Earlier today I received a concerned e-mail from my girlfriend, who thought she may have been the target of an attempted cybercrime. Below is a screenshot of the e-mail:
As a security professional, my immediate reaction was to provide counsel on safe e-mail practices as I read through what appeared to be a legitimate security notification regarding a brute force attempt on her account. As I continued reading, I noticed a conspicuous lack of links, misspellings and poor grammar – again suggesting a legitimate source. My next step was to inquire about the strength of the password that she had been using on this web site, and how recently it had been changed. All evidence to this point suggested that this was indeed someone attempting a Lindsay Lohan-esque attack, albeit less successful (as far as I could tell so far).
Now it was time to dig a little deeper, as at this point we hadn’t really made any determination as to the success of the alleged attack.
As I went through the source code for the e-mail looking for suspect links or domains, I asked her to go directly to the Upromise web site and attempt to log in. Normally I would have asked her to log in from a PC that she doesn’t typically use, but she was at work and didn’t really have that luxury.
As it turned out, her account was not locked.
After requesting that she change her password and log out, I continued my research. The source code showed no signs of malice, so I called the 800 number that was provided. My call was answered by an interactive voice system claiming to be Upromise that was “experiencing a higher than usual call volume”. A dead-end number – was it real?
After digging through an e-mail, source code, a web site, changing a password and calling the company’s 800 number, I still could not confirm the legitimacy of any of this.
Was this a sophisticated phishing attack that incorporated offline voice? Was the company’s DNS compromised such that valid domains were poisoned? And did they get money from my girlfriend’s account?
Like any good cliffhanger, you’ll have to wait until next time for the conclusion to this story. But there’s a lesson here: as the headlines of data breaches, malicious insiders, corporate failures and compliance penalties pile up, we are slowly learning to distrust the systems, applications, networks and technologies upon which we base our digital lives. As technology continues to occupy more of our day, so does distrust. It’s a dangerous cycle that will be difficult to stop without a change in our collective security mindset.
If Upromise to, Ipromise to.