
PHISHING attack underway for Evernote accounts



I received a highly suspicious phishing email this morning.  It claimed passwords needed to be reset.

 

DO NOT CLICK ANY LINKS IN THAT EMAIL!  

(If you fully read the email, you'll note that it was a direct copy from an existing Evernote email, where they specifically warn you to NEVER CLICK A LINK IN AN EMAIL.  The attacker had then modified the email to insert links well above the warning that they didn't even read.)

 

If you hover over a link you'll notice it redirects to a non-evernote web site.

 

It then asks you to ENTER YOUR CURRENT PASSWORD.

 

If you have entered your password, you should consider yourself compromised.  Had this been a serious alert from Evernote, you would have been instructed to visit Evernote from your Bookmarks, or enter it directly.

 

At that point you should have seen a link to reset your password via email.

 

Remember people, NEVER BLINDLY TRUST AN EMAIL.  They are easily forged and companies already have established policies to verify your identity through established email accounts.

 

You may wish to reset your password immediately, especially if you have clicked a link in the aforementioned email.


While I would encourage people to go directly to the Evernote website (or any website such as a bank, credit card, etc) to change their password rather than click a link in an email, are you sure this is not a legitimate email...???  Did you read any of the hot topics in the forum discussing this?  What you describe is exactly the protocol for the recent forced password change by Evernote.


Yes, I'm not 100% "convinced" the email is legitimate.  Here's the first reply line from the header:

Return-Path: <[snipped]@bounce.evernote.mkt5371.com>

 

You should NEVER TRUST a company name in an address if it's not immediately before the very last dot (or period) in the name.  In this case, a hacker from "mkt5371.com" can set up bogus emails claiming your Microsoft, or Apple or any other account was compromised.  Seeing something like:

apple.mkt5371.com

or

microsoft.mkt5371.com 

does NOT MEAN the email came from the company you think it did.

 

There is a HOT Topic on the forums, and I did read the first page of the 100+ replies.  Nothing helpful was there.  In fact, the email can be taking advantage of another security flaw.  This may be a coordinated attack where the email is stealing login information during another breach.  

 

Lastly, releasing the mail on a Sunday means that the lowest level of staffing at Evernote is available or aware, particularly the senior level.  Those managers would be most educated on phishing activity and they would also be most likely to have the day off.


I'm pretty sure this is a legit email.  If you read the threads, it's clear EN (senior levels) are on it.  It's good to be cautious, if one thinks an email is phish.  OTOH, it's equally bad to caution people to not pay attention to an email like this.  As I said before, IMO, it's best, when confronted with something like this, to not click the links but rather go directly to the website for more information.


Exactly correct.  Always be cautious.  Never be lazy.  Type the name yourself, or use your old bookmark. 

 

In this particular case, hackers right now can be sending out millions of these emails changing the link to their own site.  

Many email systems display the most recent email first, so the duplicated phishing email may be viewed before the one Evernote might have sent.

 

I'm suddenly saddened to think that the email was legit and absolutely destroyed my confidence that Evernote has a Chief Security Officer, or at least one that has expertise in this area.


I don't know why this would shatter your confidence.  Hacking is a part of today's world & a moving target.  To modify an adage, "It's not a question of *if* you'll be hacked, but rather *when*". I think there are things EN could have done better.  Sending out 45+ million emails to alert users takes a long time.  OTOH, it's the most reliable method of contacting everyone, since not everyone reads Gizmodo or is on Twitter.  But they could have done something on the home page earlier or maybe something more noticeable on the message board.  But overall, I think EN has done very well in identifying the problem, fixing the problem & forcing password changes. 


Sadly, my confidence is much lower, mostly because my secondary training tells me that Evernote bungled this response.

 

If I understand correctly, the link took you to a site asking for your current ID and Password.

If I sent you the same email, but changed the link to:

evernote.5371mkt.com

and asked for the same info, I no longer have to brute force your salted password.  You handed everything to me.  Therefore, a well planned attack only needs to make Evernote 'think' something happened.  From there, the rest is very easy.

 

Keep in mind that if you are ever targeted for hacking, you have already lost.  That does not forgive using a security response plan that wouldn't pass the first level of an audit.


Is This EMail from Evernote, or is it PHISHING?

 

On Saturday, I received this email, which, at first glance, appeared to be a legitimate email from Evernote.  However, after closer examination it looks suspicious.

 

When I hit the Reply button I get:

 

From: Evernote Team <team@email.evernote.com>
Reply-To: "team@email.evernote.com" <team@email.evernote.com>
Date: Sat, Mar 2, 2013 12:51 PM
To: <my evernote account email address>
Subject: Evernote Security Notice: Service-wide Password Reset

 

 

However, the links in the email do NOT go to Evernote.  They go to mkt5371.com

 

Here's an example:

 

EN_EMail_Wrong_Domain.gif
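The rule given earlier in the thread (the company name must sit immediately before the last dot, so apple.mkt5371.com is owned by mkt5371.com, not Apple) applied to both the Return-Path quoted above and the links in a message like this one, as an added Python example that is not from the thread or from Evernote. The sample message, its local parts and the tracking URL are constructed; the two-label suffix set is a constructed stand-in for the Public Suffix List a real tool would consult.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed stand-in for the Public Suffix List: suffixes under which
# the registrable name is three labels long (e.g. evernote.co.uk).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

# Constructed sample modelled on the thread: a legitimate-looking From
# header, but the Return-Path and the tracking link sit on mkt5371.com.
SAMPLE_EMAIL = """\
Return-Path: <bounces@bounce.evernote.mkt5371.com>
From: Evernote Team <team@email.evernote.com>
Subject: Evernote Security Notice: Service-wide Password Reset

Reset your password here: http://links.mkt5371.com/
Or type https://www.evernote.com/ into your browser yourself.
"""

def registrable_domain(host: str) -> str:
    """The thread's rule: the name immediately before the last dot owns the
    address, so apple.mkt5371.com belongs to mkt5371.com, not to Apple."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def sender_domain(msg) -> str:
    """Domain of the bounce address (Return-Path), falling back to From."""
    for header in ("Return-Path", "From"):
        addr = parseaddr(msg.get(header, ""))[1]
        if "@" in addr:
            return addr.rsplit("@", 1)[1]
    return ""

def link_hosts(body: str) -> list:
    """Hostnames of every http(s) URL in the body (what hovering reveals)."""
    urls = re.findall(r"https?://[^\s\"'<>]+", body)
    return [urlparse(u).hostname or "" for u in urls]

def suspicious_domains(raw_email: str, expected: str) -> dict:
    """Map each sender or link host whose registrable domain is not
    `expected` to the domain that really owns it; empty means all match."""
    msg = message_from_string(raw_email)
    body = msg.get_payload() if not msg.is_multipart() else ""
    hosts = [sender_domain(msg)] + link_hosts(body)
    return {h: registrable_domain(h)
            for h in hosts if h and registrable_domain(h) != expected}
```

Running `suspicious_domains(SAMPLE_EMAIL, "evernote.com")` flags both the bounce address and the tracking link as belonging to mkt5371.com, while the www.evernote.com link passes.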


It is not phishing. It is the legitimate email from Evernote using another service. It is confusing, and Evernote staff have acknowledged it. I took the liberty of merging your thread with this existing one. 


Once again, EN let marketing needs outweigh the right thing to do.  Clearly there was NO need to have any links in the EMail.

 

LOL. Well, I think Dave Engberg would agree, because that is what he wrote in his email with links! As I understand it from dlu's comment, this caught them at a bad time, and they made the best of the situation by sending out the email this way. It makes sense that they have to rely on a specialized service to contact their users, because I am not sure that 50 million email addresses would fit into my CC field. Anyhow, it shouldn't happen again, if I am understanding dlu's comment correctly: "We used to send our announcements through software we run locally, but we're in the middle of a switch to SilverPop for delivering newsletters and announcements. They were the only way we could deliver 40 million emails in less than 24 hours, and we didn't have the experience to configure that mailing the way we should have. In the future, we'll absolutely make sure that we don't send similar emails with sketchy-looking links."


GM, I have no issue with EN using a 3rd party service to deliver the emails.  The issue is that links were in that email to domains other than Evernote.com.  The email could easily have been crafted WITHOUT any links, directing the user in TEXT to go to the Evernote.com web site and change their password.

 

The links were there so that marketing could track user response.


I think we agree. The links should not have been there. They were probably not surreptitiously put there by marketing, but were in that form so that Evernote could get a sense of how many people read the emails and responded to them. Again, I don't think the links should have been there, and the text of the email even says not to click on links like that, so clearly this could have used another proofreading session before it went out. My guess is that (as dlu said) this will not happen again. 


Unfortunately this seems typical these days of Evernote's QA and debugging process.  Sorry, but I just find this sloppy.  In times of emergency, you always have to make sure what you do doesn't cause more harm than good.  How could the person that wrote the email text that states "don't click on email links" allow an email to go out with links???  It's called due diligence of your own work -- seems rare these days.

 

I have been responsible for sending out broadcast emails in the past.  A cardinal rule is that you always make a test run that includes several different people who have NOT read the draft to make sure nothing is overlooked.


Now that's a good, balanced article - Sophos says "This was just carelessness on Evernote's part.." and "You could certainly understand why someone freaked out by the Evernote security breach would be alarmed to receive an email with links like that"

 

A sober analysis, without dramatics, of just what happened - and Evernote have already accepted they should have done better.


We apologize for the confusion caused by the mysterious url in our email to some users advising them to change their passwords.  We had just initiated a new email service, which we need to use in order to send emails to all our users on an expedited basis, and that service included a tracking code.  We didn’t notice this link until the emails had started to be delivered, at which point we corrected this.  However, as we noted in our email, your better choice is to go directly to the site where you need to access information or change any of your settings.  In our case, if you haven’t yet changed your password, please go directly to our site at Evernote.com.

  • 1 year later...

This mail was sent to me, I don't know what the angle is but I got a similar message to Facebook from an unknown "who thought my profile was very interesting".. (I have no profile info linked to my Evernote account.)

Any other "interesting male" who got any message like this?

"jessica1312 has sent you a new personal conversation entitled "HI".

jessica1312 said:

======================================================================

jessica_2vndaye@yahoo.com

My name is jessica I saw your profile today at (evernote.com) and became interested in you, I will also like to know you the more, and I want you to send a mail to my email address so I can give you my picture for you to know whom I am. Here is my email address (jessica_2vndaye@yahoo.com) I believe we can move from here. I am waiting for your mail to my email address above. jessica. (Remember the distance or colour does not matter but love matters a lot in life)

Please reply me with my email address here

jessica_2vndaye@yahoo.com

======================================================================

PLEASE DO NOT REPLY DIRECTLY TO THIS EMAIL!

You can reply to this personal conversation by following the link below:

https://discussion.evernote.com/index.php?app=members&module=messaging&section=view&do=showConversation&topicID=10555#msg16403"


Ah, so this isn't being emailed to you, this is a private message being sent within the forum software. 

The email you received was just a notification from the forum software that you received a private message, just like if I were to private message you, or if an EN employee were to message you. This spamming user did not send this to your email and there's no reason to assume this particular spammer has your email address. This all took place within the forum. 

 

I've seen a bit of the PM spam myself, and unfortunately it is very difficult for us moderators to deal with (except if we are the victim, which we periodically are) because we can't see your private messages, and unless we see the spam (such as if they make a public post here, or spam us), we can't tell who are legitimate accounts and who are using accounts to spam. 

 

Best thing to do is to go to the spamming user's forum profile and report their user account so we can ban them. 

 

 

EDIT: I think the facebook thing might just be a case of coincidental timing. 


The main thing with this sort of spam is: 

  1. Don't Panic! However the message gets to you, someone, somewhere is trying to bluff you into responding - to give them an email address to target for further spam.
  2. Don't Respond in any way.  (See 1)
  3. Report the message (as Scott said) and delete it.

I'm such a fascinating person that I've had a few of these, some for profiles on services that I don't even have an account for...

Archived

This topic is now archived and is closed to further replies.
