Skip to main content

Surveys or Phishing Emails?

I was recently sent a survey from a well-known survey company (actually, on second thoughts, I'll name them: Capita) and it made me very cross. Why so cross? Well, I spend a considerable amount of time trying to educate people about their role in the security of the network and about phishing/social engineering. This is all undone by survey companies such as the one in question. See for yourself the email sent and use it as a template for future 'white-hat' testing.

Have your Say! Fill in your Staff Survey today!

Dear Colleague

It’s important to complete the Staff Survey to ensure your voice is heard! The purpose of the survey is to make further improvements to staffs’ working lives at Target Organisation.

Your responses will come direct to Capita Surveys & Research Unit, and will be totally anonymous. No one outside the research team – and certainly no one at Target Organisation – will know who has responded or be able to identify individual responses. The survey findings will be analysed by Capita Surveys & Research Unit and only aggregate results will be reported.

To ensure that you have adequate opportunity to participate, the survey closure date is date month year.

In order to participate in the survey visit:

https://sas.capitasurveys.co.uk/targetorganisation

and enter your password: AAdddd

If you have any queries or require support completing the survey please contact us at Capita Surveys & Research Unit on 0800 587 3115.

Yours sincerely

Cheryl Kershaw
Director of Surveys and Research
Capita Surveys & Research Unit

What's wrong with this? Many things! Phishing scams are on the increase and are one of the biggest threats to security at the moment. Targeted phishing, or spear phishing, is also on the increase and these surveys could easily fall foul of this type of attack. The survey emails are in a standard format with no personalisation. It appears as a classic phishing email, albeit with better grammar. It would be easy to exploit this 'legitimate' survey to ask for additional personal details. Points to consider:

  1. There is no personalisation – ‘Dear Colleague’
  2. The email doesn’t come from the organisation in question – staffsurveys@Capita.co.uk
  3. The URL does not point to the organisation in question – https://sas.capitasurveys.co.uk/organisationname
  4. There is no contact within the organisation presented in the email for confirmation – contact Capita Surveys & Research Unit on 0800 587 3115
  5. They do not use an EV SSL certificate on their site, only DV – QuoVadis Global SSL ICA certifying that this is sas.capitasurveys.co.uk, which could be a phishing site for all a user knows, as it isn’t certified to be Capita or Capita Surveys & Research Unit (see post on EV versus DV certificates)
This would be very easy for someone to impersonate, particularly if they register a similar URL, such as https://sas.crapitasurveys.co.uk/organisationname and then use masking as well. Users are being conditioned into clicking on links without questioning their validity. All I would have to do is know (or guess) that this organisation conducts surveys of this type from an organisation like this. OK, Capita suggests that organisations publicise the survey, but this isn't always done well and can be used to produce a fake version before the real one goes live.

It gets worse though. When I phoned Capita Surveys, a nice helpful lady called Liz told me who they were currently providing surveys for (I won't give out the organisation names here as that would be irresponsible, but if Capita would like to check with me I can prove this). It would be very easy to quickly knock up a copy of their site with a similar URL and registered SSL Certificate, add in a few extra questions, send those emails and wait for the information to roll in. Well done Capita! They say they take people's security seriously and that answers are secure because they use SSL. However, I would beg to differ.

Capita aren't the only culprit though; I was also recently sent a survey for Microsoft from Mori, which was just as bad. They have to take steps to ensure that their surveys can't be hijacked for targeted attacks. There are anti-phishing technologies and techniques available that, whilst not infallible, would help, so why aren't they used?
Labels:

Comments

  1. Andy Strauss13 December 2012 at 08:44

    Great post! I’m sure you worked really hard on this article and it shows. I agree with a lot of your material. I enjoyed this and I will be back for more.
    Online Survey Programs

    ReplyDelete

Post a Comment

Popular Posts

Coventry Building Society Grid Card

Coventry Building Society have recently introduced the Grid Card as a simple form of 2-factor authentication. It replaces memorable words in the login process. Now the idea is that you require something you know (i.e. your password) and something you have (i.e. the Grid Card) to log in - 2 things = 2 factors. For more about authentication see this post . How does it work? Very simply is the answer. During the log in process, you will be asked to enter the digits at 3 co-ordinates. For example: c3, d2 and j5 would mean that you enter 5, 6 and 3 (this is the example Coventry give). Is this better than a secret word? Yes, is the short answer. How many people will choose a memorable word that someone close to them could guess? Remember, that this isn't a password as such, it is expected to be a word and a word that means something to the user. The problem is that users cannot remember lots of passwords, so remembering two would be difficult. Also, having two passwords isn't real...
Post a Comment
Read more

Trusteer or no trust 'ere...

...that is the question. Well, I've had more of a look into Trusteer's Rapport, and it seems that my fears were justified. There are many security professionals out there who are claiming that this is 'snake oil' - marketing hype for something that isn't possible. Trusteer's Rapport gives security 'guaranteed' even if your machine is infected with malware according to their marketing department. Now any security professional worth his salt will tell you that this is rubbish and you should run a mile from claims like this. Anyway, I will try to address a few questions I raised in my last post about this. Firstly, I was correct in my assumption that Rapport requires a list of the servers that you wish to communicate with; it contacts a secure DNS server, which has a list already in it. This is how it switches from a phishing site to the legitimate site silently in the background. I have yet to fully investigate the security of this DNS, however, as most...
13 comments
Read more

Web Hosting Security Policy & Guidelines

I have seen so many websites hosted and developed insecurely that I have often thought I should write a guide of sorts for those wanting to commission a new website. Now I have have actually been asked to develop a web hosting security policy and a set of guidelines to give to project managers for dissemination to developers and hosting providers. So, I thought I would share some of my advice here. Before I do, though, I have to answer why we need this policy in the first place? There are many types of attack on websites, but these can be broadly categorised as follows: Denial of Service (DoS), Defacement and Data Breaches/Information Stealing. Data breaches and defacements hurt businesses' reputations and customer confidence as well as having direct financial impacts. But surely any hosting provider or solution developer will have these standards in place, yes? Well, in my experience the answer is no. It is true that they are mostly common sense and most providers will conform...
10 comments
Read more