INSUBCONTINENT EXCLUSIVE:
It was the one of the best phishing emails we&ve seen… that wasn&t.
Phishing remains one of the most popular attack choices for scammers
Phishing emails are designed to impersonate companies or executives to trick users into turning over sensitive information, typically
usernames and passwords, so that scammers can log into online services and steal money or data
But detecting and preventing phishing isn&t just a user problem — it a corporate problem too, especially when companies don&t take basic
cybersecurity precautions and best practices to hinder scammers from ever getting into a user inbox.
Enter TriNet, a human resources giant,
which this week became the poster child for how how to make a genuine email to its customers look inadvertently as suspicious as it
gets.
Remote employees at companies across the U.S
who rely on TriNet for access to outsourced human resources, like their healthcare benefits and workplace policies, were sent an email this
week as part of an effort to keep employees &informed and up-to-date on the labor and employment laws that affect you.&
Workers at one Los
Angeles-based health startup that manages its employee benefits through TriNet all got the email at the same time
But one employee wasn&t convinced it was a real email, and forwarded it — and its source code — to TechCrunch.
TriNet is one of the
largest outsourced human resources providers in the United States, primarily for small-to-medium-sized businesses that may not have the
funding to hire dedicated human resources staff
And this time of year is critical for companies that rely on TriNet, since health insurance plans are entering open enrollment and tax
season is only a few weeks away
With benefit changes to consider, it not unusual for employees to receive a rash of TriNet-related emails towards the end of the year.
But
this email didn&t look right
In fact when we looked under the hood of the email, everything about it looked suspicious.
This is the email that remote workers received
TriNet said the use of an Imgur-hosted image in the email was &mistakenly& used
(Image: TechCrunch/supplied)
We looked at the source code of the email, including its headers
These email headers are like an envelope — they say where an email came from, who it addressed to, how it was routed, and if there were
any complications along the way, such as being marked as spam.
There were more red flags than we could count.
Chief among the issues were
that the TriNet logo in the email was hosted on Imgur, a free image-hosting and meme-sharing site, and not the company own website
That a common technique among phishing attackers — they use Imgur to host images they use in their spam emails to avoid detection
Since the image was uploaded in July, that logo was viewed more than 70,000 times until we reached out to TriNet, which removed the image,
suggesting thousands of TriNet customers had received one of these emails
And, although the email contained a link to a TriNet website, the page that loaded had an entirely different domain with nothing on it to
suggest it was a real TriNet-authorized site besides a logo, which if it were a phishing site could&ve been easily spoofed.
Fearing that
somehow scammers had sent out a phishing email to potentially thousands of TriNet customers, we reached out to security researcher John
Wethington, founder of security firm Condition:Black, to examine the email.
It turns out he was just as convinced as us that the email may
have been fake.
&As hackers and self-proclaimed social engineers, we often think that spotting a phishing email is ‘easy&,& said
&The truth is it hard.&
&When we first examined the email every alarm bell was going off
The deeper we dug into it the more confusing things became
We looked at the domain name records, the site source code, and even the webpage hashes,& he said.
There was nothing, he said, that gave us
&100% confidence& that the site was genuine until we contacted TriNet.
TriNet spokesperson Renee Brotherton confirmed to TechCrunch that the
email campaign was legitimate, and that it uses the third-party site &for our compliance ePoster service offering
She added: &The Imgur image you reference is an image of the TriNet logo that Poster Elite mistakenly pointed to and it has since been
removed.&
&The email you referenced was sent to all employees who do not go into an employer physical workspace to ensure their access to
required notices,& said TriNet spokesperson.
When reached, Poster Elite also confirmed the email was legitimate.
This is not a phishing
site, but it sure looks like one
(Image: TechCrunch)
How did TriNet get this so wrong? This culmination of errors had some who received the email worried that their
information might have been breached.
&When companies communicate with customers in ways that are similar to the way scammers communicate,
it can weaken their customer ability over time to spot and shut down security threats in future communications,& said Rachel Tobac, a
hacker, social engineer, and founder of SocialProof Security.
Tobac pointed to two examples of where TriNet got it wrong
First,it easy for hackers to send spoofed emails to TriNet workers because TriNet&sDMARC policy on its domain name is not enforced.
Second,
the inconsistent use of domain names is confusing for the user
TriNet confirmed that it pointed the link in the email — posters.trinet.com — to eposterservice.com, which hosts the company compliance
posters for remote workers
TriNet thought that forwarding the domain would suffice, but instead we thought someone had hijacked TriNet domain name settings — a type
of attack that on the increase, though primarily carried out by state actors
TriNet is a huge target — it stores workers& benefits, pay details, tax information and more
We had assumed the worst.
&This is similar to an issue we see with banking fraud phone communications,& said Tobac
&Spammers call bank customers, spoof the bank number, and pose as the bank to get customers to give account details to ‘verify their
account& before ‘hearing about the fraud the bank noticed on their account — which, of course, is an attack,& she said.
&This is
surprisingly exactly what the legitimate phone call sounds like when the bank is truly calling to verify fraudulent transactions,& Tobac
said.
Wethington noted that other suspicious indicators were all techniques used by scammers in phishing attacks
The posters.trinet.com subdomain used in the email was only set up a few weeks ago, and the eposterservice.com domain it pointed to used an
HTTPS certificate that wasn&t associated with either TriNet or Poster Elite.
These all point to one overarching problem
TriNet may have sent out a legitimate email but everything about it looked problematic.
On one hand, being vigilant about incoming emails is
And while it a cat-and-mouse game to evade phishing attacks, there are things that companies can do to proactively protect themselves and
their customers from scams and phishing attacks
And yet TriNet failed in almost every way by opening itself up to attacks by not employing these basic security measures.
&It hard to
distinguish the good from the bad even with proper training, and when in doubt I recommend you throw it out,& said Wethington.
We found a
massive spam operation — and sunk its server
