How not to write a mass email to your customers.

Published: 2008-02-25
Last Updated: 2008-02-26 04:16:02 UTC
by Lenny Zeltser (Version: 1)
3 comment(s)

Customers are beginning to lose trust in email. With good reason: it is easy to spoof and it has been a leading threat vector for phishing and malware attacks. This means that you need to be extra careful when sending mass-email to your customers.

Earlier this month I received a message that claimed to be from Amtrak [amtrak@amtrak.bfi0.com]. It said:

Dear Customer,

Changes Coming to Your Amtrak.com Login

In an effort to streamline the login process and communicate more effectively with our customers, we will be changing the way you access your Amtrak.com account in a few weeks. Prior to this update, we ask that you log in to verify the accuracy of the information in your account.
•    Go to Amtrak.com Now and Update Your Profile
This change will not affect how Amtrak Guest Rewards members log into amtrakguestrewards.com. [The message continued... Cut for brevity.]

I cannot complain about the text of the message. Unfortunately, the words "Go to Amtrak.com Now and Update Your Profile" were a hyperlink that led to a third-party website, amtrak.bfi0.com. The same was the case with a few other links embedded at the bottom of the message.

Links to websites not associated with the company's recognizable domain are a tell-tale sign of a phishing message. It seems that the message was authentic after all, but how were the customers to know? A phishing message targeting Amtrak customers would look exactly like this, though it would point to some other cryptically-named domain instead of amtrak.bfi0.com.

Companies often use mass-mailing services to send out such communications and to collect click-through statistics. This mail be appropriate for marketing-type messages, but is not wise for sensitive communications that deal with logon procedures or credentials.

If you need to send a sensitive mass email to your customers, consider:

  • Do not include any links in the message at all. Instead, ask the recipient to visit your company's website using the address they know (www.companyname.com) or have bookmarked in the past.
  • If you need to include links, make sure they are to websites hosted under your company's recognizable domain, such as abc.companyname.com. For bonus points, use an HTTPS link, instead of HTTP, with a valid SSL certificate to help the customers validate your site's authenticity.
  • Warn the customers in advance that they will receive an email from you via a status update on your website or in the regular reports you may already deliver to your customers. Explain how the customers can confirm the authenticity of your message.

Do you have any suggestions for communicating with customers via email? Let us know.

Update: David Wharton wrote to share his experiences handling phishing campaigns against his bank's customers. Sometimes he sees "phishing emails that contain valid (non-phish) links and do not point to a phish site.  The links to login actually go to our login page.  My only thought as to the reason they would do that is to add to overall customer confusion." Indeed, adding to customer confusion could be a reason for seeing valid URLs in phishing messages. Alternatively, we may be seeing these messages in the early testing phase. Finally (as was pointed out by another ISC handler), the senders of these messages may be targeting victims whose DNS records may have been tampered with, so when they access www.companyname.com, they will be pointed to an IP address of the attacker's server.

Update 2: Ned Slider mentioned that another reason for phishing emails containing links to legitimate sites could be that "the phish victim may already be infected with keylogging malware designed to capture authentication on legitimate websites." (Looks like T. K. had the same idea, and posted it in the comments to this diary.)

Update 3: John Silvestri pointed out that Steven Bellovin described his perspective on the same Amtrak email earlier this month in his blog. Thanks for the pointer, John!

Update 4: Ray Ellington recommended that senders use DomainKeys, "an e-mail authentication system designed to verify the DNS domain of an e-mail sender and the message integrity" (according to Wikipedia). Ray mentioned that "most people probably don't even notice since you must click 'Details' in most web based email browsers to see that it has been signed. But for those who understand what digital signing of email is they can click" and confirm the message's origin.

-- Lenny

Lenny Zeltser
Security Consulting - SAVVIS, Inc.

Lenny teaches a SANS course on analyzing malware.

Keywords:
3 comment(s)

Comments

That's really quite bad. It almost looks like legit companies (or their PR agencies) taking tips from the phishers!
I can think of one other possibility brought up in that update. I don't know of any attacks doing this so this is completely hypothetical. Let's say a person's computer has been hit with a keylogger virus that phones home with login information. Using whatever information they've gleaned, they send you an email prompting you to log in to a legitimate site. The customer sees it is the correct site so proceeds as requested. Now the keylogger has the login information for the bank account.

There are a couple of weaknesses in this situation since most of these virus authors want the highest payback for the least amount of work, so I doubt they'd want to parse through a bunch of information just to find out what bank you use so they could carefully craft a specific email to "trick" the user into logging into a legitimate banking site. Dunno...just brain ooze. ;)
I thought this looked familiar - Steve Bellovin discussed this same e-mail campaign not too long ago:
http://www.cs.columbia.edu/~smb/blog/2008-02/2008-02-13.html

Diary Archives