
SANS ISC: CSAM: Month of False Positives - Breach Emails? - SANS Internet Storm Center SANS ISC InfoSec Forums

CSAM: Month of False Positives - Breach Emails?

With all the high profile breaches pretty much every one of us has received a breach notification email in the recent past.  But how many of you could tell if it was legitimate?

Take this email from Target from early in 2014. 

With all the Target phishing campaigns going around at the time, many people questioned the legitimacy of this email. At first glance it looks pretty legitimate.

With all the garbage email we receive, most of us have been diligent enough to check at least two things:

- the links in the email point where the link text says they point, and the destination looks legitimate,

- the sender address and the reply-to address do not look spoofed.

In this case there is only one link in the email, and it points to creditmonitoring.target.com, which is a page on the target.com website. What made people question the legitimacy was the From address: it was sent from TargetNews@target.bfi0.com, clearly not a Target domain.

It turns out this email is legitimate. bfi0.com belongs to Epsilon Interactive, a marketing service that Target uses for customer marketing. Target's FAQ page says:

Q: How do I prevent Target emails from going to my bulk or junk folder?
A: To make sure you continue to receive Target emails in your personal inbox (not bulk or junk folders), please take a moment to add Target.com [TargetNews@Target.bfi0.com] to your email address book.
 
This one from Fisher-Price also looks, and is, legitimate.
 
---------------
From: "customerservice@fisher-pricestore.com " <service@service.fisher-pricestore.com>
Subject: Important Request from Fisher-Price Online Store
Reply-To: service@service.fisher-pricestore.com


To ensure you receive our Fisher-Price e-mails in your inbox (not bulk or junk folders), please add
service@eservice.fisher-pricestore.com to your address book

Dear Valued Customer,

In order to improve your Fisher-Price Online Store website experience, we have transitioned to a different technology platform. As part of the transition, existing password information has been removed from your account. Before you can login to your account on the new site, you will need to reset your password using the "Forgot Password?" link.

As an added measure of security during the transition, all payment information was also removed from your account. After logging in, please feel free to re-enter that information for fast and easy checkout.

Thank you for your immediate attention to this matter and your continued interest in Fisher-Price Online Store. We look forward to serving you soon!

Sincerely,

Fisher-Price Online Store Customer Service

Please note that this does not affect your password for Fisher-Price.com.  No changes are needed for your Fisher-Price.com account.


Questions? Please contact Customer Service at 1-800-747-8697.
US postal mail address: Mattel Direct, Inc., Attn: Customer Service, PO Box 620978, Middleton, WI 53562-0978
Fisher-Price Privacy Statement | Legal Terms and Conditions
©2014 Mattel, Inc. All Rights Reserved
 
---------------------
 
As far as I know this email did not have anything to do with a breach, just an upgrade of their website security, but Chris, who sent this to the ISC, indicated that it "stank of phishing". I must admit that something about this email gave me the heebie-jeebies at first, but on second glance this is one of the better ways of getting users to change credentials: there are no links in the email, only a recommendation to use the website's "Forgot Password?" link.

What emails have you received that at first glance you thought were phishing/spam and on second glance you realized were legitimate?
 

-- Rick Wanner - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Rick

293 Posts
ISC Handler
In my opinion, techniques for spotting phishing emails (and being able to accurately determine the domain name in a link -- i.e. read the bit just before the first single slash) are about the most important information to pass on to non-technical end-users. So it pretty much forms the centerpiece of my Information Security awareness training efforts. If more folks can get that part right the battle against malicious intrusions is that much easier.

This seems like a good opportunity to give a nod to "phishingquiz.mcafee.com", which contains a mix of legitimate and phishing emails that people can use to test themselves or train others. It's free, no registration needed and I have nothing to do with McAfee. It's just a good free web-based quiz.

I think the part we are missing is how to easily spot phishing emails/messages/SMS on mobile devices. How do you "mouse over" a link on a phone or tablet? Sometimes holding the link for a second or two works, but that's a little scary if you think it might be dangerous. But perhaps the awareness training and functionality need to keep up with the technology better in that area.

Gavin
Gavin

4 Posts
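The two checks from the diary (link destinations match what the link text claims; sender and Reply-To domains look consistent) and Gavin's rule for finding the real domain in a link (the host is the part before the first single slash, and a `user@` prefix before it is not the host) can be automated for a first-pass triage. The script below is an added example, not code from the diary or from ISC; the two messages it inspects are constructed here (the legitimate one reuses the addresses quoted in the diary, the decoy uses reserved `example.net` names), and `org_domain` deliberately assumes two-label organisational domains because it carries no public-suffix list.

```python
"""Triage a breach-notification email: sender vs Reply-To, link text vs link target."""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample messages. The first mirrors the legitimate Target mail
# described in the diary; the second is a decoy built from reserved example names.
LEGIT_TARGET = """\
From: Target <TargetNews@target.bfi0.com>
Reply-To: TargetNews@target.bfi0.com
Subject: Important notice about your Target account
Content-Type: text/html; charset=utf-8

<p>Enroll at <a href="https://creditmonitoring.target.com/">creditmonitoring.target.com</a>.</p>
"""

DECOY = """\
From: Target <TargetNews@target.bfi0.com>
Reply-To: replies@mailer.example.net
Subject: Important notice about your Target account
Content-Type: text/html; charset=utf-8

<p>Enroll at <a href="http://target.com@creditmonitoring.example.net/login">creditmonitoring.target.com</a>.</p>
"""

# Link text that itself looks like a hostname or URL, so it can be compared with the href.
HOSTLIKE = re.compile(r"^(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:/\S*)?$")


def host_of(url: str) -> str:
    """Host of a URL: the bit before the first single slash. urlsplit().hostname also
    discards any 'user@' prefix, which is a common way to disguise the real host."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def org_domain(host: str) -> str:
    """Last two labels of a host (assumption: no public-suffix list, so co.uk-style
    domains are not handled correctly by this helper)."""
    return ".".join(host.split(".")[-2:])


def address_domain(header: str) -> str:
    """Domain of the first mailbox in a From: or Reply-To: header."""
    addr = email.utils.parseaddr(header)[1]
    return addr.rpartition("@")[2].lower()


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw: str) -> dict:
    """Apply the diary's two checks; red_flags are mismatches, notes need human judgement."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = address_domain(str(msg["From"]))
    reply_to = address_domain(str(msg["Reply-To"] or msg["From"]))
    parser = LinkExtractor()
    parser.feed(msg.get_content())
    red_flags, notes = [], []
    if org_domain(reply_to) != org_domain(sender):
        red_flags.append(f"Reply-To domain {reply_to} differs from sender domain {sender}")
    for href, text in parser.links:
        href_host = host_of(href)
        if HOSTLIKE.match(text) and host_of(text) != href_host:
            red_flags.append(f"link text says {host_of(text)} but points to {href_host}")
        if org_domain(href_host) != org_domain(sender):
            # Not automatically bad: the real Target mail was sent via bfi0.com
            # and linked to target.com. Verify the sender is a known mailer.
            notes.append(f"link to {href_host} is outside sender domain {sender}; confirm the sender is a known mailer")
    return {"sender": sender, "reply_to": reply_to,
            "links": [h for h, _ in parser.links], "red_flags": red_flags, "notes": notes}


if __name__ == "__main__":
    for name, raw in (("legitimate", LEGIT_TARGET), ("decoy", DECOY)):
        print(name, triage(raw))
```

The legitimate message produces no red flags but one note, because the sender domain (bfi0.com) and the link domain (target.com) differ, which is exactly the situation that made readers doubt the real Target mail; that case is left to a human. The decoy trips both checks: the Reply-To goes to a different organisation, and the link text claims `creditmonitoring.target.com` while the href, once the `target.com@` decoration is stripped, actually resolves to `creditmonitoring.example.net`.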
There is a small mistake in the Fisher-Price email: Both the From and Reply-To email addresses are "service@service.fisher-pricestore.com" but it suggests that you add "service@eservice.fisher-pricestore.com" (note "eservice" not "service" after the @) to your address book. Oops!

patermann
patermann

35 Posts
