I recently received an official-looking e-mail from a reputable security vendor asking me to participate in a survey. As an incentive, it offered me a chance to win a prize. Titled "Increasing Security," the HTML-formatted message resembled the vendor's other e-mailings, including a corporate logo linked to its Web site and a banner bearing the name of its familiar newsletter. "Why not?" I thought, "Let's see what they want to know."
I clicked the "Security Survey" link.
Titled "Product Development Study," the survey asked several security-related questions that I would expect from that vendor, so I proceeded to complete most of the form. My responses included a list of the operating systems in use here. Then, at the bottom, it asked for my personal contact information, purportedly for entry in the prize drawing.
"Wait a minute!" I thought, "Not only does this identify me, it also links my list of operating systems to a company name. Before I submit this, I'd better make sure that I'm on a secure connection." No, the URL did not begin with "https:" -- in fact, the form I almost submitted wasn't in the vendor's domain at all. It was at "surveymk.com," a domain unfamiliar to me. Surely a reputable security vendor wouldn't ask me to submit personally identifiable and potentially exploitable information via an unsecured link to an unfamiliar domain -- would they?
What about that e-mail I received? Was it legitimate? Although the "From" field used the purported sender's domain name, the "Reply-to" used "internetviz.com" -- another unfamiliar domain. Checking the header, I discovered that both the "From" and "Reply-to" fields had been spoofed. The actual server of origin was "shadow.imakenews.com" -- an ominous-sounding name indeed. Who works in the shadows and makes news in the security community? Hackers and phishers, that's who! Surely a reputable security vendor wouldn't conduct its business in such a shady manner. At this point I became convinced that it was a phishing scam, so I closed my browser without submitting anything.
The vendor whose good name had apparently been spoofed is a SearchSecurity.com advertiser, so I related my experience to an editor who contacted the vendor and learned, surprisingly, that the whole thing was legitimate. Checking my archives, I found that indeed, the vendor's newsletters used the same mailing service and spoofed addressing as did the survey invitation.
This case illustrates the need for legitimate companies seeking survey information to step back and look at what they're doing from the recipient's perspective, particularly when linking to a Web site that requests sensitive information. Such a request should present itself in a manner that leaves no doubt about its legitimacy. Today's savvier computer users rightly regard every unexpected e-mail with suspicion. The burden of proof lies with the sender: no spoofed addresses; no links to unrelated domains; and no vague subject lines. If you must spoof an address or link to an unrelated domain, explain it in the request, and do so in a manner that leaves no room for doubt. Also, be careful to use correct spelling and proper grammar; most scam artists do not.
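The header and link comparison described above, as an added example (not from the original article or the vendor): it lists every domain in a message that differs from the "From" domain. The sample message is constructed; vendor.example and recipient.example are placeholders, and audit() and org_domain() are names chosen here.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the message described above. vendor.example
# and recipient.example are placeholders; the other domains are named in the text.
SAMPLE = """\
Received: from shadow.imakenews.com (shadow.imakenews.com [192.0.2.10])
\tby mx.recipient.example with ESMTP
From: "Vendor Newsletter" <news@vendor.example>
Reply-To: <survey@internetviz.com>
Subject: Increasing Security
Content-Type: text/html; charset="us-ascii"

<html><body><a href="http://www.vendor.example/">Vendor</a>
<a href="http://surveymk.com/survey">Security Survey</a></body></html>
"""

def org_domain(host):
    # Naive registrable domain (last two labels). Assumption for brevity:
    # production code should consult the Public Suffix List instead.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def audit(raw):
    """Return (kind, domain) pairs for every domain that differs from From."""
    msg = message_from_string(raw)
    from_dom = org_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    seen = []
    def check(kind, host):
        dom = org_domain(host)
        if dom != from_dom and (kind, dom) not in seen:
            seen.append((kind, dom))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to:
        check("reply-to", reply_to.rpartition("@")[2])
    # The topmost Received header is stamped by the recipient's own server;
    # From and Reply-To are whatever the sender wrote. Layout varies by MTA.
    received = msg.get_all("Received") or []
    hop = re.match(r"\s*from\s+([\w.-]+)", received[0], re.I) if received else None
    if hop:
        check("origin", hop.group(1))
    body = "".join(part.get_payload(decode=True).decode("utf-8", "replace")
                   for part in msg.walk() if part.get_content_maintype() == "text")
    for scheme, host in re.findall(r'href=["\'](https?)://([^/"\'\s:]+)', body, re.I):
        check("link-" + scheme.lower(), host)
    return seen

if __name__ == "__main__":
    for kind, dom in audit(SAMPLE):
        print(f"{kind:10} {dom}")
```

A sender can run the same comparison on its own mailing before it goes out: an empty result means every address, relay and link shares the "From" domain, and each remaining entry is something the message itself should explain.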
I'd like to think that the vendor whose survey I discarded was testing its recipients to see if we'd fall for a possible phishing attack. How many of you failed that test? More likely, though, it was just sloppy work in an area that deserves more care.
About the author
Clay Ruth is a software systems engineering manager.