Does your breach email notification look like a phish?

Published: 2013-03-29
Last Updated: 2013-03-29 01:51:24 UTC
by Chris Mohan (Version: 1)
5 comment(s)


With the continual cycle of systems being compromised and customer data being stolen, using email notification is a fast, easy and direct method to send out warnings and advice to the unfortunate victims. It’s the one way, other than physical interaction (Phone calls, personal visits while offering a warm cup of tea and a sad smile or hiring street criers calling out the names of the afflicted in every town in the land…) that means all the right people do get notified, well, if they read their emails. It’s a defacto standard to communication so surely we’ve worked out how to use it properly.
One group that uses email to great success are phishers. Here at the ISC, we get plenty phishing emails: Reader submitted and those sent directly to us, from the nonsensical, incoherent jibber-jabber to those carefully and professional crafted. The recent Mandiant report [1] goes to highlighting that even the top end of attackers uses phishing emails, making awareness programmes [2] to anyone that has an email address something that needs tick off the to do list one of these days.
So what this got to do with breach notification emails? Glad you asked.
If you’re a security professional charged with protecting systems, networks or organisations your incident response plan should have a thought through section on communications before, during and after an incident. So if one or one million customer/user details suddenly appear on the you’ve advised on the pre-written notification email management/PR/marketing are about to send out right?
Tragically that doesn’t seem to be the case. If you received an “Oops! Some bad has happened to your account/details” email you may be shock (or not) to notice a hyperlink in the body of the email. Okay, so the link in this case is to make life easier; the link may direct to a reset password page, more information on what happen or even an apology. Here’s the but: With so many social engineered phishing emails why add a hyperlink at all? Why not stick with a clear statement to connect to the web site and follow the instructions on the /Security page.
For years we’ve being trying to teach anyone that will listen to do - at minimum - hover over the hyperlink and it looks suspicious then don’t click on the link, so why in such a crucial message does it suddenly become okay to drop a link in and expect the recipient to obediently click on it? 
No, it is not. It’s yet another way to desensitize and normalising bad practices in the sake of making the already exploited victim feel they have a quick way to fix their issue. In the best case scenario let’s pretend that when the recipient checks the link it, shows https: //\wearereallysorry\honest\passwdreset.html which matches the company that sent out the notification. Surely this couldn’t get any worst?
Oh, dear reader, you know better than that! Amazingly some notifications take that one step further and making an even bigger mistake. The hyperlinks in the email look something like this for our fictional site http://
Let’s pause for a moment and enjoying the pure insanity and listen to the sounds of the phishers , cackling incredulously then frantically rushing to be the first flood inboxes with cloned copies to take advantage of a second round of pillaging against those that have already been victimized. 
I can only subscribe this madness to marketing/customer relation team attempting to outsource the notification process and simultaneously track those poor souls that decide to click on the link in some form of lets see how many people this really hit so we can follow up with jolly marketing spam.
If you receive one of these poorly thought through emails, a polite, but firm, note to those that send it and their support desk asking if they think it looks like a phishing email and would they click on the link given you’ve lost my details once already? 
I’m going to protect the guilty parties that send out poorly conceived breach notifying hyperlinked email but if you become a recipient I’d heartily recommend you raise the issue and created a conversation to stop this madness re-occurring endlessly.
At NO point I am I suggesting flashy HMTL marketing designed emails with hyperlinks that link to an exact location or the perfect thing you have to buy should be banned or outlawed. Who doesn’t love knowing what great offers on the stuff you might possibly like some Cyber Cloud AI-like entity has picked for you? 
Breach notification emails telling something bad has happened and you need to take urgent action should require the victim to go to the web site by typing in the URL by hand, not this downward, spiring mistake of send them easy to use hyperlinks. As any good penetration tester will tell you “It only takes one click to own the network” [3] but remember there always a person behind that decision to click. Let get rid of one daft way of making a bad situation worse and ditch those hyperlinked breach notification emails.
[2] As an example

Chris Mohan --- Internet Storm Center Handler on Duty

Keywords: Notification phish
5 comment(s)


Thanks for YAIR (Yet Another Interesting Read;)

Slideshare appears to have broken the link to the -excelent- slides of Bryce Galbraith.

Fortunately the presentation mentioned can still be viewed through the following URL:
Surprised SGW notifications (S***!Guess What?) aren't mandated as TEXT only - even tired admins succumb to the odd image/html trick from time to time.
Excellent points couldn't be made clearer or louder
Wow, thanks for sharing that link, Erik. That is a fantastic set of slides. One thing that bit us on our last pen test was DNS tunneling. It is astounding to me just how ineffective IDS and IPS are in detecting this, no matter whose it is. Everyone is focusing on email, HTTP/HTTPS and the common protocols and DNS tunneling gives a reliable connection and even better, a low bandwidth connection that generally flies below the anomaly detection radar. Game over.
JJ, DNS tunneling is an excellent solution for the intruder seeking a stealthy protocol for communicating with his exploited machines inside a victim network.

But this matter of phishing is more about getting that initial exploit, right? Unless you know of a way to remotely exploit a machine using DNS tunneling.
I think you make a good point, Chris. Personally, I'm all for plain text email whenever possible. But I suspect many corporate communications departments assume that people will think nothing so simple and plain could come from a big corporate entity. They haven't really absorbed the new reality, which is that anyone with a PC and a bit of effort can make a website/email as slick as your fancy-looking corporate communications.

Diary Archives