STOP. SENDING. SURVEYS. FROM.
-
@babe Or DHL messaging me over WhatsApp(!) about paying some kind of import taxes and fees for a package from the UK. "Just click on this link to pay the fees before the delivery of your package".
Like... what? That's exactly the way any scammer would do it. And it's exactly what I told my parents to be aware of.
@Fettlaus dhl are one who scammers claim to be, with messages about unpaid charges on packages!
-
@Fettlaus dhl are one who scammers claim to be, with messages about unpaid charges on packages!
@Fettlaus And this kind of goes in with part of the risk involved in these practices.
Right now I'm confident the survey from a partner of Uber (which triggered this rant) is legit. But given nothing links to uber, what's to stop a scammer from copying it wholesale? It's the kind of thing that is ripe for scammers to use
-
@babe So much effort is spent training people about *spotting* phishing attempts, but I have never once seen a single piece of training on how to *send* email, and what minimum standards procurement teams should be *demanding* from third parties.
It's like holding a masked ball, and then complaining that people didn't watch each others faces.
@imsop @babe I would say that at a bare minimum, mail sent on your domain's behalf needs to come from a host in that domain's SPF info.
I've seen even *password reset* mail come from the great elsewhere, and of course arriving long after any timeout.
But apparently even those deliveries succeed often enough that the misconfigurations persist.
At the cost, in most cases, of me not continuing to be their customer or member.
-
STOP. SENDING. SURVEYS. FROM. THIRD. PARTY. SERVICES.
It looks sus as ducks having something from randomsurvey.co.uk come through on behalf of YourCompany with every domain/link in the email having no obvious link to it. Rarely is there a single link to the company domain, with everything pointing to the that of the commissioned survey provider.
To me it sets off every damn alarm bell for a phishing attempt. Expecting customers to use it encourages unsafe practices.
@babe and if they don't want to host the actual surveys themselves, redirects exist
-
STOP. SENDING. SURVEYS. FROM. THIRD. PARTY. SERVICES.
It looks sus as ducks having something from randomsurvey.co.uk come through on behalf of YourCompany with every domain/link in the email having no obvious link to it. Rarely is there a single link to the company domain, with everything pointing to the that of the commissioned survey provider.
To me it sets off every damn alarm bell for a phishing attempt. Expecting customers to use it encourages unsafe practices.
@babe Especially when that means they've leaked the separate email address I gave to their org via the survey company.
-
@babe So much effort is spent training people about *spotting* phishing attempts, but I have never once seen a single piece of training on how to *send* email, and what minimum standards procurement teams should be *demanding* from third parties.
It's like holding a masked ball, and then complaining that people didn't watch each others faces.
-
I get a few of these emails every year and occasionally investigate. A few of them WERE phishing attempts, sent to emails that had featured in major leaks.
The phishing emails and legitimate emails were indistinguishable. By using third party services on third party domains, you look like a scammer.
There is another element to this that companies don't seem to consider:
If you use third party services for surveys, marketing etc, and you tell customers that yes, they are legitimate, not to worry. What's stopping a scammer from copying these emails and sending them from servicenames similar to the legitimate third party vendor?
-
STOP. SENDING. SURVEYS. FROM. THIRD. PARTY. SERVICES.
It looks sus as ducks having something from randomsurvey.co.uk come through on behalf of YourCompany with every domain/link in the email having no obvious link to it. Rarely is there a single link to the company domain, with everything pointing to the that of the commissioned survey provider.
To me it sets off every damn alarm bell for a phishing attempt. Expecting customers to use it encourages unsafe practices.
-
STOP. SENDING. SURVEYS. FROM. THIRD. PARTY. SERVICES.
It looks sus as ducks having something from randomsurvey.co.uk come through on behalf of YourCompany with every domain/link in the email having no obvious link to it. Rarely is there a single link to the company domain, with everything pointing to the that of the commissioned survey provider.
To me it sets off every damn alarm bell for a phishing attempt. Expecting customers to use it encourages unsafe practices.
@babe Every cloud platform makes me rage for this. yourorganization.whoeverythisis.com being the pattern everyone should just trust and use SSO with?
Or Microsoft which thinks a single Teams workflow should have a user connect to teams.microsoft.com, my.sharepoint.com, planner.cloud.microsoft, and login.microsoftonline.com and hope users will still notice a lookalike phishing domain.
-
There is another element to this that companies don't seem to consider:
If you use third party services for surveys, marketing etc, and you tell customers that yes, they are legitimate, not to worry. What's stopping a scammer from copying these emails and sending them from servicenames similar to the legitimate third party vendor?
@babe but… that would be RUDE!?
-
FILL OUT THIS SURVEY FOR A FINANCIAL REWARD! is even worse. You're offering remuneration to customers for the watering down of their good security practices.
@babe Thank you for "remuneration." I hear people say "renumeration" all the time and it drives me nuts. Like, well known people, commentators and such, who should know better.
-
There is another element to this that companies don't seem to consider:
If you use third party services for surveys, marketing etc, and you tell customers that yes, they are legitimate, not to worry. What's stopping a scammer from copying these emails and sending them from servicenames similar to the legitimate third party vendor?
@babe i bought a car and the dealership pre-scheduled maintenance appointments for me, without telling me about this at all. They sent a link to my phone from an unfamiliar 5 digit number, not affiliated with the dealership or manufacturer. i fully ignored it thinking it was a scam text. In Ohio, registration is public record so scammers love to buy the reg records so they know your exact car down to the full VIN
-
@babe Thank you for "remuneration." I hear people say "renumeration" all the time and it drives me nuts. Like, well known people, commentators and such, who should know better.
@Nonya_Bidniss One of the common cornerstones of an autodidact's education is being a wordsy bitch. I'd kick myself if I got it wrong!
-
@babe Thank you for "remuneration." I hear people say "renumeration" all the time and it drives me nuts. Like, well known people, commentators and such, who should know better.
@Nonya_Bidniss@infosec.exchange at a previous job, we had a database table called
renumeration, it confused everyone
it didn't even track salaries! (I think it tracked money we owed to clients)
@babe@glitterkitten.co.uk -
@lesbianhacker @babe Training worked then.
-
STOP. SENDING. SURVEYS. FROM. THIRD. PARTY. SERVICES.
It looks sus as ducks having something from randomsurvey.co.uk come through on behalf of YourCompany with every domain/link in the email having no obvious link to it. Rarely is there a single link to the company domain, with everything pointing to the that of the commissioned survey provider.
To me it sets off every damn alarm bell for a phishing attempt. Expecting customers to use it encourages unsafe practices.
@babe My own company sends out internal emails that are more like phish than any real one. Sender: not in our global address book. Subject line: You are overdue for training. Body: Click on this PDF file for details.
I sent it to our security folks (it's a big company), and they said, "If it isn't marked "External" it's safe. Uh, where were you in 2010 when our email servers were being run by the Chinese MSS?
-
There is another element to this that companies don't seem to consider:
If you use third party services for surveys, marketing etc, and you tell customers that yes, they are legitimate, not to worry. What's stopping a scammer from copying these emails and sending them from servicenames similar to the legitimate third party vendor?
I've tried to get this through to companies like, for instance, my bank, with little success.
Before I finally managed to "opt out" of the last of their marketing / promotional email, I would get two kinds of messages from them:
1) Regular reminders of secure practice, and how you can't trust who an email comes from, and you should therefore never, ever click a link in an email claiming to be from them.
2) Constant spam for their products and services, all replete with links to follow to get them. These mails all came through outside agencies, from Mailchimp or similar, and with all the links going through a click tracker in some random advertising company's domain.
I couldn't even get their two departments to talk to each other about this.
-
STOP. SENDING. SURVEYS. FROM. THIRD. PARTY. SERVICES.
It looks sus as ducks having something from randomsurvey.co.uk come through on behalf of YourCompany with every domain/link in the email having no obvious link to it. Rarely is there a single link to the company domain, with everything pointing to the that of the commissioned survey provider.
To me it sets off every damn alarm bell for a phishing attempt. Expecting customers to use it encourages unsafe practices.
@babe disagree. I would rather pay a payments company than your own website I can't audit and I'd rather do surveys at a known survey site than through your domain.
Trust within a domain matters.
#sysadmin #cybersecurity -
R relay@relay.infosec.exchange shared this topic
I got one of these today from my bank 
