With all the buzz about resetting your passwords caused by the “Heartbleed” bug, you can imagine what cybercrooks are thinking.
TIME TO GO PHISHING!
Fortunately, many people these days know to be careful of password reset emails, at least those that helpfully provide a link that takes you to what looks like a login screen.
But it’s easy to make a mistake.
If you were thinking, “Hey, maybe I should change my example.com password, just in case,” and then an email arrives claiming to be from example.com that takes you to a login screen that looks just like example.com…
…you could be forgiven for just following habit and trying to login.
Of course, if you aren’t actually on example.com, you’ve just given away your login details to a cybercrook.
(Now you really do need to change your password, on the real site, and pretty jolly quickly!)
The flipside of all of this is as follows: when you need to send a genuine password reset warning to your customers, please don’t put links to your login page in the email itself.
It’s much more convenient if you do give an easily-clickable link, and there is no technical or legal reason not to do so.
But from a behavioural point of view, it’s so much better if you don’t, because you aren’t softening your customers up to click on the sort of links that scammers love.
Simply put, it’s a bad look.
If no legitimate sites ever put login links in their email correspondence, then deciding whether login links are good or bad becomes trivial: they’re bad, and that’s the end of it.
So we were a little disappointed, if not surprised, to receive a “Will you look at this?” message from Naked Security reader Paul, copying us in on a password reset email from popular Internet of Things website IFTTT.
IFTTT stands for “if this, then that,” and it seems to be a catchphrase for popularising simple computer programming concepts amongst non-programmers who own electronically tweakable devices – light bulbs, for example – that have traditionally been controllable only by someone in the room at the time.
Instead of saying to yourself, “I am entering my house; I’ll turn on the light in the passage,” you pre-program your intelligent light bulb controller with “IF my car enters the garage AND it is night THEN turn on the hallway light.”
In a world where your car, your garage and even the individual light bulbs in your house are online, you’d think that following security best practice would be more important than ever.
And you’d be right, making it a pity that IFTTT, of all online communities, sent Paul one of these:
We admit that all the signs are there to help you realise this is legitimate, from the URL you see when you hover over the link in the email to the HTTPS certificate of the login screen to which the link takes you.
So this isn’t an egregious error, or even, if the truth be told, a terribly dangerous one.
But we’d like to urge any of you who are thinking of sending out “heartbleed” password reset emails: please avoid those login links.
Help us to help everyone get geared up to avoid phishing attacks.
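The checks described above (the URL you see when you hover over a link, and whether it really belongs to the site that supposedly sent the email) can be automated on the receiving side. The following is an added example, not code from the article, from Sophos or from IFTTT: it parses the HTML body of a password reset email, lists every link, and flags any whose host is outside the sender's own domain, any that is not served over HTTPS, and any whose visible text shows one address while the href points to another. The two sample emails, the domain example.com and the lookalike example-com-login.net are all constructed placeholders.

```python
"""Flag suspicious links in a password reset email (added example, constructed data)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_matches(host, domain):
    """True if host is exactly domain or a subdomain of it (links.example.com matches example.com)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def _hostname_of(text):
    """If the visible link text looks like a URL or bare hostname, return its host, else None."""
    if "://" not in text:
        text = "https://" + text
    host = urlparse(text).hostname
    if host and "." in host and " " not in host:
        return host
    return None


def check_reset_email(html_body, sender_domain):
    """Return a list of (href, reason) findings for links a reader should not trust blindly.

    reason is one of:
      'not-https'      the link is not an https:// URL
      'off-domain'     the link host is not sender_domain or one of its subdomains
      'text-mismatch'  the visible text names a different host than the href
    """
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        if parsed.scheme != "https":
            findings.append((href, "not-https"))
        if not _host_matches(host, sender_domain):
            findings.append((href, "off-domain"))
        shown = _hostname_of(text)
        if shown and host and not (_host_matches(shown, host) or _host_matches(host, shown)):
            findings.append((href, "text-mismatch"))
    return findings


# Constructed sample: a genuine notice that links only to a subdomain of the sender.
GENUINE_HTML = (
    "<p>Because of the Heartbleed bug we recommend changing your password.</p>"
    '<p>Open <a href="https://links.example.com/r/abc123">example.com</a> in your browser.</p>'
)

# Constructed sample: a lookalike phish whose visible text claims example.com
# while the href goes to a different, non-HTTPS host.
PHISH_HTML = (
    "<p>Your example.com password must be reset immediately.</p>"
    '<p><a href="http://example-com-login.net/reset">https://example.com/login</a></p>'
)

if __name__ == "__main__":
    for label, body in (("genuine", GENUINE_HTML), ("phish", PHISH_HTML)):
        print(label, check_reset_email(body, "example.com"))
```

The genuine sample produces no findings because links.example.com is a subdomain of the sender (the same situation as a links.bitcasa.com tracking link), while the lookalike is reported three times over. A silent result is not proof of legitimacy, only the absence of the cheap giveaways; the article's point stands that the simplest rule for a reader is to type the site's address rather than click.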
Image of Gone Fishing sign courtesy of Shutterstock.
Just had an email from Pinterest regarding this issue with a suggestion to change passwords – complete with a nice ‘reset password’ link.
Me too. Not taking any chances.
I received an email supposedly from Bitcasa, which had exactly the same. When I say supposedly it’s because I couldn’t figure if it was Bitcasa being amateurish or a clever phisher with a sense of humour.
The link leads to a bitcasa.com sub-domain – links.bitcasa.com – so I guess it’s legit, but wouldn’t wanna try my luck as the email in general looked dodgy with a weird return path.
Instead I decided to delete my account, which I had never used since I first tried it out. That turned out to be a challenge as they have no visible clues on how to do it.
After applying some duckduckgo-fu I found a link to their support forums – where I had to create an account (!) to read an article explaining that you have to send a support ticket with the subject “Delete my account.” Brave new IT world 😉
Much to my surprise I actually got an automated answer asking me to confirm the deletion by replying. Still waiting for a response to that though.
The funny part:
The HTML version of their initial mail looked very professional – besides the link part – but the plain text version was very different. The quote below is the entire plain text part:
—8<—-
Last Chance to Save 35%
Seriously, this is your last chance.
Dave doesn't work here
i gotta check out the brochure, nom nom nom nom .
We love Curry Fries
Curry fries are good, get in my belly yum yum yum yum.
-Bitcasa Team
—8<—-
Chilli goes better with fries (chips) than curry!
My guess would be that someone just put some placeholder text in while testing…and then, ah, forgot to remove it. And my advice would be, “Don’t do that.”
If you must have placeholder text, in documents, emails, code strings, and so on, use something that will not leave you with egg on your face or nearly mean something incorrect or misleading.
There are many lorem ipsum [qv] generators on the web that can give you realistic looking (Roman) text that helpfully has no meaning that might add to your embarrassment if you accidentally publish it.
Hmmm. All the web server folks are running around screaming “Change your password! Change your password! The sky is falling.”
But the credit card folks (who have much more skin in the game) aren’t saying a thing.
Do you hear anyone crying wolf?