Mikko Hyppönen, director of antivirus research at F-Secure, said it was "stupid" for security companies to send e-mails containing links that point to a different location to the one they purport to point to, which is a technique commonly used by phishers.
In the F-Secure Web log, Hyppönen criticised CA for sending an e-mail containing information about an "important update" with a link that seemed to connect to "supportconnect.ca.com" but actually went to a different address with additional information tagged to the URL. Just days earlier, Hyppönen had lashed out at RSA for using the same technique when inviting delegates to a security conference in Europe.
"How a security company sends out messages like this is beyond me. What's the point in trying to educate users about phishing scams and how they work if the same tricks are being used by the good guys," said Hyppönen.
James Turner, a security analyst at Frost & Sullivan Australia, said using masked links was "not the [most clever]" move and suggested that the problem could have arisen because of a "disconnect" between IT security and marketing.
"Phishing has certainly underscored that this is a risky area. I don't think this is the cleverest thing and it is a tricky situation -- this is one of those disconnects between marketing and IT," said Turner.
Neil Campbell, national security manager of IT services company Dimension Data, pointed out that modern antispam software often characterises e-mails with masked links as potential spam, which could mean the messages are filtered out before they reach their intended recipient.
"Once you start exhibiting characteristics of spam you are going to start falling foul of spam filters -- are these e-mails going to be put into junk e-mail folders," said Campbell, who said he would be unlikely to click on a masked link. "If I had an e-mail purporting to be from a company but the link went off to a company I had never heard of I would be unlikely to click on it".
Neither Computer Associates nor RSA was available for comment.
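The masked-link characteristic that Hyppönen and Campbell describe can be checked mechanically. The following is an added example, not code from the article or from any vendor's filter: it flags anchors whose visible text names one host while the `href` points to another. The sample HTML and the `tracking.example.net` host are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that itself looks like a hostname or URL
HOST_RE = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[:/?#].*)?$", re.I)

class MaskedLinkFinder(HTMLParser):
    """Collects (shown_text, real_host) pairs for anchors that mislead."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # visible text pieces inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        shown = "".join(self._text).strip()
        match = HOST_RE.match(shown)
        target = (urlsplit(self._href).hostname or "").lower()
        # Simplification: exact host comparison, no registrable-domain logic
        if match and target and match.group(1).lower() != target:
            self.findings.append((shown, target))
        self._href = None

def find_masked_links(html):
    parser = MaskedLinkFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: one masked link, one honest link, one plain-text link
SAMPLE = (
    '<p><a href="http://tracking.example.net/r?id=12345">supportconnect.ca.com</a></p>'
    '<p><a href="https://supportconnect.ca.com/">supportconnect.ca.com</a></p>'
    '<p><a href="http://tracking.example.net/x">Click here</a></p>'
)

if __name__ == "__main__":
    for shown, real in find_masked_links(SAMPLE):
        print(f"masked link: text shows {shown!r}, href goes to {real!r}")
```

Only the first anchor is reported: the second matches its own target, and the third makes no claim about a destination in its visible text.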