You're kidding me

All the authentication and DMARC in the world can’t save you from stupid.
I just got a survey request from my bank. Or, at least, it claimed to be from my bank.

From: Barclays International Banking Survey <internationalbanking@barclayssurveys.com>

The mail passed SPF (though the SPF record suggests this is being mailed from all over the place) and was validly DKIM signed for barclayssurveys.com. And that domain has a DMARC policy
But there’s nothing in any of that that tells me – or mail filters – that this has anything to do with Barclays Bank.
“barclayssurveys.com” is what’s know as a cousin domain in the phishing world. It’s a domain that has absolutely nothing to connect it to the legitimate domain of the phishing target, but which looks plausible to a recipient.
This one didn’t actually look that plausible, though. The website is hosted on a RackSpace VPS with no reverse DNS configured. The domain is registered by “chime.plc.uk” – whose website is just an Outlook Web Access instance:

The survey it links to – the survey that is asking the recipient about their interaction with a financial institution – doesn’t use SSL. (The webserver it’s running on does speak SSL, so the issue is that they didn’t have a certificate for barclayssurveys.com). The URL it uses and the javascript it’s running suggests it was originally taken from Wix, the free website hosting platform. And it has references to several survey providers in the source that are hidden by CSS.

All of which would be suspicious enough if it came from my local dive bar, but this is coming from an international bank that’s big enough, rich enough and technically savvy enough that they own their own top level domain.
No institution can claim to care about phishing or account takeover as an issue when the legitimate email they send is less plausible than a typical phishing mail. This is just setting up their customers to fall for phishing mail.

And, yes, it’s from a legitimate survey firm. One that’s quite widely used in the United Kingdom and Éire. How do I know it’s widely used? Because the mail they send out leaks information about their customers:

X-Confirmit-FixedSenderDomain: factssurvey.co.uk, feedback-waveutilities.co.uk, feedback-anglianwaterbusiness.co.uk, npowersurveys.com, o2surveys.co.uk, gustosurveys.co.uk, customersatisfaction.rbs.co.uk, customersatisfaction.natwest.com, mail.customersatisfaction.rbs.co.uk, mail.customersatisfaction.natwest.com, panel.uk.com, virgintrainseastcoastsurveys.com, barclayssurveys.com, sunnyloanssurveys.com, sagafeedback.co.uk, boxcleversurveys.co.uk, surveys.ulsterbank.ie, sagafeedback.co.uk, barclays.com, titanfeedback.co.uk, barclaycardsurveys.com, aegonfeedback.co.uk, directionsurveys.co.uk

Just from the names I recognize that’s five major high street banks, a payday loan outfit, several utility companies, travel companies and a major cellphone company that are sending survey email that’s this badly done. And that’s probably just the ones that are being sent from this particular mailserver.
That moment when you type "WTF?" into Google image search
I went back and checked where my bank usually sent email from, and how their authentication was normally set up. The previous mail I got from them was a timely warning about “Phishing” and “Smishing” and “Vishing” warning me to be very careful about clicking on links in mail claiming to be from my bank, for fear of being phished.
It was addressed to “%first name%”.

Related Posts

August 2016: The Month in Email

August was a busy month for both Word to the Wise and the larger world of email infrastructure.
IMG_0026
A significant subscription attack targeted .gov addresses, ESPs and over a hundred other industry targets. I wrote about it as it began, and Spamhaus chief executive Steve Linford weighed in in our comments thread. As it continued, we worked with M3AAWG and other industry leaders to share data and coordinate efforts to help senders recover from the attack.
In the aftermath, we wrote several posts about abuse, blocklists, how the industry handles these attacks currently, and how we might address these issues going forward. And obviously this has been on my mind before this attack — I posted about ongoing problems with internet security, how open subscription forms contribute to the problem, and other ways that companies inadvertently support phishing operations.
I posted about the history of email, and recounted some of my earliest experiences, when I had a .bitnet and a .gov address. Did you use email before SMTP? Before email clients? I’d be curious to hear your stories.
Speaking of email clients, I did two posts about how mail gets displayed to the end user: Gmail is displaying authentication results, which should provide end users with a bit more transparency about how authentication is used to deliver or block messages, and Microsoft is partnering with Litmus to improve some of the display issues people face using Outlook. These are both notable — if this is not your first time reading this blog, you know about my constant refrain that delivery is a function of sending people mail they want to engage with. If the mail is properly formatted and displayed, and people have a high degree of confidence that it’s been sent from someone they want to get mail from, that goes a long way towards improving engagement in the channel.
On that note, I spoke at length with Derek Harding about how marketers might change their thinking on deliverability, and he wrote that up for ClickZ. I also participated in the creation of Adobe’s excellent Teaching the Email Marketer How to Fish document (no, not phish…).
Steve was very busy behind the scenes this month thinking about abuse-related topics in light of the SBL issues, but he wrote up a quick post about the Traffic Light Protocol, which is used to denote sensitive information as it is shared.
Finally, for my Ask Laura column this month, I answered questions about delivery and engagement metrics and about permissions with purchased lists. As always, if you have a general question about email delivery, send it along and I’ll consider it for the column.

Read More

Happy New Year!

Well, we mostly survived 2016. A year ago I was making predictions about how 2016 would be the year of email security. I was thinking of things like TLS and authentication and access to the inbox. It wasn’t out of the question, Gmail said they’d be turning on p=reject sometime mid-year. They also were suggesting that they would be putting more value on messages that aligned, even in the absence of a DMARC signature. The first still hasn’t happened, and the second doesn’t appear to be in place, either.
DataSecurity_Illustration
That doesn’t mean email security wasn’t a hot topic in 2016. In fact, the use of a private email server was a major topic during the US elections. We also had spear-phishing play a major role in the compromise of campaign systems. I didn’t talk much about that here when it happened, but news reports make it clear that Chairman Podesta and others were targeted for compromise. The NY Times has a more in depth article with broader context around the attacks and how emails were used to infiltrate a major political party.
The irony is with all the time spent talking about how insecure the private server was, that server wasn’t compromised. Instead, the compromise was at Gmail.
We all need to pay attention to our email and how we use it. It also means when we’re sending bulk and marketing email we need to consider the private and personal information we’re putting in messages. Do you send PII? Is there a way you don’t have to? What can we do to protect our brand and our users?
It’s not just bulk email we need to think about, either. Personal email can contain PII, or personal information. A common saying among some of my security friends is “never put in email anything you wouldn’t want to see on the front page of the Washington Post or NY Times.” That’s an easy thing to say, but the convenience of email makes it easy to share information that we may not want on the front page of either paper. Many of us aren’t actually targets of malicious activity so we don’t have to worry about being targeted the way elected and other officials are. But that doesn’t mean we are not at risk. It just means we’re at less risk than others.
Email is a frequent vector for malicious actors to access computers. Most, if not all of the major breeches in the last few years have started with a phishing attack of some sort. The attacks are planned out and sophisticated. This is not going to get better. The phishers are smart and plan the attacks.  We also need to be more personally aware of security given the current political climate. We need to take steps to protect ourselves more than we have in the past.
Security is more important than ever and we all need to protect ourselves.

Read More

Phishing increasingly sophisticated

Phishing is an online threat that’s been around for more than 20 years. I initially heard of it in relation to spammers taking over an AOL account to send out spam. These days phis is more dangerous and more sophisticated. Phishing is not just used to send spam. It’s used to take over elections; it’s used to steal millions of dollars. Experts estimate that globally phishing costs companies over 9 billion dollars a year.
Even in the last two weeks we’ve seen 2 major phishing incidents. One targeted Google Docs, one targeted Docusign. Reading the news reports these are different than many of the more common phishing attacks and, to me, represent an evolution in standard phishing techniques.

The Google attack in early May was an evolution in getting access to a Google account. Instead of directing users to a fake Gmail login page, the phish asked users to allow “Google Docs” (actually an app controlled by the phisher) to access to their Google account.
I’m sure all of you have used an app or website that lets you login with Facebook or Gmail or Twitter. This is all done with a protocol called OAuth. OAuth is also how you give access to mailbox management tools like I discussed a few weeks ago.  Basically, OAuth lets users grant access and permission to a site or application using a second site without revealing their username and password. (It’s more complicated than I want to discuss, but if you’re looking for some information check out some of the sites I’ve found: wikipedia, Varonis blog, Digital Ocean knowledge base, or just search google for oauth.)
The switch from asking for a password to asking for access is, to my mind, a significant change. Now we have to be aware of what we’re authorizing and make sure that app isn’t malicious.
The Docusign phish is another evolution.  As I was looking at the phish I received yesterday I realized that it was sent to a tagged address. A tagged address only Docusign had. None of my other, heavily phished, addresses received the phish. None of Steve’s addresses received the phish. This wasn’t a widespread spray and pray phishing attack. The phishers targeted Docusign users. Yesterday afternoon, Docusign confirmed that someone stole user addresses.
This is a switch from just randomly looking for victims to targeting users of a specific service.
Phishing attacks look for the weakest links to gain access to computers, information, and money. The weakest links are always humans. Phishers have adapted to security measures for the last 20 years. There is zero reason that they won’t continue to adapt.
 
 
 

Read More