STOP. SENDING. SURVEYS. FROM.
-
@WiteWulf @babe which is why i don't like it, but what's the alternative in this case? third parties gonna third party, and I'm not manually checking each of them against the partners and purposes lists from every company i do business with. it's more of a "what can i do with what i have" solution, if they at least give me that. my own threat model doesn't contain personal directed attacks.
@horsedreamer @babe ah, sorry, I didn’t grasp the full context. Apologies.
Umm, what’s better? Good question. The “trusted” third-party thing isn’t a thing, as they implicitly can’t be trusted, can they?
-
STOP. SENDING. SURVEYS. FROM. THIRD. PARTY. SERVICES.
It looks sus as ducks having something from randomsurvey.co.uk come through on behalf of YourCompany with every domain/link in the email having no obvious link to it. Rarely is there a single link to the company domain, with everything pointing to the that of the commissioned survey provider.
To me it sets off every damn alarm bell for a phishing attempt. Expecting customers to use it encourages unsafe practices.
@babe I just don't respond to surveys any more, because there are too many.
Recently stayed at a hotel with breakfast included, and for each and every day of my stay I had (i) an email confirming my reservation in the restaurant for breakfast, and (ii) an email asking me to complete a survey on my dining experience...
-
@horsedreamer @babe but without a system like DNSSEC (which is still woefully underimplemented), DNS is trivial to spoof. Unicode domain name abuse is also rife, sadly. DNS really shouldn’t be used as a means of verification when there’s no cryptographic trust mechanism in place.
@WiteWulf @horsedreamer @babe
While not wrong, this misses the point.No, having the correct company domain does not show that an email isn't a scam.
But sending from a domain clearly not related to the company IS an obvious sign of a scam.
Positive vs negative verification.
Unfortunately, "make it look like a scam" is on page one of every book on corporate "best practices".
-
@babe Not just surveys – every mail from a large company nowadays seems is coming through one of approximately 3 mass mailers that a bunch of scammers also use. And there's no point in checking the links, because they've all been rewritten to go through a link tracker.
@jernej__s @babe in my last job one of the dead giveaway signs of a phishing test (not actual phishing, just the internal testing) was that links went to bare domains, and not the internal link filtering domain. It was comical how stupid it was.
-
STOP. SENDING. SURVEYS. FROM. THIRD. PARTY. SERVICES.
It looks sus as ducks having something from randomsurvey.co.uk come through on behalf of YourCompany with every domain/link in the email having no obvious link to it. Rarely is there a single link to the company domain, with everything pointing to the that of the commissioned survey provider.
To me it sets off every damn alarm bell for a phishing attempt. Expecting customers to use it encourages unsafe practices.
@babe Once upon a time I was working in a cybersecurity company. Of course we got phising reminders, trainings, and could report emails,
So, after a strict reminder not to click on suspicious links in emails, check domains &c, we got this email for registering for a company party. It was from a third party company, the email came from their domain. The registration link was an another domain. Of course our company was only mentioned in the text.
1/2
-
@babe Once upon a time I was working in a cybersecurity company. Of course we got phising reminders, trainings, and could report emails,
So, after a strict reminder not to click on suspicious links in emails, check domains &c, we got this email for registering for a company party. It was from a third party company, the email came from their domain. The registration link was an another domain. Of course our company was only mentioned in the text.
1/2
@babe Of course it was reported multiple times as phising. The next day the management was annoyed if not angry why we did report obviously non-malicious emails and we should register using these links!
They were explained that this looked very much like phishing and please could they tell how we should know.
After that there was usually an email from the mgmt which said that yes, the next phising email is not phishing.
But I still think that was a bad solution.
2/2
-
STOP. SENDING. SURVEYS. FROM. THIRD. PARTY. SERVICES.
It looks sus as ducks having something from randomsurvey.co.uk come through on behalf of YourCompany with every domain/link in the email having no obvious link to it. Rarely is there a single link to the company domain, with everything pointing to the that of the commissioned survey provider.
To me it sets off every damn alarm bell for a phishing attempt. Expecting customers to use it encourages unsafe practices.
@babe So much effort is spent training people about *spotting* phishing attempts, but I have never once seen a single piece of training on how to *send* email, and what minimum standards procurement teams should be *demanding* from third parties.
It's like holding a masked ball, and then complaining that people didn't watch each others faces.
-
STOP. SENDING. SURVEYS. FROM. THIRD. PARTY. SERVICES.
It looks sus as ducks having something from randomsurvey.co.uk come through on behalf of YourCompany with every domain/link in the email having no obvious link to it. Rarely is there a single link to the company domain, with everything pointing to the that of the commissioned survey provider.
To me it sets off every damn alarm bell for a phishing attempt. Expecting customers to use it encourages unsafe practices.
@babe Or DHL messaging me over WhatsApp(!) about paying some kind of import taxes and fees for a package from the UK. "Just click on this link to pay the fees before the delivery of your package".
Like... what? That's exactly the way any scammer would do it. And it's exactly what I told my parents to be aware of.
-
@babe Or DHL messaging me over WhatsApp(!) about paying some kind of import taxes and fees for a package from the UK. "Just click on this link to pay the fees before the delivery of your package".
Like... what? That's exactly the way any scammer would do it. And it's exactly what I told my parents to be aware of.
@Fettlaus dhl are one who scammers claim to be, with messages about unpaid charges on packages!
-
@Fettlaus dhl are one who scammers claim to be, with messages about unpaid charges on packages!
@Fettlaus And this kind of goes in with part of the risk involved in these practices.
Right now I'm confident the survey from a partner of Uber (which triggered this rant) is legit. But given nothing links to uber, what's to stop a scammer from copying it wholesale? It's the kind of thing that is ripe for scammers to use
-
@babe So much effort is spent training people about *spotting* phishing attempts, but I have never once seen a single piece of training on how to *send* email, and what minimum standards procurement teams should be *demanding* from third parties.
It's like holding a masked ball, and then complaining that people didn't watch each others faces.
@imsop @babe I would say that at a bare minimum, mail sent on your domain's behalf needs to come from a host in that domain's SPF info.
I've seen even *password reset* mail come from the great elsewhere, and of course arriving long after any timeout.
But apparently even those deliveries succeed often enough that the misconfigurations persist.
At the cost, in most cases, of me not continuing to be their customer or member.
-
STOP. SENDING. SURVEYS. FROM. THIRD. PARTY. SERVICES.
It looks sus as ducks having something from randomsurvey.co.uk come through on behalf of YourCompany with every domain/link in the email having no obvious link to it. Rarely is there a single link to the company domain, with everything pointing to the that of the commissioned survey provider.
To me it sets off every damn alarm bell for a phishing attempt. Expecting customers to use it encourages unsafe practices.
@babe and if they don't want to host the actual surveys themselves, redirects exist
-
STOP. SENDING. SURVEYS. FROM. THIRD. PARTY. SERVICES.
It looks sus as ducks having something from randomsurvey.co.uk come through on behalf of YourCompany with every domain/link in the email having no obvious link to it. Rarely is there a single link to the company domain, with everything pointing to the that of the commissioned survey provider.
To me it sets off every damn alarm bell for a phishing attempt. Expecting customers to use it encourages unsafe practices.
@babe Especially when that means they've leaked the separate email address I gave to their org via the survey company.
-
@babe So much effort is spent training people about *spotting* phishing attempts, but I have never once seen a single piece of training on how to *send* email, and what minimum standards procurement teams should be *demanding* from third parties.
It's like holding a masked ball, and then complaining that people didn't watch each others faces.
-
I get a few of these emails every year and occasionally investigate. A few of them WERE phishing attempts, sent to emails that had featured in major leaks.
The phishing emails and legitimate emails were indistinguishable. By using third party services on third party domains, you look like a scammer.
There is another element to this that companies don't seem to consider:
If you use third party services for surveys, marketing etc, and you tell customers that yes, they are legitimate, not to worry. What's stopping a scammer from copying these emails and sending them from servicenames similar to the legitimate third party vendor?
-
STOP. SENDING. SURVEYS. FROM. THIRD. PARTY. SERVICES.
It looks sus as ducks having something from randomsurvey.co.uk come through on behalf of YourCompany with every domain/link in the email having no obvious link to it. Rarely is there a single link to the company domain, with everything pointing to the that of the commissioned survey provider.
To me it sets off every damn alarm bell for a phishing attempt. Expecting customers to use it encourages unsafe practices.
-
STOP. SENDING. SURVEYS. FROM. THIRD. PARTY. SERVICES.
It looks sus as ducks having something from randomsurvey.co.uk come through on behalf of YourCompany with every domain/link in the email having no obvious link to it. Rarely is there a single link to the company domain, with everything pointing to the that of the commissioned survey provider.
To me it sets off every damn alarm bell for a phishing attempt. Expecting customers to use it encourages unsafe practices.
@babe Every cloud platform makes me rage for this. yourorganization.whoeverythisis.com being the pattern everyone should just trust and use SSO with?
Or Microsoft which thinks a single Teams workflow should have a user connect to teams.microsoft.com, my.sharepoint.com, planner.cloud.microsoft, and login.microsoftonline.com and hope users will still notice a lookalike phishing domain.
-
There is another element to this that companies don't seem to consider:
If you use third party services for surveys, marketing etc, and you tell customers that yes, they are legitimate, not to worry. What's stopping a scammer from copying these emails and sending them from servicenames similar to the legitimate third party vendor?
@babe but… that would be RUDE!?
-
FILL OUT THIS SURVEY FOR A FINANCIAL REWARD! is even worse. You're offering remuneration to customers for the watering down of their good security practices.
@babe Thank you for "remuneration." I hear people say "renumeration" all the time and it drives me nuts. Like, well known people, commentators and such, who should know better.
-
There is another element to this that companies don't seem to consider:
If you use third party services for surveys, marketing etc, and you tell customers that yes, they are legitimate, not to worry. What's stopping a scammer from copying these emails and sending them from servicenames similar to the legitimate third party vendor?
@babe i bought a car and the dealership pre-scheduled maintenance appointments for me, without telling me about this at all. They sent a link to my phone from an unfamiliar 5 digit number, not affiliated with the dealership or manufacturer. i fully ignored it thinking it was a scam text. In Ohio, registration is public record so scammers love to buy the reg records so they know your exact car down to the full VIN
I got one of these today from my bank 
