You're kidding me

All the authentication and DMARC in the world can’t save you from stupid.
I just got a survey request from my bank. Or, at least, it claimed to be from my bank.

From: Barclays International Banking Survey <internationalbanking@barclayssurveys.com>

The mail passed SPF (though the SPF record suggests this is being mailed from all over the place) and was validly DKIM signed for barclayssurveys.com. And that domain has a DMARC policy
But there’s nothing in any of that that tells me – or mail filters – that this has anything to do with Barclays Bank.
“barclayssurveys.com” is what’s know as a cousin domain in the phishing world. It’s a domain that has absolutely nothing to connect it to the legitimate domain of the phishing target, but which looks plausible to a recipient.
This one didn’t actually look that plausible, though. The website is hosted on a RackSpace VPS with no reverse DNS configured. The domain is registered by “chime.plc.uk” – whose website is just an Outlook Web Access instance:

The survey it links to – the survey that is asking the recipient about their interaction with a financial institution – doesn’t use SSL. (The webserver it’s running on does speak SSL, so the issue is that they didn’t have a certificate for barclayssurveys.com). The URL it uses and the javascript it’s running suggests it was originally taken from Wix, the free website hosting platform. And it has references to several survey providers in the source that are hidden by CSS.

All of which would be suspicious enough if it came from my local dive bar, but this is coming from an international bank that’s big enough, rich enough and technically savvy enough that they own their own top level domain.
No institution can claim to care about phishing or account takeover as an issue when the legitimate email they send is less plausible than a typical phishing mail. This is just setting up their customers to fall for phishing mail.

And, yes, it’s from a legitimate survey firm. One that’s quite widely used in the United Kingdom and Éire. How do I know it’s widely used? Because the mail they send out leaks information about their customers:

X-Confirmit-FixedSenderDomain: factssurvey.co.uk, feedback-waveutilities.co.uk, feedback-anglianwaterbusiness.co.uk, npowersurveys.com, o2surveys.co.uk, gustosurveys.co.uk, customersatisfaction.rbs.co.uk, customersatisfaction.natwest.com, mail.customersatisfaction.rbs.co.uk, mail.customersatisfaction.natwest.com, panel.uk.com, virgintrainseastcoastsurveys.com, barclayssurveys.com, sunnyloanssurveys.com, sagafeedback.co.uk, boxcleversurveys.co.uk, surveys.ulsterbank.ie, sagafeedback.co.uk, barclays.com, titanfeedback.co.uk, barclaycardsurveys.com, aegonfeedback.co.uk, directionsurveys.co.uk

Just from the names I recognize that’s five major high street banks, a payday loan outfit, several utility companies, travel companies and a major cellphone company that are sending survey email that’s this badly done. And that’s probably just the ones that are being sent from this particular mailserver.
That moment when you type "WTF?" into Google image search
I went back and checked where my bank usually sent email from, and how their authentication was normally set up. The previous mail I got from them was a timely warning about “Phishing” and “Smishing” and “Vishing” warning me to be very careful about clicking on links in mail claiming to be from my bank, for fear of being phished.
It was addressed to “%first name%”.

Related Posts

Phishing protection

Last week Return Path announced a new service: Domain Assurance. This service allows companies who send only authenticated email to protect their brand from phishing attacks. Participating ISPs will reject unauthenticated email from domains participating in this program.

Read More

Mail Client Improvements

There’s been extensive and ongoing development of email through the years, but much of it has been behind the scenes. We were focused on the technology and safety and robustness of the channel. We’re not done yet, but things are much better than they were.
The good part of that is there is some space to make improvements to the inbox as well. Over the last few months there have been a number of announcements from different mail client providers about how they’re updating their mail client.

Read More

Anatomy of a successful phishing attempt

Earlier this year the Exploratorium was the victim of a phishing attack. They’ve posted an article on what happened and how they discovered and dealt with the issue.
But they didn’t just report on the attack, they dissected it. And, as is appropriate for a organization with a mission of education, they mapped out what they discovered during the investigation.

There are a couple of things that stand out to me about this attack. One is that of the more interesting pieces to me is that there was a delay between the compromise and the start of the attack. The Exploratorium calls it “the pivot” and describes it as the hacker deciding what to do next. The second is that the phisher actively interacted with the victim’s account. All new mail was sent to the trash automatically so she wouldn’t see incoming mail. Some mail was actively replied to so more people would click on the message. The phisher took steps to retain access to the account for as long as possible.
One thing that the Exploratorium didn’t see was any actual access to Exploratorium files or information. That may be because the Exploratorium itself wasn’t the target. Once a phisher / hacker has access to the email account, they have access to almost everything in your online life: calendars, bank accounts, credit accounts, the list goes on. Email addresses are our online identity and getting access to the address can open access to so much more.
Quite frankly it can happen to any of us. Earlier this week we received a phishing message that looked very plausible. It came from a law firm, mentioned a subpoena and even had an attachment personalized to our company. The attachment wasn’t opened so we were fine, but I can see how that kind of email might trick someone into getting infected.
We all need to be careful online. Email is a wonderful thing, but it’s insecure. It’s a great way for criminals to get into our space and wreck havoc on our computers and our lives.
 

Read More