Posts with label e-mail

Tuesday, November 17, 2015

Krebs on Security: Chipotle Serves Up Chips, Guac & HR Email

Chipotle Serves Up Chips, Guac & HR Email
Brian Krebs, November 15, 2015

The restaurant chain Chipotle Mexican Grill seems pretty good at churning out huge numbers of huge burritos, but the company may need to revisit some basic corporate cybersecurity concepts. For starters, Chipotle’s human resources department has been replying to new job applicants using the domain "chipotlehr.com" — a Web site name that the company has never owned or controlled.

Translation: Until last week, anyone could have read email destined for the company’s HR department just by registering the domain "chipotlehr.com". Worse, Chipotle itself has inadvertently been pointing this out for months in emails to everyone who’s applied for a job via the company’s Web site.

Wow. Read on to learn the extent of their incredible ineptitude. They apparently have no problem with:

  • Sending mail with a return address that nobody owns
  • Sending out official HR mail with a bogus return address
  • When informed that this is a security problem (and that some third party has registered the domain and is actively receiving mail intended for Chipotle HR) they still don't care because it's supposed to be a bogus return address.
  • When the person who registered the domain offered to give it to them for free, they declined

You would think that somebody somewhere in their IT department would see this as a problem, but apparently not.

Krebs links to another article from 2008 about someone who registered donotreply.com in order to capture all the mail sent to what corporations assume to be a bogus domain. Some of the mail captured has been highly sensitive business and financial information. All because a company can't be bothered to use a real mailbox (or at least their own domain) as a return address in their outbound e-mail.

If it wasn't real, it would be really funny.
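The failure here is a sending system that puts an address it does not control into a reply or bounce header. An added example (not from Krebs's article or this blog): a pre-send check that flags any From, Sender, Reply-To or Return-Path address outside the domains the organization owns. The owned-domain set and the sample message are constructed; note that matching is done on label boundaries, because a substring match on the brand name would wrongly accept "chipotlehr.com".

```python
from email import message_from_string
from email.utils import getaddresses

# Domains the organization actually controls (constructed for this example).
OWNED_DOMAINS = {"chipotle.com"}
SENDER_HEADERS = ("From", "Sender", "Reply-To", "Return-Path")

def is_controlled(domain, owned=OWNED_DOMAINS):
    """True if domain is an owned domain or a subdomain of one.

    Matching is on label boundaries: "hr.chipotle.com" is controlled,
    "chipotlehr.com" is not, even though it contains the brand name.
    """
    d = domain.lower().rstrip(".")
    return any(d == o or d.endswith("." + o) for o in owned)

def uncontrolled_senders(raw_message):
    """Return (header, address) pairs whose domain the organization does not own."""
    msg = message_from_string(raw_message)
    findings = []
    for header in SENDER_HEADERS:
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if "@" not in addr:
                continue
            if not is_controlled(addr.rsplit("@", 1)[1]):
                findings.append((header, addr))
    return findings

# Constructed outbound HR reply modelled on the situation in the article:
# the visible From is fine, but replies and bounces go to domains nobody owns.
SAMPLE = """\
From: "HR Department" <careers@hr.chipotle.com>
Reply-To: "HR Department" <noreply@chipotlehr.com>
Return-Path: <donotreply@donotreply.com>
To: applicant@example.net
Subject: Your application

Thank you for applying.
"""

if __name__ == "__main__":
    for header, addr in uncontrolled_senders(SAMPLE):
        print(f"{header}: {addr} is outside the domains we control")
```

The same check catches the donotreply.com case from the 2008 article: a "nobody owns this" address is exactly an address somebody else can register.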

Monday, February 23, 2015

Stupid spam/scam

I noticed this amusing bit of spam in my spam folder today (some headers stripped away; I'm only including those I'm using to make my point):
To: (my e-mail address)
Subject: (first 4 letters of my e-mail address), Notice to Appear in Court
From: "State Court" <support@electricgroovecrusade.com>
Reply-To: "State Court" <support@electricgroovecrusade.com>

Dear (first 4 letters of my e-mail address),

You have to appear in the Court on the February 19.
Please, do not forget to bring all the documents related to the case.
Note: The case may be heard by the judge in your absence if you do not come.

The Court Notice is attached to this email.

Yours faithfully,
Angel Denton,
Court Secretary.

Attached to this mail is a zip file named "Court_notificaton_#####.zip" (where #### is a bunch of digits I can't be bothered to re-type.) I didn't download it, but I think we can be 99% certain that this attachment, when opened, will install malware on your computer.

So let's see how stupid you would have to be to fall for this spam. In order to trust the source and believe it is important to open this zip file, you would have to believe:

  • That a legitimate court will issue a summons via e-mail
  • That such a summons will not identify which court it is that is issuing the summons
  • That a court will issue a summons without your name on it, preferring instead to make up a fake name based on your e-mail address.
  • That despite not knowing my name or address, they somehow know my e-mail address.
  • That a court is going to send official correspondence from a domain belonging to Electric Groove Crusade (a rock band whose web page has had nothing more than a "coming soon" message since 2010) and not from a domain that actually belongs to the court.
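Three of the signs above can be checked mechanically: a greeting built from the recipient's address, a display name that claims an institution absent from the sender's domain, and an archive attachment. An added example (not the post's own code) that runs those checks over a constructed copy of the message; the recipient address and the attachment bytes are made up, the headers are as quoted in the post.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
def phish_indicators(raw_message):
    """Codes for the signs the post lists that are present in the message."""
    msg = message_from_string(raw_message, policy=policy.default)
    found = []
    name, addr = parseaddr(msg.get("From", ""))
    recipient_local = parseaddr(msg.get("To", ""))[1].split("@")[0].lower()
    sender_domain = addr.rsplit("@", 1)[-1].lower()

    # 1. "Dear <first letters of your address>" instead of a real name
    text = msg.get_body(preferencelist=("plain",))
    body = text.get_content() if text else ""
    m = re.search(r"^Dear\s+([^,\n]+)", body, re.MULTILINE)
    greeting = m.group(1).strip().lower() if m else ""
    if greeting and recipient_local.startswith(greeting):
        found.append("greeting-from-address")

    # 2. Display name claims "State Court" but no such word is in the domain
    words = [w for w in re.findall(r"[a-z]+", name.lower()) if len(w) >= 4]
    if words and not any(w in sender_domain for w in words):
        found.append("sender-domain-mismatch")

    # 3. An archive attachment like the post's Court_notificaton_#####.zip
    if any((p.get_filename() or "").lower().endswith((".zip", ".rar", ".7z"))
           for p in msg.iter_attachments()):
        found.append("archive-attachment")
    return found

# Constructed copy of the spam; recipient address and attachment bytes made up.
SAMPLE = """\
From: "State Court" <support@electricgroovecrusade.com>
To: johndoe@example.net
Subject: john, Notice to Appear in Court
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear john,
The Court Notice is attached to this email.
--b1
Content-Type: application/zip; name="Court_notificaton_12345.zip"
Content-Disposition: attachment; filename="Court_notificaton_12345.zip"

placeholder-bytes
--b1--
"""
```

The second check is a heuristic and will misfire on display names that legitimately differ from the domain, so treat its output as a score input rather than a verdict.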

Wednesday, July 30, 2014

Naked Security: Anatomy of an iTunes phish

Naked Security: Anatomy of an iTunes phish – tips to avoid getting caught out

... We often forget that many things are "obvious" only with experience, meaning, in fact, that they're not really obvious at all.

That's why we do phishing walkthroughs fairly regularly on Naked Security.

The idea is to step you through a typical email phish, pointing out the telltale warning signs in the original email and the web pages that follow, so you know what to look for in future.

So, even if you'd back yourself to spot a phish every time, here's a step-by-step account that might help to save your friends and family in the future. ...

Friday, April 11, 2014

IETF: Yahoo breaks every mailing list in the world including the IETF's

h/t Hacker News

Yahoo recently upgraded the "security" of their mail servers in an attempt to curb spam. Unfortunately, they decided to use a protocol that is still under development, has serious known problems, and they configured it for maximum paranoia. The result is that they reject nearly all mailing-list traffic (legitimate or otherwise) that comes from a Yahoo user, potentially crippling the lists themselves. (Except for lists hosted by Yahoo's own servers, of course.)
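The protocol the post refers to is DMARC, which Yahoo deployed with a p=reject policy in April 2014 (the post itself does not name it). As an added example, not from the post or the IETF thread, here is a simplified model of a receiver's DMARC check that shows why a strict sender policy rejects list traffic: the list re-sends the message from its own server, so SPF no longer aligns with the From domain, and it edits the subject and body, so the original DKIM signature fails. The DMARC records and authentication results are constructed, and the organizational-domain logic is an assumed simplification of the public suffix list.

```python
from dataclasses import dataclass

def parse_dmarc(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=r' into a dict."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags

def org_domain(domain):
    # Assumed simplification: last two labels; real receivers use the public suffix list.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, strict):
    """Identifier alignment: exact match in strict mode, same org domain in relaxed."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class AuthResult:
    from_domain: str   # domain of the header From: the one DMARC protects
    spf_domain: str    # envelope sender (MAIL FROM) domain SPF was checked on
    spf_pass: bool
    dkim_domain: str   # d= of the DKIM signature
    dkim_pass: bool    # False once a list has altered the signed content

def dmarc_disposition(record, r):
    """'pass', or the From domain's requested policy (none/quarantine/reject)."""
    t = parse_dmarc(record)
    spf_ok = r.spf_pass and aligned(r.spf_domain, r.from_domain, t.get("aspf", "r") == "s")
    dkim_ok = r.dkim_pass and aligned(r.dkim_domain, r.from_domain, t.get("adkim", "r") == "s")
    return "pass" if (spf_ok or dkim_ok) else t.get("p", "none")

# Constructed scenario from the post: a yahoo.com subscriber mails a list. The
# list server re-sends from its own domain (SPF now covers the list, not Yahoo)
# and adds a subject tag and footer, which breaks Yahoo's DKIM signature.
REJECT_POLICY = "v=DMARC1; p=reject"   # shape of a p=reject record, values constructed
MONITOR_POLICY = "v=DMARC1; p=none"
direct = AuthResult("yahoo.com", "yahoo.com", True, "yahoo.com", True)
relayed = AuthResult("yahoo.com", "lists.example.org", True, "yahoo.com", False)

if __name__ == "__main__":
    print("direct :", dmarc_disposition(REJECT_POLICY, direct))    # pass
    print("relayed:", dmarc_disposition(REJECT_POLICY, relayed))   # reject
    print("relayed under p=none:", dmarc_disposition(MONITOR_POLICY, relayed))  # none
```

Under p=none the same relayed message is merely reported, which is why the usual advice is to start there; list software later worked around p=reject domains by rewriting the From header to the list's own domain.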