STOP. SENDING. SURVEYS. FROM.
-
STOP. SENDING. SURVEYS. FROM. THIRD. PARTY. SERVICES.
It looks sus as ducks having something from randomsurvey.co.uk come through on behalf of YourCompany with every domain/link in the email having no obvious link to it. Rarely is there a single link to the company domain, with everything pointing to that of the commissioned survey provider.
To me it sets off every damn alarm bell for a phishing attempt. Expecting customers to use it encourages unsafe practices.
@babe Not just surveys – every mail from a large company nowadays seems to be coming through one of approximately 3 mass mailers that a bunch of scammers also use. And there's no point in checking the links, because they've all been rewritten to go through a link tracker.
-
@babe DNS *is* a form of authentication, whether we like it or not. "verizon.com" or whatever tells me that Verizon is somewhere in the chain of trust there. third parties that run from their own domains are asking us to just trust them, and with 836 partners having access to your data it's almost impossible to tell who is legit otherwise.
@horsedreamer @babe but without a system like DNSSEC (which is still woefully underimplemented), DNS is trivial to spoof. Unicode domain name abuse is also rife, sadly. DNS really shouldn’t be used as a means of verification when there’s no cryptographic trust mechanism in place.
-
@babe this was a big problem with a recent Discord survey. There was absolutely no indication that this is really Discord collecting feedback other than "the design looks like Discord, trust us bro"
@0 The one that triggered this was Uber.
There is nothing in the email that even points to Uber's domain, just 'we're doing this on behalf of Uber, we promise. We'll give you money if you click our link and tell us things'. It's completely indistinguishable from a phishing attempt.
-
@babe Sadly it's no better within companies when communicating with employees. What 3rd party is HR using _this_ month without giving everyone a heads-up?

-
@WiteWulf @babe which is why i don't like it, but what's the alternative in this case? third parties gonna third party, and I'm not manually checking each of them against the partners and purposes lists from every company i do business with. it's more of a "what can i do with what i have" solution, if they at least give me that. my own threat model doesn't contain personal directed attacks.
-
@horsedreamer @babe if only it was surveys. Logging in to your Office 365 account sends you to several different domains, with names like microsoftservices.com, outlook.mcas.ms, windowssecurity.com or whatever.
I know this stuff, and I have no idea if those are legit. We keep telling users to verify the domains, but if not even technical people can figure it out, how is anyone going to be able to do it?
-
@babe Same with internal surveys that HR departments send out to employees, while the IT department grumps at people for failing its periodic phishing tests.
Those surveys sometimes also have text that says "This is totally anonymous, nobody at the company will ever know who you are, but this link is personalised so don't forward it to anyone else".
-
I have marked legit intra-company e-mail as malicious on the grounds that I can't read the URLs or that it came from a 3rd party service I did not expect.
A lot of services I use -- including banks sometimes -- really like calling me from suspected spam (or outright hidden) numbers. You would think they should at least have dedicated well-known numbers...
-
@babe Oh, and for extra fun, if you're in a company, there's a high possibility that the IT is using an e-mail security service that also rewrites the links (for security of course), making it even less likely to be able to figure out the real origin.
-
@horsedreamer @babe ah, sorry, I didn’t grasp the full context. Apologies.
Umm, what’s better? Good question. The “trusted” third-party thing isn’t a thing, as they implicitly can’t be trusted, can they?

-
@babe I just don't respond to surveys any more, because there are too many.
Recently stayed at a hotel with breakfast included, and for each and every day of my stay I had (i) an email confirming my reservation in the restaurant for breakfast, and (ii) an email asking me to complete a survey on my dining experience...
-
@WiteWulf @horsedreamer @babe
While not wrong, this misses the point. No, having the correct company domain does not show that an email isn't a scam.
But sending from a domain clearly not related to the company IS an obvious sign of a scam.
Positive vs negative verification.
Unfortunately, "make it look like a scam" is on page one of every book on corporate "best practices".
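The positive-versus-negative distinction above can be written down as a check. The following is an added example, not code from anyone in this thread: it parses a constructed survey e-mail, takes the domain of the From: address and of every link in the HTML body, and reports whether the brand the mail claims to speak for appears anywhere. The brand domain `examplecorp.example`, the vendor `randomsurvey.example` and the sample message are all made up for the example, and the two-label "registrable domain" shortcut is an assumption that a real deployment would replace with a Public Suffix List lookup.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a survey mailed "on behalf of" a brand where the sender
# address and every link belong to the survey vendor, not the brand.
SAMPLE_SURVEY_MAIL = """\
From: "Example Corp Feedback" <surveys@randomsurvey.example>
To: customer@example.net
Subject: Tell us about your recent trip
Content-Type: text/html; charset="utf-8"

<html><body>
<p>On behalf of Example Corp we would love your feedback.</p>
<a href="https://track.randomsurvey.example/c/abc123">Take the survey</a>
<a href="https://randomsurvey.example/privacy">Privacy policy</a>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects href values from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def registrable_domain(host):
    """Last two DNS labels, e.g. track.vendor.example -> vendor.example.
    Assumption for this example only: real code should consult the Public
    Suffix List so that names under co.uk and similar are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_domain(msg):
    """Domain of the address part of From:. The display name is ignored on
    purpose: it is free text and is exactly what a lookalike would spoof."""
    _, addr = parseaddr(msg["From"] or "")
    return registrable_domain(addr.rpartition("@")[2]) if "@" in addr else ""


def link_domains(msg):
    """Registrable domains of every http(s) link in the HTML body."""
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is None:
        return set()
    collector = _LinkCollector()
    collector.feed(body.get_content())
    domains = set()
    for href in collector.hrefs:
        parsed = urlparse(href)
        if parsed.scheme in ("http", "https") and parsed.hostname:
            domains.add(registrable_domain(parsed.hostname))
    return domains


def assess_mail(raw_message, brand_domain):
    """Negative verification: flag mail that claims to speak for brand_domain
    while neither the sender address nor any link touches that domain.
    A brand match is necessary, not sufficient; only its absence is decisive."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    brand = registrable_domain(brand_domain)
    from_dom = sender_domain(msg)
    links = link_domains(msg)
    brand_in_sender = from_dom == brand
    brand_in_links = brand in links
    if not brand_in_sender and not brand_in_links:
        verdict = "unverifiable: nothing ties this mail to " + brand
    else:
        verdict = "brand domain present: still check SPF/DMARC and link targets"
    return {
        "from_domain": from_dom,
        "link_domains": sorted(links),
        "brand_in_sender": brand_in_sender,
        "brand_in_links": brand_in_links,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in assess_mail(SAMPLE_SURVEY_MAIL, "examplecorp.example").items():
        print(f"{key}: {value}")
```

Run against the constructed message the result is "unverifiable", because the only domain in play is the vendor's; swapping a single link to the brand's own domain flips `brand_in_links` to true, which is the minimum the thread is asking senders to provide. Even then the check says "present", never "legitimate": that is the asymmetry of negative verification.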
-
@jernej__s @babe in my last job one of the dead giveaway signs of a phishing test (not actual phishing, just the internal testing) was that links went to bare domains, and not the internal link filtering domain. It was comical how stupid it was.
-
@babe Once upon a time I was working in a cybersecurity company. Of course we got phishing reminders, trainings, and could report emails.
So, after a strict reminder not to click on suspicious links in emails, check domains &c, we got this email for registering for a company party. It was from a third party company, the email came from their domain. The registration link was on another domain. Of course our company was only mentioned in the text.
1/2
-
@babe Of course it was reported multiple times as phishing. The next day the management was annoyed, if not angry, about why we had reported obviously non-malicious emails, and said we should register using these links!
It was explained to them that this looked very much like phishing, and could they please tell us how we should know.
After that there was usually an email from the mgmt which said that yes, the next phishing email is not phishing.
But I still think that was a bad solution.
2/2
-
@babe So much effort is spent training people about *spotting* phishing attempts, but I have never once seen a single piece of training on how to *send* email, and what minimum standards procurement teams should be *demanding* from third parties.
It's like holding a masked ball, and then complaining that people didn't watch each other's faces.
-
@babe Or DHL messaging me over WhatsApp(!) about paying some kind of import taxes and fees for a package from the UK. "Just click on this link to pay the fees before the delivery of your package".
Like... what? That's exactly the way any scammer would do it. And it's exactly what I told my parents to be aware of.
-
@Fettlaus DHL are one that scammers claim to be, with messages about unpaid charges on packages!
-
@Fettlaus And this kind of goes in with part of the risk involved in these practices.
Right now I'm confident the survey from a partner of Uber (which triggered this rant) is legit. But given nothing links to uber, what's to stop a scammer from copying it wholesale? It's the kind of thing that is ripe for scammers to use
-
@imsop @babe I would say that at a bare minimum, mail sent on your domain's behalf needs to come from a host in that domain's SPF info.
I've seen even *password reset* mail come from the great elsewhere, and of course arriving long after any timeout.
But apparently even those deliveries succeed often enough that the misconfigurations persist.
At the cost, in most cases, of me not continuing to be their customer or member.
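The "bare minimum" in the post above is an SPF pass for the brand's own domain. As an added example (not code from anyone in this thread), here is a small SPF evaluator run against a constructed, in-memory stand-in for DNS: the brand domain `examplecorp.example` authorises its own MX host, one IPv4 range and a mail vendor via `include:`, while the survey vendor `randomsurvey.example` publishes a record of its own. All domains, addresses and records are made up for the example; the evaluator covers the `ip4`, `ip6`, `a`, `mx`, `include` and `all` mechanisms with the four qualifiers and the 10-lookup limit, and deliberately skips the rest of RFC 7208 (macros, `exists`, `redirect=`, permerror handling).

```python
import ipaddress

# Constructed stand-in for DNS: TXT, A and MX data for the example domains.
FAKE_DNS = {
    "TXT": {
        "examplecorp.example": [
            "v=spf1 mx ip4:203.0.113.0/24 include:_spf.mailvendor.example -all"
        ],
        "_spf.mailvendor.example": ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all"],
        "randomsurvey.example": ["v=spf1 ip4:192.0.2.10 -all"],
    },
    "A": {"mail.examplecorp.example": ["203.0.113.25"]},
    "MX": {"examplecorp.example": ["mail.examplecorp.example"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class SpfError(Exception):
    """Raised for conditions RFC 7208 treats as permerror."""


def _spf_record(domain, dns):
    """Return the single v=spf1 TXT record for domain, or None if there is none."""
    records = [r for r in dns["TXT"].get(domain, []) if r.startswith("v=spf1")]
    if not records:
        return None
    if len(records) > 1:
        raise SpfError("multiple SPF records for " + domain)
    return records[0]


def _host_has_ip(ip, host, dns):
    return any(ip == ipaddress.ip_address(a) for a in dns["A"].get(host, []))


def check_spf(sender_ip, domain, dns=FAKE_DNS, _budget=None):
    """Simplified SPF check: does `domain` authorise `sender_ip` to send mail
    with that domain in MAIL FROM?  Returns pass/fail/softfail/neutral/none."""
    ip = ipaddress.ip_address(sender_ip)
    budget = [10] if _budget is None else _budget  # lookup limit shared with includes
    record = _spf_record(domain, dns)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # `in` is False when the address family differs, so no special-casing
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx", "include"):
            budget[0] -= 1
            if budget[0] < 0:
                raise SpfError("more than 10 DNS-querying mechanisms")
            target = arg or domain
            if name == "a":
                matched = _host_has_ip(ip, target, dns)
            elif name == "mx":
                matched = any(_host_has_ip(ip, h, dns) for h in dns["MX"].get(target, []))
            else:  # include: only an inner "pass" counts as a match
                matched = check_spf(sender_ip, target, dns, budget) == "pass"
        else:
            continue  # mechanism or modifier this example does not implement
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without an "all" term


if __name__ == "__main__":
    for ip, dom in [("203.0.113.25", "examplecorp.example"),
                    ("198.51.100.7", "examplecorp.example"),
                    ("192.0.2.10", "examplecorp.example"),
                    ("192.0.2.10", "randomsurvey.example")]:
        print(f"{ip:>14} on behalf of {dom}: {check_spf(ip, dom)}")
```

The interesting case is the survey vendor's host `192.0.2.10`: it passes for `randomsurvey.example` and fails for `examplecorp.example`. That is exactly the situation the thread objects to: a vendor that sends under its own domain can have perfectly valid SPF and still leave the recipient with nothing that ties the mail to the brand. Putting the vendor in the brand's record (the `include:_spf.mailvendor.example` line) is what lets the brand's domain appear in MAIL FROM and, with DMARC alignment, in the visible From: as well. Note that SPF is evaluated against the envelope sender, so a passing result still has to be aligned with the header domain before it says anything about what the user sees.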