STOP. SENDING. SURVEYS. FROM.
-
STOP. SENDING. SURVEYS. FROM. THIRD. PARTY. SERVICES.
It looks sus as ducks having something from randomsurvey.co.uk come through on behalf of YourCompany with every domain/link in the email having no obvious link to it. Rarely is there a single link to the company domain, with everything pointing to the that of the commissioned survey provider.
To me it sets off every damn alarm bell for a phishing attempt. Expecting customers to use it encourages unsafe practices.
@babe@glitterkitten.co.uk Those really aggravate me.
It's one thing if someone on social media announces a survey via their normal social media channels, but emails coming out of nowhere? Yeah, that's bad.
And some of them being legitimate(to the extent this sort of thing can be legitimate)... yeah, worse. Just makes this sort of thing look plausible.
If I can't get to it via a normal login to the company/service website, it might as well not exist for me. -
@babe Seems like a good thing to be compensated for the time and effort to complete a survey. I usually decline the survey if there's no compensation.
@fathermcgruder@jorts.horse @babe@glitterkitten.co.uk The problem comes when it encourages people to click links to random websites without a clear connection to the entity the email claims to be running the survey.
When a financial reward is a plausible outcome of clicking a link in an email, it's going to be a lot easier to convince people to click on a phishing link.
That said, paid surveys are nice but no matter how plausible a given email seems, don't click anything. Reach out to their customer service to verify if you really want to, just don't click the link without checking(and don't trust the CS contacts in the email, go to their website) -
STOP. SENDING. SURVEYS. FROM. THIRD. PARTY. SERVICES.
It looks sus as ducks having something from randomsurvey.co.uk come through on behalf of YourCompany with every domain/link in the email having no obvious link to it. Rarely is there a single link to the company domain, with everything pointing to the that of the commissioned survey provider.
To me it sets off every damn alarm bell for a phishing attempt. Expecting customers to use it encourages unsafe practices.
@babe you wanna know who's really guilty of this? US Government Agencies. Like seriously c'mon guys!
-
R relay@relay.mycrowd.ca shared this topic
-
@littlemike I am screaming internally every time
@babe I totally agree. I didn't even bother clicking on the link to leave a review. Hell I didn't even go to the site manually and leave a review because I was so mad lol
-
I get a few of these emails every year and occasionally investigate. A few of them WERE phishing attempts, sent to emails that had featured in major leaks.
The phishing emails and legitimate emails were indistinguishable. By using third party services on third party domains, you look like a scammer.
@babe every now and then some bright spark in the office will give our entire address book to some third party for some purpose, and not tell me. I've purged maybe a dozen of these so far, ranging from salary sacrifice deals to changes in our payslip provider. All legit, but looking dodgy as fuck.
I think they're all (mainly HR, Finance, Marketing) well trained enough now to send a warning email to let me know in advance, but I'm not certain. -
I get a few of these emails every year and occasionally investigate. A few of them WERE phishing attempts, sent to emails that had featured in major leaks.
The phishing emails and legitimate emails were indistinguishable. By using third party services on third party domains, you look like a scammer.
@babe DNS *is* a form of authentication, whether we like it or not. "verizon.com" or whatever tells me that Verizon is somewhere in the chain of trust there. third parties that run from their own domains are asking us to just trust them, and with 836 partners having access to your data it's almost impossible to tell who is legit otherwise.
-
STOP. SENDING. SURVEYS. FROM. THIRD. PARTY. SERVICES.
It looks sus as ducks having something from randomsurvey.co.uk come through on behalf of YourCompany with every domain/link in the email having no obvious link to it. Rarely is there a single link to the company domain, with everything pointing to the that of the commissioned survey provider.
To me it sets off every damn alarm bell for a phishing attempt. Expecting customers to use it encourages unsafe practices.
@babe this was a big problem with a recent Discord survey. There was absolutely no indication that this is really Discord collecting feedback other than "the design looks like Discord, trust us bro"
-
STOP. SENDING. SURVEYS. FROM. THIRD. PARTY. SERVICES.
It looks sus as ducks having something from randomsurvey.co.uk come through on behalf of YourCompany with every domain/link in the email having no obvious link to it. Rarely is there a single link to the company domain, with everything pointing to the that of the commissioned survey provider.
To me it sets off every damn alarm bell for a phishing attempt. Expecting customers to use it encourages unsafe practices.
@babe
Preaching to the choir sure feels good sometimes
-
@babe this was a big problem with a recent Discord survey. There was absolutely no indication that this is really Discord collecting feedback other than "the design looks like Discord, trust us bro"
@babe worst part about this is that many third party survey services allow the users to use a custom domain, so for any company with IT/ops that know what they're doing it would be easy to set it up on a subdomain of their primary one
-
-
STOP. SENDING. SURVEYS. FROM. THIRD. PARTY. SERVICES.
It looks sus as ducks having something from randomsurvey.co.uk come through on behalf of YourCompany with every domain/link in the email having no obvious link to it. Rarely is there a single link to the company domain, with everything pointing to the that of the commissioned survey provider.
To me it sets off every damn alarm bell for a phishing attempt. Expecting customers to use it encourages unsafe practices.
@babe Not just surveys – every mail from a large company nowadays seems is coming through one of approximately 3 mass mailers that a bunch of scammers also use. And there's no point in checking the links, because they've all been rewritten to go through a link tracker.
-
@babe DNS *is* a form of authentication, whether we like it or not. "verizon.com" or whatever tells me that Verizon is somewhere in the chain of trust there. third parties that run from their own domains are asking us to just trust them, and with 836 partners having access to your data it's almost impossible to tell who is legit otherwise.
@horsedreamer @babe but without a system like DNSSEC (which is still woefully underimplemented), DNS is trivial to spoof. Unicode domain name abuse is also rife, sadly. DNS really shouldn’t be used as a means of verification when there’s no cryptographic trust mechanism in place.
-
@babe this was a big problem with a recent Discord survey. There was absolutely no indication that this is really Discord collecting feedback other than "the design looks like Discord, trust us bro"
@0 The one that triggered this was Uber.
There is nothing in the email that even point's to Uber's domain, just 'we're doing this on behalf of Uber, we promise. We'll give you money if you click our link and tell us things'. It's completely indistinguishable from a phishing attempt
-
@babe Sadly it's no better within companies when communicating with employees. What 3rd party is HR using _this_ month without giving everyone a heads-up?
-
@horsedreamer @babe but without a system like DNSSEC (which is still woefully underimplemented), DNS is trivial to spoof. Unicode domain name abuse is also rife, sadly. DNS really shouldn’t be used as a means of verification when there’s no cryptographic trust mechanism in place.
@WiteWulf @babe which is why i don't like it, but what's the alternative in this case? third parties gonna third party, and I'm not manually checking each of them against the partners and purposes lists from every company i do business with. it's more of a "what can i do with what i have" solution, if they at least give me that. my own threat model doesn't contain personal directed attacks.
-
@babe DNS *is* a form of authentication, whether we like it or not. "verizon.com" or whatever tells me that Verizon is somewhere in the chain of trust there. third parties that run from their own domains are asking us to just trust them, and with 836 partners having access to your data it's almost impossible to tell who is legit otherwise.
@horsedreamer @babe if only it was surveys. Logging in to your Office 365 account sends you to several different domains, with names like microsoftservices.com, outlook.mcas.ms, windowssecurity.com or whatever.
I know this stuff, and I have no idea if those are legit. We keep telling users to verify the domains, but if not even technical people can figure it out, how is anyone going to be able to do it?
-
STOP. SENDING. SURVEYS. FROM. THIRD. PARTY. SERVICES.
It looks sus as ducks having something from randomsurvey.co.uk come through on behalf of YourCompany with every domain/link in the email having no obvious link to it. Rarely is there a single link to the company domain, with everything pointing to the that of the commissioned survey provider.
To me it sets off every damn alarm bell for a phishing attempt. Expecting customers to use it encourages unsafe practices.
@babe Same with internal surveys that HR departments send out to employees, while the IT department grumps at people for failing its periodic phishing tests.
Those surveys sometimes also have text that says "This is totally anonymous, nobody at the company will ever know who you are, but this link is personalised so don't forward it to anyone else".
-
@babe Not just surveys – every mail from a large company nowadays seems is coming through one of approximately 3 mass mailers that a bunch of scammers also use. And there's no point in checking the links, because they've all been rewritten to go through a link tracker.
I have marked legit intra-company e-mail as malicious on the grounds that I can't read the URLs or that it came from a 3rd party service I did not expect.
A lot of services I use -- including banks sometimes -- really like calling me from suspected spam (or outright hidden) numbers. You would think they should at least have dedicated well-known numbers...
-
@babe Not just surveys – every mail from a large company nowadays seems is coming through one of approximately 3 mass mailers that a bunch of scammers also use. And there's no point in checking the links, because they've all been rewritten to go through a link tracker.
@babe Oh, and for extra fun, if you're in a company, there's a high possibility that the IT is using an e-mail security service that also rewrites the links (for security of course), making it even less likely to be able to figure out the real origin.
-
@WiteWulf @babe which is why i don't like it, but what's the alternative in this case? third parties gonna third party, and I'm not manually checking each of them against the partners and purposes lists from every company i do business with. it's more of a "what can i do with what i have" solution, if they at least give me that. my own threat model doesn't contain personal directed attacks.
@horsedreamer @babe ah, sorry, I didn’t grasp the full context. Apologies.
Umm, what’s better? Good question. The “trusted” third-party thing isn’t a thing, as they implicitly can’t be trusted, can they?
