in a world of trouble. So buyer BEWARE!!!
Posted by Kevin Joy on Mon, Jan 04, 2010
“Lies, damned lies, and statistics”
For quite some time now, we have increasingly encountered a question when talking to potential clients: “What is your average takedown time?” This is a completely logical question to ask – cutting the lifetime of phishing sites is the whole point of employing a takedown service such as ourselves – but the question is a dangerous one.
First and foremost, there is no average phishing attack. Each has different characteristics, sources and impact, and therefore the notion of an average takedown time is very misleading. Simple attacks can be taken down in a matter of minutes, while some of the more sophisticated attacks, particularly those hosted on a fast-flux botnet, can take several hours or even days to resolve despite continuous efforts by the takedown provider. Since a quoted average carries no caveat that smaller organizations are targeted less often, and rarely by a fast-flux attack, the average takedown time is almost completely irrelevant to them.
Vendors also have different definitions of what exactly constitutes an incident. Some of our competitors consider every distinct URL an incident, whereas BrandProtect has specific guidelines for grouping similar URLs into one incident. This diversity amongst providers makes calculation of the average takedown time inconsistent, which unfortunately has not stopped some of our competitors from laying claim to the fastest average takedown times.
Somewhat unsurprisingly, if BrandProtect were to play that game, our data suggests that our takedown times would be significantly faster than those of our nearest competitor. But BrandProtect doesn’t play that game. We don’t claim to have the fastest takedowns in the industry; we claim to be the best. Being the best means more than getting sites disabled quickly (which we do quite well, thankyouverymuch!); it also means providing our customers with above-and-beyond service.
Success in dealing with identity theft attacks cannot be measured by something as variable as takedown time – success is a function of detection, takedown, and communication effectiveness, all of which have a significant bearing on the overall time in which a phishing attack can cause damage. Collaborating with clients and other partners to improve every aspect of our offering – detection, analysis, customer education programs, our client portal, reporting processes, etc. – is the only way to ensure the utmost client confidence that our response to an attack will result in minimal damage.
Posted by Minal Pithia on Mon, Dec 21, 2009
Marshall McLuhan's 1962 prediction of the "global village" is manifested today in the form of the internet, a self-governing community without borders involving the integration of different cultures. Worldwide communication is instantaneous and the internet is becoming more global and accessible. Did you know that the first official domain name in non-Latin characters will appear in 2010? The Bulgarian government is one of the first to register internet domains in Cyrillic. It will be interesting to see the impact this will have on the internet.
Recently, the Internet Corporation for Assigned Names and Numbers (ICANN) approved a fast-track process for implementing non-Latin domain names by early to mid 2010. Where Latin characters have dominated the internet, a switch to non-Latin characters will allow people from all over the world to register domains in Arabic, Mandarin, Japanese and Russian, to name a few. This new implementation may make it harder to control spammers and phishers. Peter Wood, member of ISACA's Conference Committee and founder of First Base Technologies, states, "While we understand the interest in expanding the characters offered in other languages, we are concerned that an increase in web site characters could lead to greater security risks and consumer fraud." Because most modern scripts have letters resembling Cyrillic ones, many experts predict an increase in spoof URLs that leave users unable to distinguish a fraudulent site from an authentic one. For example, here is a list of Cyrillic characters that look like Latin characters: y, k, e, x, b, a, p, o, c and g. Characters that look alike are known as homographs. The scope for homograph attacks widens as IDNs allow the use of the full Unicode character set. One can see the implications: it is possible to create a domain that reads "bank" using the lower-case Cyrillic 'a'.
There is a partial defense for this: Firefox has an add-on which "Puts a little flag in the status bar that tells you whether you are visiting a Traditional Domain Name (green TDN) or an International Domain Name (UN-blue IDN with translation to Punycode)". It is also important to educate yourself about the various phishing attacks and never to click on suspicious links in an email. When in doubt, it is a good habit to type URLs directly into the browser.
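The homograph problem described above is easy to check for on the monitoring side. The following is an added example (my own code, not from the post or from BrandProtect) that does what the Firefox add-on does, converting a domain to its Punycode form, and adds two checks a brand monitor would run over newly registered domains: whether a label mixes scripts, and whether a label collapses onto a protected brand once lookalike letters are mapped back to Latin. The lookalike table is constructed from the post's own list and is deliberately partial; the complete reference is the Unicode confusables data in UTS #39.

```python
import unicodedata

# Hand-built table of Cyrillic letters that render like Latin ones, built from the
# lookalike list in the post. Constructed and partial; see UTS #39 for the full set.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a",  # а
    "\u0435": "e",  # е
    "\u043e": "o",  # о
    "\u0440": "p",  # р
    "\u0441": "c",  # с
    "\u0443": "y",  # у
    "\u0445": "x",  # х
    "\u043a": "k",  # к
    "\u044c": "b",  # ь (soft sign)
}


def scripts_in_label(label):
    """Return the set of Unicode scripts used by the letters of one DNS label, taken from
    the first word of each character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def skeleton(label):
    """Replace lookalike letters with their Latin counterpart, so 'bаnk' (Cyrillic а)
    collapses onto 'bank' and the two can be compared as strings."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in label)


def to_punycode(domain):
    """The ASCII (xn--) form that DNS actually resolves; this is what the add-on shows."""
    return domain.encode("idna").decode("ascii")


def check_domain(domain, protected_brands):
    """Return findings for an observed domain: (a) a label that mixes scripts, and/or
    (b) a label whose skeleton equals a protected brand name while the label itself does not."""
    findings = []
    for label in domain.split("."):
        scripts = scripts_in_label(label)
        if len(scripts) > 1:
            findings.append(f"mixed scripts {sorted(scripts)} in label {label!r}")
        sk = skeleton(label).lower()
        if sk in protected_brands and sk != label.lower():
            findings.append(f"label {label!r} is a homograph of protected brand {sk!r}")
    return findings


if __name__ == "__main__":
    # Constructed candidates: plain ASCII, Latin with one Cyrillic а, and all-Cyrillic рау.
    for candidate in ("bank.com", "b\u0430nk.com", "\u0440\u0430\u0443.com"):
        print(candidate, "->", to_punycode(candidate), check_domain(candidate, {"bank", "pay"}))
```

The all-Cyrillic case is the one worth noting: a label such as рау (Cyrillic р, а, у) passes the mixed-script check, because it is written entirely in one script, and is caught only by the skeleton comparison against the protected brand list. A monitor that relies on mixed-script detection alone, as some browsers do for display decisions, will miss it.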
The borderless world of the internet provides many opportunities for companies to create a global online presence. The introduction of IDNs increases the potential for more online business, since it allows companies to effectively target larger audiences and widen their scope on the internet. Protecting brands and reputation online has never been more important than it is today, in the ever-evolving world of the internet.
Posted by Michael Kiefer on Tue, Dec 15, 2009
Almost every state now has its own bill. Now the House and Senate have two bills which need to be reconciled into one. It is kind of like every state having its own gas fuel mixture requirements. It is costing taxpayers billions to have our government regulate, at both the state and federal level, and for business to comply with all these different state and federal bills. The new House bill looks like it only pertains to FTC-regulated companies. Being in DC this week, I could not help but notice the number of overhead cranes. Building out for the next 100,000 government workers to over-regulate us!
____________________________________________________
US House Passes Data Accountability and Trust Act (DATA)
On December 8, 2009, the Data Accountability and Trust Act -- HR 2221(DATA) moved one step closer to law by passing the House of Representatives. DATA is sponsored by Congressman Bobby Rush (D-IL). The DATA in Congress has similar elements as Senator Leahy's S. 1490, the Personal Data Privacy and Security Act, including not only breach notice obligations, but also information security policy requirements.
Both the Leahy and Rush bills also impose increased obligations on "information brokers," defined as follows in the Rush bill:
(6) INFORMATION BROKER- The term `information broker'--
(A) means a commercial entity whose business is to collect, assemble, or maintain personal information concerning individuals who are not current or former customers of such entity in order to sell such information or provide access to such information to any nonaffiliated third party in exchange for consideration, whether such collection, assembly, or maintenance of personal information is performed by the information broker directly, or by contract or subcontract with any other entity; and
(B) does not include a commercial entity to the extent that such entity processes information collected by and received from a nonaffiliated third party concerning individuals who are current or former customers or employees of such third party to enable such third party to (1) provide benefits for its employees or (2) directly transact business with its customers.
(the Leahy bill uses the term "data broker", but has a similar definition). Information brokers would be required to submit their security policies to the FTC in the event their breach notice obligations were triggered. Moreover, the DATA imposes obligations on information brokers concerning data accuracy, data access and disputed data. Information brokers would also be required to maintain audit logs or similar measures "which facilitate the auditing or retracing of any internal or external access to, or transmissions of, any data containing personal information collected, assembled, or maintained by such information broker."
Posted by Dylan Sachs on Fri, Dec 04, 2009
It has been well known for some time - at least, amongst those in the industry and by those with coverage - that having a solid takedown service is essential to limiting the exposure you and your customers face as a result of phishing attacks. Studies have shown - consistently - that brands who have a well-defined takedown process (including a third-party takedown company) experience significant reductions in the lifetimes of phishing sites targeting their customer base.
Recently, there has been a spike in fast-flux, high-volume phishing activity. Previously, this was known as "Rock Phish" activity; however, that can be considered version 1.0 - domains, hosted on a botnet, targeting multiple financial brands and their customers via phishing sites. Version 2.0 - known as Avalanche or ZBOT - is particularly troubling, as the attacks have evolved to include a malware payload and have broadened their target base to include social networking sites, government agencies, and even spoofing the email recipient's domain. While complete fraud-loss and malware infection rates are difficult to come by, Damballa research found that the Zeus Trojan - the malware payload included in the Avalanche attacks - has infected 3.6 million systems in the U.S. alone.
In addition to giving up their banking credentials, hundreds - possibly thousands - of users are unknowingly becoming infected daily with one of the most difficult-to-detect pieces of malware ever seen. Zeus makes up 44% of all finance-related malware, and provides the fraudsters with complete access to the infected host, allowing them to upload keylogging software, automatically steal login credentials, even route legitimate domains to phishing pages. Even those systems with up-to-date anti-virus software aren't immune from infection by Zeus - Trusteer found that up to 77% of infected systems had up-to-date AV definitions (and that across all AV software, there was only a 23% detection rate of Zeus). Earlier, I mentioned that the Avalanche attacks were targeting social networking sites - the same social networking sites that have been used as command-and-control centres for other pieces of malware.
The simplest solution is often the most effective, and when dealing with hosted malware and phishing sites, the simplest way to prevent further infections or credential loss is to get the content removed. The Anti-Phishing Working Group recently published its 1H2009 Global Phishing Survey, which includes a section detailing the Avalanche phish. Their findings showed that Avalanche domains had an average lifetime of 18 hours, 45 minutes from the time the email was sent out to the time the site became unavailable. In the grand scheme of things, this is a fairly short lifespan - the same report puts the average lifetime of standard phishing sites at 39 hours, 11 minutes. While this is promising, it still leaves 18 ¾ hours open to steal credentials and infect unwitting users.
BrandProtect first saw our clients being targeted in late June, with three more clients being added to the target list in the following months. In total, 506 domains were launched which had pages (either phishing, malware, or both) targeting our clients. BrandProtect's 24/7 Incident Response Team has a distinct advantage over other takedown providers in that they have team members spanning the globe, able to converse with the registrars of these domains in their native tongue, during their normal business hours. This advantage resulted in an average lifetime of the domains targeting our clients of 7 hours, 48 minutes - or a 60% reduction over the reported industry average. Needless to say, our clients are quite pleased with these results.
Now, if only there was a way to prevent people from clicking links in email messages...