Interesting spam/phish technique: Look for subdomains with CNAMEs or SPF records that point to abandoned domains that you can then register…and effectively take control of the subdomain or SPF.

They haven’t seen any cases where it’s been used to host a phishing site at, say, an msn.com subdomain, but they’ve seen thousands of cases where it’s been used to pass email verification checks.

The article describing “SubdoMailing” gives a detailed example of a spam that made use of an msn.com subdomain that was used for a sweepstakes way back in in 2001, with a CNAME pointing to the long-abandoned domain name for the contest, but the subdomain was never actually deleted.

Lesson: check your DNS for any dangling references to outside domains that might not exist anymore!

The year is 2006. I’m complaining on my blog about businesses training their customers to fall for phishing attacks.

The year is 2011. I’m complaining on my blog about businesses training their customers to fall for phishing attacks.

The year is 2022. I’m complaining on my blog about businesses training their customers to fall for phishing attacks.

Corporations haven’t learned. Unfortunately, their customers have learned from all this training. And so has the fraud industry. Even if you’re usually savvy about this sort of thing, you can get caught up if the circumstances put you just off-balance enough to line up the holes in each overlapping layer of security.

I trusted this fraudster specifically because I knew that the outsource, out-of-hours contractors my bank uses have crummy headsets, don’t know how to pronounce my bank’s name, and have long-ass, tedious, and pointless standardized questionnaires they run through when taking fraud reports. All of this created cover for the fraudster, whose plausibility was enhanced by the rough edges in his pitch – they didn’t raise red flags. Cory Doctorow on “Swiss-cheese security.”

And here I am, in 2024, complaining on my blog about…well…you know.

Phishers: Hi, we’re your bank, please click on this attachment for important information.

Security experts: Never click on an unexpected attachment in an email even if you think you know who it’s from. It’s likely to be malware or a scam to steal your login credentials.

Actual banks: Hi, we’re your bank, please click on this attachment for important information. 🤦‍♂️

Seriously, I HATE these systems. The way they keep phishing and malware techniques believable — and have for years! — is worse than any supposed security advantage in not just using email. Half the time the info isn’t any more sensitive than a receipt would be. Or heck, even just “There’s a new message in your account, please log in to see it and use your own bookmarks to get there.” That’s actually more secure!

:sigh:

It’s really too bad all the schemes to add end-to-end security to email over the years have been either too cumbersome to take off for general usage or vendor-specific.

Banner: Comic-Con International

If you’re trying to get a message out, or provide a service, analytics are great. They tell you what’s working and what’s not, so you can focus on what does work. Unfortunately, when it comes to email, a lot of organizations use a third-party click-tracking service, which registers which mailing the user clicked on, then redirects them to the real website.

Why do I say unfortunately?

Because it’s what phishing does: Sets up a link that looks like it goes one place, but sends you somewhere else instead. In the case of a legitimate email with a click tracker, you end up at the real site eventually. In the case of a phishing message, you end up at a fake login page that wants to capture your username & password, or a site with drive-by malware downloads. Using this technique in legit mail trains people to ignore warning signs, making them more vulnerable to the bad guys. And it makes it harder for security software to detect phishing automatically.

Now add another reason: You don’t control that click-tracking service, so it had better be reliable.

That’s what happened with Comic-Con registration today.

Getting tickets to San Diego Comic-Con used to be a breeze, but last year the system broke down repeatedly. It took them three tries, with multiple handlers, to open a registration system that didn’t melt in the first few minutes.

A few days ago, Comic-Con International sent out a message with the date and time registration would open, and a link to where the page would be when it went live. They went to a lot of trouble to make sure their servers could handle the load, as did the company handling registration. They built a “waiting room” to make sure that people trying to buy tickets would get feedback, and get into a queue, when they arrived, but could still be filtered into the registration system slowly enough not to overwhelm it.

The weak link: The click tracker.

Continue reading

I’ve dealt with a couple of companies that try to plug the general lack of security in email by using a “secure email” service. The way this works is:

  1. The company sends you an email with a link to a third-party or co-branded website, asking you to click on it in order to read important information about your financial/insurance/whatever account. (Or better yet, the third party site sends you the mail on the company’s behalf.)
  2. You click on the link and open the site in your web browser.
  3. You register for the site (which usually involves entering your name, choosing a password, and possibly entering other personal detail like a reminder question.)
  4. You log into the site and actually read the message.

Can you see what the problem is?

That’s right: Steps 1-3 are exactly what you see in a phishing attack. Only in a phishing attack, the third-party site is a fake that’s trying to collect account information (like your login and password) or personal information (like your SSN).

So while they may be solving the immediate problem of “someone might intercept this message,” they’re perpetuating a broader problem by training people to fall for phishing attacks.

Sadly, this is not new.

Update 2022: A decade later, they’re still doing it.