Obscure email addresses on your website for added security
The common problem
Most website management platforms allow you to simply type in an email address and it gets displayed on your website – exactly where you wanted it. It'll either look like this:
or like this.
The first option is, quite simply, the easiest way of presenting your email address on a web page, but you're making the job for threat actors as easy as punch! The only way you could make it easier is if you have all your staff email addresses in a nicely formatted table. That way they can use any number of tools to harvest your information from your website, including a simple Google sheet.
The background to this is that your website actually shows email addresses by using source code as follows:
From the website visitor's point of view, you couldn't get a simpler way of presenting your desired email address.
The problem with solving... the problem
Websites are MEANT to be user-friendly and the most commonly used methods used for hiding email addresses end up making it harder for legitimate users and don't actually make it harder for threat actors to harvest your information. Such approaches might involve hiding the email address behind some incantation of an envelope (), or by making it difficult to read (e.g. hello <at> entity <dot> nz). None of these approaches actually make it difficult for threat actors to harvest email addresses because their tools analyse the source code of websites (see above).
So then, how do I solve the problem?
For any approach to be successful, it needs to do the following three things, well:
- Don't impact your legitimate website visitors. If it's difficult to read, your visitors won't contact you.
- Make it usable for the website administrator to make changes. If it's difficult to use, it's only a matter of time before everything goes back to what it was before.
- Make it difficult for a potential threat actor. You're only a visit away from a baddy, so make it difficult to automatically filter your data from your website.
You should also consider your Search Engine Optimisation (SEO). Website owners have been conditioned into believing that it's imperative to have their websites in the top 5 results of all the search engines from all four corners of the world. Here's the thing – if your website doesn't come up in a search result for someone not specifically looking for you, you're less of a target and you're doing a great job. That's not to say that you shouldn't appear in the top 5 results across all the search engines, but you only need to be there for the results that are relevant to your target audience.
Real options to mitigate the problem
Limit staff pages
If your information isn't there, it can't be harvested. Don't have staff pages and the only email addresses you're going to expose are the mandatory ones. Depending on your email address format, you could display information that doesn't link to your email addresses.
Using additional characters
Think of your favourite masquerade ball scene in a movie set in medieval times. Hide information in plain sight by using simple pieces of material and cheap adornments. Similarly, the internet is based on a language called HTML and there are some legacy throwbacks that were used early on when text-only pages were all there was. Any non-mainstream English character wasn't catered for, so developers needed a way to cater for additional characters. Some of these include:
- The at symbol (@) can be replaced with @
- The dot in domains can be replaced with .
Using the example from above, you can have zero impact on your legitimate visitors by entering email addresses as below:
Threat actors are looking for email addresses that look like email addresses. There are some tricks you can have up your sleeve like hidden tags. HTML has a comment tag that doesn't get displayed in a visitor's web browser under normal circumstances. You can simply copy the comment block and paste it randomly anywhere inside the ordinarily visible text and your legitimate visitors will be none the wiser like this:
The combined approach
Naturally, any and all the above can be combined at will. The more variation you employ, the more effective the overall solution will be.
Impractical options to solve the problem
Captcha | Recaptcha | noCaptcha | etc
There are a number of libraries you can deploy that prevent certain text from displaying unless it is displayed in a normal web browser... ordinarily. The idea here is that most threat actors would be using scripts to harvest your data and having items that only display in certain circumstances would prevent that from happening when "browsing" your site with a script. The thing is, there are a lot of tools out there designed to bypass these captcha-esque utilities.
If you wish to discuss this with us, please do feel free to contact us.