Monday, September 17, 2007

Shame on Wells Fargo or Shame on Me?

Friday was a busy day, but I found a little time to check my gmail account. My peak performance brain has been trained to immediately key on certain words that appear in my inbox and classify them as threats, either phishing or spam. You know words such as “Alert”, “PayPal”, “Warning” and “eBay”? This time my brain tells my eyes to check out this email labeled “Wells Fargo Online Notification of New Legal Notices”.

There are three primary reasons why I am particularly interested in this email. One, I am a Wells Fargo customer. Two, I signed-up for email updates and regularly get emails from the company. And three, gmail typically does a great job of filtering out phishing attempts from my inbox. So I open the email.

The email looks legit to me.

A Phish is a Phish?
I have been training users for the last couple of years to NEVER click on a link in an email to a login page, then proceed to login. I assumed that this is a “best practice” to protect oneself from phishing. I am always skeptical. Did this email really come from Wells Fargo? I check the header of the email, looks good. I check the links, look good. I check the html code, still looks good.

This legitimate Wells Fargo email goes against what I thought were best practices in regards to phishing prevention. Being the concerned (paranoid) information security guy that I am, I emailed with the following:

date Sep 14, 2007 1:50
subject Fwd: Wells Fargo Online Notification of New
Legal Notices

To whom it may concern:

It appears that the email depicted below actually came from Wells
Fargo. The email contained links that went to your login page and
asked people to sign in. Wells Fargo should not be sending emails
like this to your customers! It goes against everything that we try
to teach people with respect to phishing.

Concerned customer

Surely Wells Fargo knows much more about phishing than I ever could, so am I wrong?
Read more!

Tuesday, September 11, 2007

Where Have I Been?

You may have been wondering where I have been for most of the last two weeks (maybe not!), and here I am to tell you.

I have started a new blog and have been spending much of my time creating content for it and getting it up to speed. The blog is "The Breach Blog" where I have been researching and providing commentary on breaches that have occured over the last month or so. I am motivated to share breaches with the public, provide insight from a security point of view, and give people a place where they can come and voice their opinions publicly. Basically, I get great satisfaction from helping people who don't know any better.

Information for The Breach Blog is compiled from a variety of sources including (but not limited to):

- The Data Loss Archive and Database (pioneers in breach disclosure)
- Privacy Rights Clearinghouse
- Google Searches
- News sources
- State government sites
- Victim emails

I hope that people from all walks find value in the information provided.

The Trusted Toolkit Blog will start to get more attention again soon as I begin to divide my time more and get more organized. I'll be back...
And here is the rest of it.
Read more!