Security Experts - what do you think about this situation?

Suppose that an organisation of which you are a member sends you a mail which says “We need your bank details so that we can send you money we owe you. Please click the link in this message to go straight to the screen where you can enter bank details”.

Also:

a) They legitimately do use your bank details to send you money as part of their business model, but…

b) They already have your correct bank details and have been successfully sending money to you for over a year

c) The link (yes, I clicked it … I live on the wild side. No, obviously I did NOT go prepared to enter any information about myself whatsoever) does in fact correctly go to the appropriate page of the organisation’s website, which is clearly not spoofed. But the link also contains about three lines of unreadable encoded text which could be doing just about anything.

What is likely to be going on here? Just a case of the helpdesk left hand not knowing what the programming right hand is doing? Or is it possible for an exploit to rewrite the code on the target organisation’s website so that if you do enter information after clicking the link, it funnels back to a third party?

Organisation in question doesn’t seem to think they have a problem, but I think they have a problem (not least that my email to them querying all this seems to have been answered by a random helpdesker, not an actual security expert, and then closed with a breezy “oh, I’m not sure why we sent you that mail but don’t worry - we do already have your details on file!”).

I’d say it is spoofed. Scammers are known to create replicas of bank (and other) sites.

Verifying that the link really goes to the organization’s web site is not entirely trivial. Did you verify that it’s an https link, that the domain name is correct, and that all of the characters in the domain name are ASCII (to avoid a homograph attack)? Of course with enough effort anyone can set up a web site that appears to be some other legitimate web site.

A third party could modify the code on the real organization’s web site only if their web server has been breached. That’s possible but is I think one of the less likely possibilities.
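As an added example (not posted by anyone in this thread), the three checks suggested above, written as a small Python function: is the link https, is the host the domain you already trust, and is every character in the host plain ASCII. The domain example.org and the URLs in the test are constructed placeholders.

```python
from urllib.parse import urlsplit


def inspect_link(url, expected_domain):
    """Return findings for a link from an email, checked against the domain
    you already trust (expected_domain is a constructed placeholder here)."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # lower-cased, port and userinfo removed
    labels = host.split(".")
    findings = {
        # plain http gives no certificate check at all
        "https": parts.scheme.lower() == "https",
        # must be the trusted name or a subdomain of it; "example.org.evil.test"
        # merely contains the name and must fail
        "domain_matches": host == expected_domain
        or host.endswith("." + expected_domain),
        # any non-ASCII character in the host is a homograph red flag
        "host_is_ascii": host.isascii(),
        # an xn-- label is an already-encoded internationalised name
        "no_punycode": not any(label.startswith("xn--") for label in labels),
        # "https://trusted.example.org@evil.test/" shows the trusted name first,
        # but the real host is whatever follows the '@'
        "no_userinfo": parts.username is None and parts.password is None,
        # long opaque query strings are usually tracking tokens; note the size
        "query_length": len(parts.query),
    }
    checks = ("https", "domain_matches", "host_is_ascii", "no_punycode", "no_userinfo")
    findings["looks_sane"] = all(findings[key] for key in checks)
    return findings
```

Paste the link from the email (right-click, copy link address, so you never have to open it) and compare the findings with the domain printed on the organisation’s own paperwork.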

What I did (and I hope this procedure didn’t leave me vulnerable, but I think that my policy of “entering no information at all” kept me secure enough) was to click the link and observe that it opened (on my usual browser) the finance details of my account at that org, where I observe my bank info was recorded correctly.

I then logged out of the account on that browser, clicked the link again, and it took me to the login page (which I then exited without putting in any details, of course).

Homograph attack is a good idea that I hadn’t thought of though. But I think it can’t have been that, because the first experiment served up info that a phisher couldn’t possibly have (because if they did have it, they wouldn’t bother sending a mail in the first place)

The mechanism I wonder about (possibly in an over-paranoid way) is whether a link could serve you up information that was legitimately from the target organisation but rewrite the JavaScript on that page so that any information you entered was then sent to the phisher, not the target org.

Put in nonsense login details. If you get to the next page, it’s obviously fake*

(*I’m nearly 100% sure it’s fake already, based on your description of what it is)

Under normal circumstances, the only way to layer malicious code over a legit website is if either the server or your machine is compromised in some way.
I suppose there can be man-in-the-middle type attacks where you are presented with a fake page, which is relaying everything you enter to the real page, and relaying the responses back to you, but in these cases, it should still be possible to determine that you are not at the correct URL - either because it just looks wrong, or doesn’t have a legit certificate.

I wonder how you reach that conclusion. I’m nearly 100% sure it’s NOT fake, based on the fact that the page contained private banking details that a fake site would have no way to get (and would not need the user’s participation if they already had it). Although if the email originated from the real organization I’m puzzled by it asking for information that the real organization already has.

At this point I would examine the original email in more detail, looking at the Received chain to confirm where the email originated. It should be possible to determine who sent the email this way. It’s possible it’s a spoofed email that happens to contain a link to the real organization’s site, although what the purpose of such an email would be is not clear to me.
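As an added example (not from anyone in this thread), a Python routine that walks the Received chain the way the post above suggests, oldest hop first, and compares the host that handed the mail in with the domain the From header claims. The message, hosts, addresses and IPs are constructed placeholders.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message; every host, address and IP is a placeholder.
# Each server prepends its own Received header, so the LAST one is the
# earliest hop, i.e. the one nearest the real sender.
RAW_MESSAGE = b"""\
Return-Path: <bounce@bulkmailer.example.com>
Received: from mx.example.org (mx.example.org [203.0.113.10])
\tby inbox.example.net with ESMTPS id abc123; Mon, 1 Jan 2024 10:00:02 +0000
Received: from bulkmailer.example.com (unknown [198.51.100.7])
\tby mx.example.org with ESMTP id def456; Mon, 1 Jan 2024 10:00:01 +0000
From: Finance <finance@example.org>
"""


def _field(pattern, text):
    match = re.search(pattern, text)
    return match.group(1) if match else None


def _domain(header_value):
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def analyse_origin(raw):
    """Walk the Received chain oldest hop first and compare the entry point
    with the domain the From header claims. Only hops written by servers you
    trust are reliable: a sender can forge any Received header below them."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(str(header).split())          # unfold, squeeze spaces
        hops.append({"from": _field(r"\bfrom\s+(\S+)", text),
                     "ip": _field(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", text),
                     "by": _field(r"\bby\s+(\S+)", text)})
    origin_host = hops[0]["from"] if hops else None
    from_domain = _domain(msg["From"])
    return {
        "hops": hops,
        "origin_host": origin_host,
        "origin_ip": hops[0]["ip"] if hops else None,
        "from_domain": from_domain,
        "return_path_domain": _domain(msg["Return-Path"]),
        # an origin outside the From domain is not proof of spoofing (bulk
        # mailers are common) but it is the first thing to ask the sender about
        "origin_in_from_domain": bool(origin_host) and (
            origin_host == from_domain or origin_host.endswith("." + from_domain)),
    }
```

Feed it the raw source of the real message (most mail clients offer "show original" or "view source") and read the hops from the first trusted server outwards.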

I don’t have a GQ answer per se, but IF it’s an https link, and IF you’re using a modern, up to date browser, it’s unlikely to be any kind of phishing attack.

Note the fact that you saw your actual information after clicking the link is not evidence alone of it being legitimate. Man-in-the-middle attacks can pass your credentials on to the real website and then display the results to you, or even simply log your credentials for later use and then redirect you to the real website without you knowing.

Since you didn’t enter your credentials the first time, the site is using a cookie to log you in. Your browser will only send a cookie from domain X with requests to domain X, so for instance, that wouldn’t work with a homograph attack. The attacker would need to have compromised your DNS resolution somehow, which is unlikely in this case, especially if you’re at home.

Regarding the extra characters in the link, IF it’s an https link, then those characters are going to be encrypted between your browser and the organization’s server. I suppose there could be a vulnerability in the organization’s site code that converts the query string to executable code, but… we’re sort of getting into very unlikely scenarios here.

IF it’s an https link, and IF your modern, up-to-date browser isn’t screaming alarm bells at you, then it stands to reason that the URL matches the SSL certificate of the website, and the SSL certificate was signed by a trusted root authority, and everything is most likely just fine.

My guess is that the extra characters are for tracking receipt of the email, so when you log in they can tie that login to a specific action on their end (sending you said email). As I’m sure you already know, putting a link to your account in an email is not “best practice” for precisely this reason. They should be informing you of what you need to do, and then leaving it up to you to navigate to the website via some other means. But there’s a trade-off between security and convenience, and if they’re letting you log in with a cookie, they’re leaning towards convenience on things already.

I’m not following this. The OP said they just clicked on the link and saw their private information. They didn’t manually log in, so if it’s a man-in-the-middle attack, where did it get the credentials to pass on to the real web site?

From the cookie where the user authentication token would be stored. Upon receiving the cookie from the browser, the man-in-the-middle could pass that cookie onto the real website and then pass the results back to the browser.

Obviously there are mitigations for this and SSL makes it difficult/unlikely, but a properly executed man-in-the-middle attack will be transparent to the user, so simply seeing what you’re expecting to see when you access a website is not, in itself, evidence that a man-in-the-middle attack is not occurring.

How could the fake site access the cookie for the real site?

Oh, I just reread your post and you’re assuming a DNS hijack as well. I’d say this combination of attacks is extremely unlikely.

Or, display the bank page correctly in the browser, the normal way, but in a window, as a method of injecting cross-site JavaScript. In its simple forms, this is, like the other man-in-the-middle method, prevented by https if you are paying attention.

It could reasonably be legit. Some companies remain just plain stupid and actually do send out emails like this. I was doing some work a few years ago for a local university-owned high-performance computing service group. They sent out an email to every user (mostly to dopey academics*) requiring everyone to change their password. And included a link. Insane. It was exactly a simple phishing attack email in every form, except that it was legitimate. I got straightforward hostility from everyone involved, including the manager of the IT group who made comments about tinfoil hats when I raised this. They weren’t the sharpest knives in the drawer.

A more nefarious phishing attack would send you multiple emails that have a legit link in them, building trust that they are to be trusted. Then they send out emails with the bad link, and expect that many users won’t be suspicious when presented with a login screen even if they were already logged in.

*Dopey Academic is usually one word. It is astounding how useless many are once outside their field of expertise. Phishing attacks can find fertile ground in universities.

Thanks for everyone’s replies.

I’m leaning towards thinking that it was probably a legitimate email, scripted by someone who did a Dumb Thing ™ and messed up the database query telling them which users in the system ought to be getting the mail.

I did think to myself ‘well, THIS is why you don’t send mass mails to your clients with clickable links to secure pages!’ so glad to have that intuition confirmed by others in the thread too.

My default position is to distrust. This case might be genuine, and I might be wrong, but if this was happening to me, an email saying “We need your bank details so that we can send you money we owe you. Please click the link …” fails right there to win my trust. It doesn’t matter what happens after that.

My bank regularly sends me emails warning me that they will never send me a link in an email. I repeatedly remind my family to never click such links whoever they say they are.

My bank sends me an email telling me that there is a new message for me on their web site and asks me to log in. No links whatsoever in the message.

Same goes for medical care and various other information sensitive sites I use.

This was my guess too, based on the data. I’ve seen American Express do this! Talk about folks who should know better…

In defense of the organization in question here, based on what the OP says, it’s not a bank, but rather an organization that makes payments to their bank and saves that banking information. It could just be the account and routing numbers, which are of course printed on every check you hand out. I don’t believe there’s a lot you can do with that information, other than give people free money, but I’m out of my element here – while I have to understand web security as part of my job, I don’t deal with financial information.

Banks by and large don’t include links in their emails, but lots of websites do, and that’s probably fine for a lot of them. The SDMB for example, I wouldn’t see a huge issue with.

Not a security expert but I never respond to anything directly in circumstances like this, instead I contact the alleged sender via a reliable communication channel not listed in the email.

So in this case just email/call your HR/payroll people directly using the email/number from the company directory not the one in the email.