Therefore, I’m blogging what I know, in the hope that perhaps someone else will be able to look at the facts and point out something I missed about why this is going on.

A few days ago, I received an automated email message from the “Starwood Preferred Guest” program which began, “Thank you for contacting Starwood Preferred Guest.” Except I hadn’t.

I assumed that a spammer had sent spam with my return address to Starwood, so I just ignored it.

However, later that day, I received this message from Starwood:

Dear Jonathan Kamens,
Thank you for contacting Starwood Preferred Guest. I hope this email finds you well.
I must apologize but I am unable to determine exactly what your inquiry is regarding. If you would please reword your question or add more detail we would be pleased to assist you.
We are always available to assist you; feel free to chat with us online, have us call you, or if you prefer, simply reply to this email. Have a lovely evening.

Best Regards,

[name elided]
Specialist, E-Communications Department
Starwood Hotels & Resorts Worldwide

Original Message Follows:
————————
SPG Number: *******24
Subject: Benefit Clarifications
Comments: In the moment two persons must give me money they are Ingrid Betancourt and Guy André-Kieffer these two persons must give me two milliards [sic] of dollars.
First Name: Diallo
Last Name: Mamadou Oury
Email Address: jik@kamens.brookline.ma.us
Membership Level: E

Note that whoever wrote to Starwood (through a form on their Web site, I suspect) gave the name “Diallo Mamadou Oury”, but when Starwood wrote back to me, they used my real name! I thought at the time that they must have looked up my name from my email address, since I was at one point a member of the Starwood program, but I just called their customer server number and asked them to look up my account by name or email address, and they were unable to do so. I just sent them an email message asking where they got my name from; I will update this blog entry when I hear back from them about it.

Note also that Ingrid Betancourt and Guy André-Kieffer are real, prominent people. Bizarre!

Anyway, I wrote back to Starwood and told them that somebody was clearly just misusing my email address, and they should ignore it. I thought that was the end of it.

Now it gets crazy.

Earlier today, I got this from Google:

Congratulations on creating your brand new Gmail address,
ibsondao.mamadou331@gmail.com.
Please keep this email for your records, as it contains an important verification code that you may need should you ever encounter problems or forget your password.

You can login to your account at http://mail.google.com/

Enjoy!

The Gmail Team

Verification code: [elided]

If you didn’t create this Gmail address and don’t recognize this email, please visit: http://mail.google.com/support/bin/answer.py?answer=62400

WTF? What benefit would someone get from creating a Gmail account and using someone else’s email address as the recovery address?

Thinking fast, I immediately used the fact that this person listed my email address for recovery to change the account’s password and security question. So whatever he was intending to do with this account, which I honestly can’t imagine, he isn’t going to be able to.

Note that whoever created the Google account gave the name “Diallo Mamadou”, which matches what he gave to Starwood, but doesn’t match the email address he chose, where he instead used the name “Ibso Ndao Mamadou”.

So, does anybody have any ideas about what’s going on here?

About six months ago, I started getting spam from an email address that I had only used in one place: signing up one of my kids for a Scholastic, Inc. book club through their web site back in 2007.

I contacted Scholastic and told them that either they were selling my email address and it needed to stop, or they had suffered a data breach of at least customer email addresses, if not more.

In response, Scholastic’s CISO informed me that Scholastic doesn’t sell email addresses to third parties; their children’s book club business was sold to Sandvik Publishing in 2008; the email address in question was no longer in Scholastic’s database; and I should contact Sandvik if I wished to pursue the matter further.

I sent a reply to the CISO which read as follows:

I don’t recall ever being asked whether I considered it OK for Scholastic to sell my PII to another company. This is especially disturbing since at that point I was no longer a customer of Scholastic’s for the business that was sold.

Granted, your privacy policy gives you the legal right to sell any information you collect to anyone you want. The fact that you are legally permitted to do that doesn’t make it right.

Your privacy policy also says, “Scholastic ensures that all personally and non-personally identifiable information that it receives via the Internet is secure against unauthorized access.” Alas, you apparently do not consider it your responsibility to ensure that the third parties to whom you sell PII keep it as secure as you claim to do yourselves. That is rather disappointing.

I will contact [Sandvik] as you have suggested. However, if I were in your shoes, I would be extremely concerned that a third party to whom Scholastic had sold PII allowed it to be compromised, and I would consider it my responsibility to investigate the issue myself, rather than leaving the wronged (former) Scholastic customer entirely on his own.

I received no further response from Scholastic.

I then contacted the president of Sandvik. He insisted that Sandvik also does not sell email addresses, and that it was simply impossible that my address could have been leaked through them, since the only place they have it is on a USB drive locked in a safe. They said it was more likely that the address was stolen by someone from my mail server or computer.

I explained in response that the the only place this address could be found on my computer was in a three-year-old, compressed email archive in a totally non-standard location in my home directory, and that I ran my own Linux mail server which I actively monitored on a daily basis, which had never shown any evidence of any sort of successful intrusion, and which in any case was hardly an attractive target for spammers to go to the trouble of harvesting email addresses from, since it serves only the people in my family.

For this, and various other reasons I pointed out, it was far more likely that the address had been stolen at some point from Sandvik. I also pointed out that the data breach laws in many of the states in which Sandvik does business would seem to require Sandvik to initiate an investigation into the breach and/or to report it to various state governments. At this point, Sandvik, too, stopped responding to my emails.

There’s really no way of knowing whether my email address was actually stolen from Scholastic or Sandvik. I don’t save mail server logs back far enough to know when I first started getting spam at that address, and even if I did, there’s no guarantee that spammers would have started using the address immediately after getting their hands on it, nor is there any guarantee that Scholastic completely destroyed the data immediately after selling the business to Sandvik. Scholastic and Sandvik both refuse to acknowledge the possibility that email addresses and possibly more PII were stolen from them, and it’s unlikely that a nobody like me would be able to convince them to take this more seriously, so I stopped trying.

I’d like to contrast the poor handling of the email address breach by Scholastic and/or Sandvik with an email message I just got from Brookstone:

++++++++++++Important E-Mail Security Alert++++++++++++

Dear Valued Brookstone Customer,

On March 31, we were informed by our e-mail service provider that your e-mail address may have been exposed by unauthorized entry into their system. Our e-mail service provider deploys e-mails on our behalf to customers in our e-mail database.

We want to assure you that the only information that may have been obtained was your first name and e-mail address. Your account and any other personally identifiable information are not stored in this system and were not at risk.

Please note, it is possible you may receive spam e-mail messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties.

In keeping with best industry security practices, Brookstone will never ask you to provide or confirm any information, including credit card numbers, unless you are on our secure e-commerce site, Brookstone.com.

Our service provider has reported this incident to the appropriate authorities.

We regret this has taken place and for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

Sincerely,

Brookstone Customer Care

It turns out that the provider who leaked Brookstone’s address list was Epsilon, and they also leaked the lists of a bunch of other clients, many of them more frightening (because of the risk of spear phishing attacks) than Brookstone. See Krebs on Security for details.

It’s unfortunate that Brookstone allowed a breach of email addresses and the first names associated with them, because spammers will use the first names to help them evade people’s spam filters and execute more convincing and successful phishing attacks. Having said that, Brookstone deserves a great deal of credit for sending out this notification. Furthermore, if the timeline in the notification is true, then they sent it out two days after being notified about the breach, which is all the more impressive.

Update [4/5/2011]: I’ve now also been contacted about the Epsilon breach by 1-800-FLOWERS.COM and Walgreens. Woohoo!

Update [4/6/2010]: Add Chase to the list. It’s sort of sad that it took Chase, a bank, three days longer to notify me than Brookstone, a high-end luxury toys merchant.

(click for full-size image)

Devious, eh?

Needless to say, I did not participate in the “anonymous survey.”

]]> http://blog.kamens.us/2010/12/17/devious-domain-typo-hijacking/feed/ 0 http://blog.kamens.us/2008/07/30/fascinating-phishing-attack/ http://blog.kamens.us/2008/07/30/fascinating-phishing-attack/#comments Wed, 30 Jul 2008 19:15:27 +0000 jik http://blog.kamens.brookline.ma.us/~jik/wordpress/?p=241 A phishing message in my spam folder caught my eye today, so I decided to take a closer look at it.

It claimed to be from CapitalOne.  It had a legitimate sender address, a legitimate Subject line (“Please Call Us Regarding Recent Restrictions”), and convincing-looking content that was mostly lifted straight from a real CapitalOne email message.  Most importantly, all of the links in the message were legitimate links pointing at capitalone.com URLs.

The only text in the message that was not boilerplate was this:

Please Call Us Regarding Recent Resctriction [sic]

This is not a promotional e-mail. Please call us immediately at (866) 496-5027 regarding recent activity on your Capital One Card. We’re available 24/7 to take your call.

Please disregard this e-mail if you’ve already call us since the date this e-mail was sent.

We appreciate your prompt attention to this matter.

Thank you
Capital One Card Fraud Prevention Security Department

Here’s what makes this phishing message different from others I’ve seen: the “hook” is the phone number, not the links in the email body.

Here’s what you hear, recited in a female computer-synthesized voice, when you call the number shown above:

Welcome to the the card activation center.  Please remember that we will never ask for your personal information such as your social security number, passwords, card numbers, etc. via email.  Please enter your card number followed by the pound key.

[doesn't matter what you enter here]

Please enter your personal identification number associated with this card followed by the pound key.

Please enter your four-digit expiration number [sic] (months year) followed by the pound key.

Please hold while your card is activated.

The card number, personal identification number or expiration date doesn’t match with our records.

[starts over]

Obviously, whoever set up this toll-free number is collecting card numbers, expiration dates and PINs, which they will then either sell or use to obtain cash advances from ATMs.

I wish there were somewhere I could report this scam to get the toll-free number taken down, but I honestly have no idea who would be interested in doing something about this and able to act quickly.