Tuesday, April 23, 2013

I thought I taught you not to click...

For years, the computer security industry has worked to educate computer users to avoid phishing scams and malware spread via email. One of the most basic rules of thumb is not to click links or attachments in email unless you are certain of the sender. We teach to look at the sender's address for out-of-place characters such as G00GLE instead of GOOGLE (zeros in place of "oh's"). We say to look out for added characters (googlecom.com instead of google.com). We say not to trust what the text in a link says, but to hover over a link and see what URL shows up in the status bar (for instance, the text www.google.com in fact is a link to yahoo.com - hover over it and see for yourself). And we teach that a legitimate service will never ask for your password over email (instead we will direct you to login to our web site).

And then we in the industry go and do boneheaded things that go against the very things we teach.

Recently I received a message claiming to be from Yahoo!, promoting a new "advanced account recovery" feature in their email service. It invited me to add a mobile phone number to my email account as a secondary way of authenticating my account and regaining access should I ever forget my password of get locked out. OK - a useful feature, and one that other webmail services have also introduced.

It's the way this email was presented that I have a problem with.

1. The sender was [email protected] Now maybe yahoo-email.com is a legitimate domain owned by Yahoo! Inc. for the purposes of official corporate email, since @yahoo.com is the freely available email domain - other webmail services do something similar. But if I were a bad guy, I would do the same thing - use a domain that looks close enough to the real thing. I pulled up the Whois record to find out the actual owner, and it is registered to Yahoo! Inc, so it very well may be legitimate, but how many people do a whois query before trusting a sender?

2. The links in the email - both the "click here to add your mobile number" and the links in the disclaimers at the bottom, go to yahoo-email.com/something. This is a much more serious problem: I know yahoo.com is the original domain for Yahoo!, just as I know microsoft.com is the original domain for Microsoft. I would expect a legitimate email, even if it used a different email source to differentiate it from consumer mail, to link to the well-known domain yahoo.com.

3. Nowhere in the email does it describe a way for me to add my mobile number through the email settings portal I already know - and I cannot find such a setting anywhere in the email settings. This is a huge red flag. If this is a legitimate email, then there should be a way to access the feature through the email settings tool.

Ultimately I spoke with the director for security at Yahoo! (his actual title is "Director, paranoids" - is that not a great title for a security manager?). He confirms that this is a legitimate new feature, and that the email text was not crafted as well as it could be.

The takeaways are twofold:

For the consumer, be suspicious of email that seems out of place, especially if it asks you to click a link or log in somewhere.

For the industry professional, be conscious when communicating with customers, and take care not to undermine the safe computing practices we work hard to teach.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen

Whois David?

My photo

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.