
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2014-10-10



CSAM: Month of False Positives - Breach Emails?

Published: 2014-10-10
Last Updated: 2014-10-11 13:32:40 UTC
by Rick Wanner (Version: 1)

With all the high-profile breaches, pretty much every one of us has received a breach notification email in the recent past. But how many of you could tell if it was legitimate?

Take this email from Target from early in 2014. 

With all the Target phishing campaigns going around at the time, many people questioned the legitimacy of this email. At first glance it looks pretty legitimate.

With all the garbage email we receive, most of us have become diligent enough to check, at a minimum, two things:

- links in the email point where the link text says they point, and the destination looks legitimate,

- the sender address and the reply-to address do not look spoofed.

In this case there is only one link in the email and it points to creditmonitoring.target.com, which is a page in the target.com website. What made people question the legitimacy was the From email address. It was sent from TargetNews@target.bfi0.com. Clearly not a Target domain.

It turns out this email is legitimate. bfi0.com is a part of Epsilon Interactive, a marketing service that Target uses for customer marketing. If you check Target's FAQ page, it says:

Q: How do I prevent Target emails from going to my bulk or junk folder?
A: To make sure you continue to receive Target emails in your personal inbox (not bulk or junk folders), please take a moment to add Target.com [TargetNews@Target.bfi0.com] to your email address book.
 
This one from Fisher Price also looks, and is, legitimate.  
 
---------------
From: "customerservice@fisher-pricestore.com " <service@service.fisher-pricestore.com>
Subject: Important Request from Fisher-Price Online Store
Reply-To: service@service.fisher-pricestore.com


To ensure you receive our Fisher-Price e-mails in your inbox (not bulk or junk folders), please add
service@eservice.fisher-pricestore.com to your address book

Dear Valued Customer,

In order to improve your Fisher-Price Online Store website experience, we have transitioned to a different technology platform. As part of the transition, existing password information has been removed from your account. Before you can login to your account on the new site, you will need to reset your password using the "Forgot Password?" link.

As an added measure of security during the transition, all payment information was also removed from your account. After logging in, please feel free to re-enter that information for fast and easy checkout.

Thank you for your immediate attention to this matter and your continued interest in Fisher-Price Online Store. We look forward to serving you soon!

Sincerely,

Fisher-Price Online Store Customer Service

Please note that this does not affect your password for Fisher-Price.com.  No changes are needed for your Fisher-Price.com account.


Questions? Please contact Customer Service at 1-800-747-8697.
US postal mail address: Mattel Direct, Inc., Attn: Customer Service, PO Box 620978, Middleton, WI 53562-0978
Fisher-Price Privacy Statement | Legal Terms and Conditions
©2014 Mattel, Inc. All Rights Reserved
 
---------------------
 
As far as I know, this email did not have anything to do with a breach, just an upgrading of their website security, but Chris, who sent this to the ISC, indicated that it "stank of Phishing". I must admit that something about this email gave me the heebie-jeebies at first, but at second glance this is one of the better ways of getting users to change credentials. There are no links in the email, only a recommendation to use the website's "Forgot Password" link.
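The two checks listed above (link destination, and From/Reply-To address), run over the headers quoted in this diary. This is an added example, not code from the diary or the ISC. The message bodies, the "Target.com" display name, the `https` URL and the `documented_senders` allowlist are constructed assumptions, and `base_domain` uses a naive last-two-labels rule.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

def base_domain(host):
    # Assumption: naive last-two-labels rule (fine for .com); use the Public Suffix List in production.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class LinkCollector(HTMLParser):  # gathers (href, visible text) for each <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def triage(raw, brand_domain, documented_senders=()):  # findings for a single-part message
    msg, findings = message_from_string(raw), []
    for header in ("From", "Reply-To"):
        display, addr = parseaddr(msg.get(header, ""))
        dom = addr.rpartition("@")[2].lower()
        if addr and base_domain(dom) != brand_domain and dom not in documented_senders:
            findings.append(f"{header} domain {dom} is outside {brand_domain}")
        if "@" in display and display.strip().lower() != addr.lower():
            findings.append(f"{header} display name {display.strip()} differs from {addr}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if base_domain(host) != brand_domain:
            findings.append(f"link target {host} is outside {brand_domain}")
        shown = text.lower().split("://")[-1].split("/")[0]
        if "." in shown and " " not in shown and shown != host:
            findings.append(f"link text shows {shown} but href goes to {host}")
    return findings

# Constructed samples: addresses follow the diary; display name, markup and URL scheme are made up.
TARGET = ('From: "Target.com" <TargetNews@target.bfi0.com>\nContent-Type: text/html\n\n'
          '<a href="https://creditmonitoring.target.com/">creditmonitoring.target.com</a>')
FISHER = ('From: "customerservice@fisher-pricestore.com " <service@service.fisher-pricestore.com>\n'
          'Reply-To: service@service.fisher-pricestore.com\n\nUse the "Forgot Password?" link.')
```

Both legitimate messages produce one finding each. The Target finding clears only when the sender domain the company documents in its own FAQ is passed in as `documented_senders`, which is the lookup a reader has to do by hand.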
 
What emails have you received that at first glance you thought were phishing/spam and at second glance you realized were legitimate?
 

-- Rick Wanner - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)


Microsoft Security Bulletin Advance Notification for October 2014

Published: 2014-10-10
Last Updated: 2014-10-10 09:18:30 UTC
by Basil Alawi S.Taher (Version: 1)

Microsoft has announced the heads-up for this month's security patches. Of the nine bulletins, three are rated as critical, one as moderate and five as important.

https://technet.microsoft.com/library/security/ms14-oct

 

 
