Thursday, 28 November 2019

Is this Phishing or has HMRC re-located to the Caribbean ?

Had an email yesterday from HMRC and the included weblinks pointed to a domain in the Caribbean island of Granada .gd

Delivery-date: Tue, 26 Nov 2019 18:19:26 +0000

This had me scratching my head to tell if it was genuine or phishing. It has always been hard to tell truth from fakery on the internet and that daily task just keeps on getting harder.  With lots of companies outsourcing email handling to other organisations gmail, outlook etc the message journey from sender to received has got more complicated.

Some new processes (SPF & DKIM) have helped email programs and technical folks to tell if an email has originated from the stated source but widespread use of soft SPF configuration option ~all makes these processes less than a 100% solution.

Whilst the email turned out to be legitimate I decided to take a closer look at the contents of this email to see if my initial suspicions were founded.

Check origin and route 

The first task was to see if the source of the email, stated to be HMRC tax help and advice service, was the actual origin. Large senders of email often use separate companies to handle the email delivery and collection of responses from links inside those emails. UK HMRC helpfully has a page stating which types of communication come from what outsource organisations but does not provide much technical detail or explicit domain name. For example :
1.28 Help and support emailsHMRC will periodically send emails to customers to support their business life events. The emails will sometimes include links to relevant online digital education products, used to offer you help in relation to your business and the email will appear in your address bar as: no.reply@advice.hmrc.gov.uk.These emails will never ask you to provide personal or financial information.All emails issued from this address, are sent by Granicus (GovDelivery) our trusted email service provider.

Inside the text version of the email was

Sent on behalf of HMRC by GovDelivery GovDelivery logo [ https://subscriberhelp.granicus.com/ ]

and the source headers confirmed routing from govdelivery.com to mailhostbox.com where my inbound email arrives.
Received: from mailer086121.service.govdelivery.com (mailer086121.service.govdelivery.com [69.5.86.121])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by us2.mx.mailhostbox.com (Postfix) with ESMTPS id A68671500017
The SPF configuration appears to confirm this route and is correctly formatted.
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=69.5.86.121; helo=mailer086121.service.govdelivery.comenvelope-from=no.reply@advice.hmrc.gov.ukreceiver={{email address redacted}}

The TXT record on the advice.hmrc.go.uk also confirms sender govDelivery is authorised.

$ dig advice.hmrc.gov.uk TXT
shows 
     "v=spf1 include:service.govdelivery.com -all"

Check links and content

The anti-phishing golden rule of "don't click on links that go to sites unrelated to the sender" stands the test of time but this can be compromised by poor choices of branding over security.

The email in question has the message in two formats text and html.

In the text version
Topic Unsubscribe [ https://public.govdelivery.com/accounts/UKHMRCED/subscriber/unsubscribe_from_topic?verification {{ reference redacted }} &topic_id=3DUKHMRCED_995 ] 
In the HTML version there is a similar unsubscribe link but this looks very different:
You can unsubscribe from these help and support emails using our one-click =91https://lnks.gd/l/ {{ Long verification code redacted}} /br/71900000088=-l?verification={{ Short code redacted}} &destination=3D {{Plain text email redacted}}"

This is is where alarm bells ring. The domain used for the links lnks.gd is using a domain name .gd that is from the sunny caribbean island of Granada. Whilst I like the idea that HMRC has it's mailing list clerks working from home in the caribbean I suspect that GovDelivery has snagged what it thinks as a nice branding domain name to use for the mailing list management server.

The use of plain text emails in the unsubscribe link is also a problem littering the web server logs and web traffic with copies of sensitive personally identifiable information. The use of a foreign domain name is also troubling as internet traffic hijacking could compromise this route.

Also seen in the text version
View in browser [ https://content.govdelivery.com/accounts/UKHMRCED/bulletins/26daccd]

In the HTML version
https://lnks.gd/l/{{ reference redacted }}
Having different links between the text and html version of the same email is error prone and probably bad practice.

Conclusions

Even thought it does look like this email has been subject to a URL injection attack the far more mundane explanation that "branding has triumphed over sensible security configuration" with an unhealthy side order of bad practice prevails. Some tips for future campaigns:

  • Use the same content (text and links) for all versions of the email ( text, html, rtf).
  • Use the same TLD domain name for links and extra content as the origin of the email.
  • Make it very clear if a "technical provider" is working on behalf of an organisation by notice on the source site and delivery site. Put this in the "Contact Us" part of the website. Mention specific domain names.
  • Don't use vanity TLD domains for really important stuff unless your whole org lives under that domain.
  • Set up TXT record on your DNS record to indicate trusted email senders.
  • Use -all (not ~all) to enforce your sender policy framework 

HMRC Response

noreply.phishing@notifications.hmrc.gov.uk confirmed that ....
"We can confirm the communication you have received is from HM Revenue & Customs."

No comments: