Last Updated: 2008-02-26 04:16:02 UTC
by Lenny Zeltser (Version: 1)
Customers are beginning to lose trust in email. With good reason: it is easy to spoof, and it has been a leading threat vector for phishing and malware attacks. This means that you need to be extra careful when sending mass email to your customers, especially when the message concerns their accounts or logins.
Earlier this month I received a message that claimed to be from Amtrak [firstname.lastname@example.org]. It said:
Changes Coming to Your Amtrak.com Login
In an effort to streamline the login process and communicate more effectively with our customers, we will be changing the way you access your Amtrak.com account in a few weeks. Prior to this update, we ask that you log in to verify the accuracy of the information in your account.
• Go to Amtrak.com Now and Update Your Profile
This change will not affect how Amtrak Guest Rewards members log into amtrakguestrewards.com. [The message continued... Cut for brevity.]
I cannot complain about the text of the message. Unfortunately, the words "Go to Amtrak.com Now and Update Your Profile" were a hyperlink that led to a third-party website, amtrak.bfi0.com. The same was the case with a few other links embedded at the bottom of the message.
Links to websites outside the company's recognizable domain are a tell-tale sign of a phishing message. It seems that the message was authentic after all, but how were the customers to know? A phishing message targeting Amtrak customers would look exactly like this, though it would point to some other cryptically-named domain instead of amtrak.bfi0.com. Note that "amtrak" appearing somewhere in the hostname proves nothing: amtrak.bfi0.com is a host under bfi0.com, which is controlled by whoever owns bfi0.com, not by Amtrak.
Companies often use mass-mailing services to send out such communications and to collect click-through statistics. This may be appropriate for marketing-type messages, but it is not wise for sensitive communications that deal with logon procedures or credentials.
If you need to send a sensitive mass email to your customers, consider:
- Do not include any links in the message at all. Instead, ask the recipient to visit your company's website using the address they know (www.companyname.com) or have bookmarked in the past.
- If you need to include links, make sure they point to websites hosted under your company's recognizable domain, such as abc.companyname.com. For bonus points, use an HTTPS link instead of HTTP, with a valid SSL certificate issued for that hostname, to help the customers validate your site's authenticity. Keep in mind that a valid certificate only ties the site to the hostname in the link; a certificate for a third party's host, such as amtrak.bfi0.com, says nothing about the company the message claims to come from.
- Warn the customers in advance that they will receive an email from you via a status update on your website or in the regular reports you may already deliver to your customers. Explain how the customers can confirm the authenticity of your message.
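To make the link-domain test described above concrete, here is an added example (not part of the original diary, and not Amtrak's or any vendor's code) that pulls every hyperlink out of an HTML message body and reports whether its host is under the company's domain. The message body, the hostnames and the tracking URL are constructed to resemble the Amtrak email; the `user@host` case is an extra check I added for links whose visible hostname before an `@` is actually credentials, not the destination.

```python
"""Flag hyperlinks in a customer email that leave the sender's domain."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample resembling the Amtrak message: the visible text says
# Amtrak.com, but the first href points at a third-party mailing-service host.
SAMPLE_HTML = """
<p>Prior to this update, we ask that you log in to verify your account.</p>
<ul>
  <li><a href="http://amtrak.bfi0.com/click?u=12345">Go to Amtrak.com Now and Update Your Profile</a></li>
  <li><a href="https://www.amtrak.com/help">Help</a></li>
  <li><a href="http://www.amtrak.com/profile">Profile</a></li>
  <li><a href="http://www.amtrak.com@198.51.100.7/login">www.amtrak.com</a></li>
  <li><a href="mailto:privacy@amtrak.com">Privacy</a></li>
</ul>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_under_domain(host, domain):
    """True if host is the domain itself or a subdomain of it (abc.companyname.com).
    A suffix match on '.domain' avoids passing notcompanyname.com or company.evil.com."""
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify_links(html, company_domain):
    """Return a list of (href, visible text, verdict) for every anchor in the message."""
    parser = LinkCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        parts = urlsplit(href)
        if parts.scheme == "mailto":
            verdict = "mailto"  # not a web link; judge the address separately
        elif parts.scheme not in ("http", "https"):
            verdict = "off-domain"
        elif "@" in parts.netloc:
            # In user@host form the part before '@' is credentials, not the
            # host: 'www.amtrak.com@198.51.100.7' really goes to 198.51.100.7.
            verdict = "off-domain (userinfo trick)"
        elif not is_under_domain(parts.hostname or "", company_domain):
            verdict = "off-domain"
        elif parts.scheme != "https":
            verdict = "on-domain (http, not https)"
        else:
            verdict = "on-domain"
        results.append((href, text, verdict))
    return results


def off_domain_links(html, company_domain):
    """Just the hrefs a sender should not be shipping in a sensitive message."""
    return [href for href, _, verdict in classify_links(html, company_domain)
            if verdict.startswith("off-domain")]


if __name__ == "__main__":
    for href, text, verdict in classify_links(SAMPLE_HTML, "amtrak.com"):
        print(f"{verdict:30} {href:45} [{text}]")
```

Run this over the outgoing message before it is sent: anything reported as off-domain is a link a customer cannot distinguish from a phishing link. The visible text is returned alongside the href because the Amtrak message's problem was exactly that "Go to Amtrak.com" did not go to Amtrak.com.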
Do you have any suggestions for communicating with customers via email? Let us know.
Update: David Wharton wrote to share his experiences handling phishing campaigns against his bank's customers. Sometimes he sees "phishing emails that contain valid (non-phish) links and do not point to a phish site. The links to login actually go to our login page. My only thought as to the reason they would do that is to add to overall customer confusion." Indeed, adding to customer confusion could be a reason for seeing valid URLs in phishing messages. Alternatively, we may be seeing these messages in the early testing phase. Finally (as was pointed out by another ISC handler), the senders of these messages may be targeting victims whose DNS settings or hosts file have been tampered with, so when they access www.companyname.com, the name resolves to an IP address of the attacker's server.
Update 2: Ned Slider mentioned that another reason for phishing emails containing links to legitimate sites could be that "the phish victim may already be infected with keylogging malware designed to capture authentication on legitimate websites." (Looks like T. K. had the same idea, and posted it in the comments to this diary.)
Update 3: John Silvestri pointed out that Steven Bellovin described his perspective on the same Amtrak email earlier this month in his blog. Thanks for the pointer, John!
Update 4: Ray Ellington recommended that senders use DomainKeys, "an e-mail authentication system designed to verify the DNS domain of an e-mail sender and the message integrity" (according to Wikipedia). Ray mentioned that "most people probably don't even notice since you must click 'Details' in most web based email browsers to see that it has been signed. But for those who understand what digital signing of email is they can click" and confirm the message's origin.
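The signing domain Ray refers to is the `d=` tag of the DKIM-Signature header. Here is an added example (not part of the original diary, and not code from Ray, SANS or any DKIM library) that reads that tag and compares it with the From: domain, so a recipient or a mail gateway can tell whether the company itself signed the message or a third-party mailing service did. The two messages are constructed; the `bh=` and `b=` values are placeholders, and the code does not verify the signature cryptographically (that requires fetching the public key from DNS, which a library such as dkimpy does), so it only answers "who claims to have signed this", which is exactly what the Details view shows a user.

```python
"""Read the DomainKeys/DKIM signing domain (d=) from a message and compare it
with the From: domain. This does not verify the signature itself."""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages. The bh= and b= values are placeholders, not real
# hashes or signatures; only the d=, s= and h= tags matter for this check.
SIGNED_BY_MAILING_SERVICE = """From: Amtrak <notifications@amtrak.com>
To: customer@example.net
Subject: Changes Coming to Your Amtrak.com Login
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bfi0.com; s=mail;
 h=from:to:subject; bh=cGxhY2Vob2xkZXI=; b=cGxhY2Vob2xk
 ZXI=

Please log in to verify your account.
"""

# Same message, but signed under the company's own domain.
SIGNED_BY_COMPANY = SIGNED_BY_MAILING_SERVICE.replace("d=bfi0.com", "d=amtrak.com")


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value ('k=v; k=v; ...') into a dict.
    Folding whitespace inside values (a wrapped b= tag) is removed."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)  # b= values contain '=' padding
            tags[key.strip()] = "".join(value.split())
    return tags


def from_domain(msg):
    """Domain of the address in From:, lower-cased ('' if absent)."""
    _, address = parseaddr(msg.get("From", ""))
    return address.rpartition("@")[2].lower()


def is_under_domain(host, domain):
    """True if host equals domain or is a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def check_alignment(raw_message):
    """Return the From: domain and, per DKIM-Signature header, the signer (d=),
    the selector (s=), whether From: is among the signed headers, and whether
    the signing domain is the From: domain or a parent of it."""
    msg = message_from_string(raw_message)
    sender = from_domain(msg)
    report = {"from_domain": sender, "signatures": []}
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_dkim_tags(header)
        signer = tags.get("d", "")
        signed_headers = tags.get("h", "").lower().split(":")
        report["signatures"].append({
            "d": signer,
            "s": tags.get("s", ""),
            "covers_from": "from" in signed_headers,
            "aligned": bool(signer) and is_under_domain(sender, signer),
        })
    return report


if __name__ == "__main__":
    for raw in (SIGNED_BY_MAILING_SERVICE, SIGNED_BY_COMPANY):
        print(check_alignment(raw))
```

For the first message the report says the signer is bfi0.com while From: is amtrak.com: a valid signature there proves the mailing service sent it, not that Amtrak did. A sender who wants customers (and their mail filters) to get the assurance Ray describes has to sign under its own domain, as in the second message.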
Security Consulting - SAVVIS, Inc.
Lenny teaches a SANS course on analyzing malware.