Real. Or. Phish?

After Epsilon lost a bunch of customer lists last week, I’ve been keeping an eye open to see if any of the vendors I work with had any of my email addresses stolen – not least because it’ll be interesting to see where this data ends up.
Yesterday I got mail from Marriott, telling me that “unauthorized third party gained access to a number of Epsilon’s accounts including Marriott’s email list.”. Great! Lets start looking for spam to my Marriott tagged address, or for phishing targeted at Marriott customers.
I hit what looks like paydirt this morning. Plausible looking mail with Marriott branding, nothing specific to me other than name and (tagged) email address.
It’s time to play Real. Or. Phish?
1. Branding and spelling is all good. It’s using decent stock photos, and what looks like a real Marriott logo.
All very easy to fake, but if it’s a phish it’s pretty well done. Then again, phishes often steal real content and just change out the links.
Conclusion? Real. Maybe.
2. The mail wasn’t sent from marriott.com, or any domain related to it. Instead, it came from “Marriott@marriott-email.com”.
This is classic phish behaviour – using a lookalike domain such as “paypal-billing.com” or “aolsecurity.com” so as to look as though you’re associated with a company, yet to be able to use a domain name you have full control of, so as to be able to host websites, receive email, sign with DKIM, all that sort of thing.
Conclusion? Phish.
3. SPF pass
Given that the mail was sent “from” marriott-email.com, and not from marriott.com, this is pretty meaningless. But it did pass an SPF check.
Conclusion? Neutral.
4. DKIM fail
Authentication-Results: m.wordtothewise.com; dkim=fail (verification failed; insecure key) header.i=@marriott-email.com;
As the mail was sent “from” marriott-email.com it should have been possible for the owner of that domain (presumably the phisher) to sign it with DKIM. That they didn’t isn’t a good sign at all.
Conclusion? Phish.
5. Badly obfuscated headers
From: =?iso-8859-1?B?TWFycmlvdHQgUmV3YXJkcw==?= <Marriott@marriott-email.com>
Subject: =?iso-8859-1?B?WW91ciBBY2NvdW50IJYgVXAgdG8gJDEwMCBjb3Vwb24=?=

Base 64 encoding of headers is an old spammer trick used to make them more difficult for naive spam filters to handle. That doesn’t work well with more modern spam filters, but spammers and phishers still tend to do it so as to make it harder for abuse desks to read the content of phishes forwarded to them with complaints. There’s no legitimate reason to encode plain ascii fields in this way. Spamassassin didn’t like the message because of this.
Conclusion? Phish.
6. Well-crafted multipart/alternative mail, with valid, well-encoded (quoted-printable) plain text and html parts
Just like the branding and spelling, this is very well done for a phish. But again, it’s commonly something that’s stolen from legitimate email and modified slightly.
Conclusion? Real, probably.
7. Typical content links in the email
Most of the content links in the email are to things like “http://marriott-email.com/16433acf1layfousiaey2oniaaaaaalfqkc4qmz76deyaaaaa”, which is consistent with the from address, at least. This isn’t the sort of URL a real company website tends to use, but it’s not that unusual for click tracking software to do something like this.
Conclusion? Neutral
8. Atypical content links in the email
We also have other links:

  • http://bp.specificclick.net?pixid=99015955
  • http://ad.yieldmanager.com/pixel?id=550897&id=95457&id=102672&id=515007&t=2
  • http://ad.doubleclick.net/activity;src=3286198;type=mari1;cat=rwdemls;ord=1; num=[Random Number]?
  • http://ib.adnxs.com/seg?add=1519
  • http://action.mathtag.com/mm//MARI//red?nm=rwdemls&s0=&s1=& s2=&v0=&v1=&ampv2=&ri=[Random Number]
  • http://media.fastclick.net/w/tre?ad_id=26033;evt=13686;cat1=14501;cat2=14505
  • http://images.bfi0.com/creative/spacer.gif

(Those “[Random Number]” bits aren’t me hiding things. That’s literally what is in the email.)
That’s an awful lot of other servers this mail is going to try and contact when you read it. I’m pretty sure that most of those are tracking links (but how many legitimate emails that advertise a single company and which are sent directly by that company, need to use half a dozen independent affiliate tracking links?).
Conclusion? Doesn’t look terribly honest. Maybe some sort of affiliate scam rather than a phish, though.
9. Most of the links in the email go to marriott-email.com, but then immediately redirect to marriott.com.
This shows someone is tracking clicks, which is pretty common for mail sent via ESPs, so as to make click tracking information available to the client without the client having to do any work to capture data on their website.
Conclusion? Real.
10. The unsubscription link goes to a terrible page with a set of checkboxes, rather than providing a simple unsubscription button.
Conclusion? Sadly, that’s a sign that it’s real.
11. Sending network configuration
It was sent from a machine with reverse DNS of dmailer0112.dmx1.bfi0.com, but which claimed to be called dmx1.bfi0.com, not a valid hostname for the IP address it came from.
This is pretty common misconfiguration of the network that happens at larger ESPs with complex outbound smarthost farms. I’d expect a phisher not to have that sort of mistake if they were sending from their own machine or through a botnet. And while “dmx1.bfi0.com” could be an obscure end-user DSL, the reverse DNS of dmailer0112 looks like it’s a system intended to send email, not a botnet.
Conclusion? Real.
Final Conclusion
You’ve probably guessed by now. It’s real email, sent on behalf of Marriott Rewards through one of their ESPs. But if it takes me several minutes of groveling through the mail before I convince myself it’s real, what chance does a typical consumer have of telling the difference between a well targeted phishing email and a typical piece of commercial email?

Related Posts

Time for a real security response

I’ve seen a number of people and blogs address the recent breaches at some large ESPs make recommendations on how to fix things. Most of them are so far from right they’re not even wrong.
One group is pointing at consumers and insisting consumers be taught to secure their machines. But consumers weren’t compromised here.
Another group is pointing to senders and insisting senders start authenticating all their email. But the failure wasn’t in authentication and some of the mail is coming through the ESP systems and is authenticated.
Still others are claiming that ISPs need to step up their filtering. But the problem wasn’t with the ISPs letting too much email through.
The other thing that’s been interesting is to watch groups jump on this issue to promote their pet best practices. DKIM proponents are insisting everyone sign email with DKIM. Extended SSL proponents are insisting everyone use extended SSL. But the problem wasn’t with unsigned email or website trust.
All of these solutions fail to address the underlying issue:
ESPs do not have sufficient security in place to prevent hackers from getting into their systems and stealing their customers’ data.
ESPs must address real security issues. Not security issues with sending mail, but restricting the ability of hackers to get into their systems. This includes employee training as well as hardening of systems. These are valuable databases that can be compromised by getting someone inside support to click on a phish link.
Not everyone inside an ESP needs access to address lists. Not everyone inside an ESP customer needs full access to address lists. ESPs must implement controls on who can touch, modify, or download address lists.  These controls must address technical attacks, spear phishing attacks and social engineering attacks.
What’s happening here actually looks a lot like the Comodo certificate attack or the RSA compromise.
It’s time for the ESP industry to step up and start taking system security seriously.

Read More

Clicktracking 2: Electric Boogaloo

A week or so back I talked about clicktracking links, and how to put them together to avoid abuse and blocking issues.
Since then I’ve come across another issue with click tracking links that’s not terribly obvious, and that you’re not that likely to come across, but if you do get hit by it could be very painful – phishing and malware filters in web browsers.
Visting this site may harm your computer
First, some background about how a lot of malware is distributed, what’s known as “drive-by malware”. This is where the hostile code infects the victims machine without them taking any action to download and run it, rather they just visit a hostile website and that website silently infects their computer.
The malware authors get people to visit the hostile website in quite a few different ways – email spam, blog comment spam, web forum spam, banner ads purchased on legitimate websites and compromised legitimate websites, amongst others.
That last one, compromised legitimate websites, is the type we’re interested in. The sites compromised aren’t usually a single, high-profile website. Rather, they tend to be a whole bunch of websites that are running some vulnerable web application – if there’s a security flaw in, for example, WordPress blog software then a malware author can compromise thousands of little blog sites, and embed malware code in each of them. Anyone visiting any of those sites risks being infected, and becoming part of a botnet.
Because the vulnerable websites are all compromised mechanically in the same way, the URLs of the infected pages tend to look much the same, just with different hostnames – http://example.com/foo/bar/baz.html, http://www.somewhereelse.invalid/foo/bar/baz.html and http://a.net/foo/bar/baz.html – and they serve up just the same malware (or, just as often, redirect the user to a site in russia or china that serves up the malware that infects their machine).
A malware filter operator might receive a report about http://example.com/foo/bar/baz.html and decide that it was infected with malware, adding example.com to a blacklist. A smart filter operator might decide that this might be just one example of a widespread compromise, and go looking for the same malware elsewhere. If it goes to http//a.net/foo/bar/baz.html and finds the exact same content, it’ll know that that’s another instance of the infection, and add a.net to the blacklist.
What does this have to do with clickthrough links?
Well, an obvious way to implement clickthrough links is to use a custom hostname for each customer (“click.customer.com“), and have all those pointing at a single clickthrough webserver. It’s tedious to setup the webserver to respond to each hostname as you add a new customer, though, so you decide to have the webserver ignore the hostname. That’ll work fine – if you have customer1 using a clickthrough link like http://click.customer1.com/123/456/789.html you’d have the webserver ignore “click.customer1.com” and just read the information it needs from “123/456/789.html” and send the redirect.
But that means that if you also have customer2, using the hostname click.customer2.com, then the URL http://click.customer2.com/123/456/789.html it will redirect to customer1’s content.
If a malware filter decides that http://click.customer1.com/123/456/789.html redirects to a phishing site or a malware download – either due to a false report, or due to the customers page actually being infected – then they’ll add click.customer1.com to their blacklist, meaning no http://click.customer1.com/ URLs will work. So far, this isn’t a big problem.
But if they then go and check http://click.customer2.com/123/456/789.html and find the same redirect, they’ll blacklist click.customer2.com, and so on for all the clickthrough hostnames of yours they know about. That’ll cause any click on any URL in any email a lot of your customers send out to go to a “This site may harm your computer!” warning – which will end up a nightmare even if you spot the problem and get the filter operators to remove all those hostnames from the blacklist within a few hours or a day.
Don’t let this happen to you. Make sure your clickthrough webserver pays attention to the hostname as well as the path of the URL.
Use different hostnames for different customers clickthrough links. And if you pick a link from mail sent by Customer A, and change the hostname of that link to the clickthrough hostname of Customer B, then that link should fail with an error rather than displaying Customer A’s content.

Read More

Targeted attacks via email – phishing for WoW gold

You’re going to be seeing a lot of discussion about email addresses stolen from ESPs in the next few days, if you haven’t already. There are a lot of interesting things to discuss about that from an email perspective – from “Why two factor authentication isn’t a magic bullet.” to “And this is why corporate spam folders can be a major security risk.”
We could have fodder for blog content for weeks!
Right now I’m just going to look at one of the reasons why it’s worth stealing a list of email addresses from an ESP or a list owner, rather than just gathering them from other sources. That is, why the ESPs and list owners are high value targets beyond just “that’s where the email addresses are“.
If you steal a list of addresses from a list owner, or a bunch of lists from an ESP, you have one very useful extra piece of information about the recipients beyond the usual name-and-email-address. You know a company that the recipient is already expecting to receive email from.
That means that you know someone you can pretend to be in order to get a recipient to open and respond to a malicious email you send them – which will make an attempt to phish someones credentials or compromise their computer via email much more likely to be effective.
A good example of targeted phishing for credentials is the online game World of Warcraft. There’s a huge criminal underground that makes real world money by selling game money to players. The main thing the gold sellers need to have to be able to acquire game money, advertise their services to players and to give game money to players in return for dollars is an endless series of World of Warcraft accounts. Blizzard, the World of Warcraft owner, work reasonably hard to squash those accounts and make it slightly tricky for the gold sellers to sign up for them, so stealing account credentials from existing users is a great way to get them. And you can also strip those accounts bare of in-game possessions and gold in the process.
Some of the phishing is done in the game itself, where you know that everyone has an account you can steal if you can just get them to visit your website and compromise their machine…

Read More