Tuesday, April 23, 2013

I thought I taught you not to click...

For years, the computer security industry has worked to educate computer users to avoid phishing scams and malware spread via email. One of the most basic rules of thumb is not to click links or attachments in email unless you are certain of the sender. We teach to look at the sender's address for out-of-place characters such as G00GLE instead of GOOGLE (zeros in place of "oh's"). We say to look out for added characters (googlecom.com instead of google.com). We say not to trust what the text in a link says, but to hover over a link and see what URL shows up in the status bar (for instance, the text www.google.com in fact is a link to yahoo.com - hover over it and see for yourself). And we teach that a legitimate service will never ask for your password over email (instead we will direct you to login to our web site).

And then we in the industry go and do boneheaded things that go against the very things we teach.

Recently I received a message claiming to be from Yahoo!, promoting a new "advanced account recovery" feature in their email service. It invited me to add a mobile phone number to my email account as a secondary way of authenticating my account and regaining access should I ever forget my password of get locked out. OK - a useful feature, and one that other webmail services have also introduced.

It's the way this email was presented that I have a problem with.

1. The sender was [email protected]. Now maybe yahoo-email.com is a legitimate domain owned by Yahoo! Inc. for the purposes of official corporate email, since @yahoo.com is the freely available email domain - other webmail services do something similar. But if I were a bad guy, I would do the same thing - use a domain that looks close enough to the real thing. I pulled up the Whois record to find out the actual owner, and it is registered to Yahoo! Inc, so it very well may be legitimate, but how many people do a whois query before trusting a sender?

2. The links in the email - both the "click here to add your mobile number" and the links in the disclaimers at the bottom, go to yahoo-email.com/something. This is a much more serious problem: I know yahoo.com is the original domain for Yahoo!, just as I know microsoft.com is the original domain for Microsoft. I would expect a legitimate email, even if it used a different email source to differentiate it from consumer mail, to link to the well-known domain yahoo.com.

3. Nowhere in the email does it describe a way for me to add my mobile number through the email settings portal I already know - and I cannot find such a setting anywhere in the email settings. This is a huge red flag. If this is a legitimate email, then there should be a way to access the feature through the email settings tool.

Ultimately I spoke with the director for security at Yahoo! (his actual title is "Director, paranoids" - is that not a great title for a security manager?). He confirms that this is a legitimate new feature, and that the email text was not crafted as well as it could be.

The takeaways are twofold:

For the consumer, be suspicious of email that seems out of place, especially if it asks you to click a link or log in somewhere.

For the industry professional, be conscious when communicating with customers, and take care not to undermine the safe computing practices we work hard to teach.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen