Delivery-date: Tue, 26 Nov 2019 18:19:26 +0000
This had me scratching my head to tell if it was genuine or phishing. It has always been hard to tell truth from fakery on the internet and that daily task just keeps on getting harder. With lots of companies outsourcing email handling to other organisations gmail, outlook etc the message journey from sender to received has got more complicated.
Some new processes (SPF & DKIM) have helped email programs and technical folks to tell if an email has originated from the stated source but widespread use of soft SPF configuration option ~all makes these processes less than a 100% solution.
Whilst the email turned out to be legitimate I decided to take a closer look at the contents of this email to see if my initial suspicions were founded.
Check origin and route
The first task was to see if the source of the email, stated to be HMRC tax help and advice service, was the actual origin. Large senders of email often use separate companies to handle the email delivery and collection of responses from links inside those emails. UK HMRC helpfully has a page stating which types of communication come from what outsource organisations but does not provide much technical detail or explicit domain name. For example :1.28 Help and support emailsHMRC will periodically send emails to customers to support their business life events. The emails will sometimes include links to relevant online digital education products, used to offer you help in relation to your business and the email will appear in your address bar as: no.reply@advice.hmrc.gov.uk.These emails will never ask you to provide personal or financial information.All emails issued from this address, are sent by Granicus (GovDelivery) our trusted email service provider.
Inside the text version of the email was
Sent on behalf of HMRC by GovDelivery GovDelivery logo [ https://subscriberhelp.granicus.com/ ]
and the source headers confirmed routing from govdelivery.com to mailhostbox.com where my inbound email arrives.
Received: from mailer086121.service.govdelivery.com (mailer086121.service.govdelivery.com [69.5.86.121])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by us2.mx.mailhostbox.com (Postfix) with ESMTPS id A68671500017
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=69.5.86.121; helo=mailer086121.service.govdelivery.com; envelope-from=no.reply@advice.hmrc.gov.uk; receiver={{email address redacted}}
The TXT record on the advice.hmrc.go.uk also confirms sender govDelivery is authorised.
$ dig advice.hmrc.gov.uk TXT
shows
"v=spf1 include:service.govdelivery.com -all"
shows
"v=spf1 include:service.govdelivery.com -all"
Check links and content
The anti-phishing golden rule of "don't click on links that go to sites unrelated to the sender" stands the test of time but this can be compromised by poor choices of branding over security.The email in question has the message in two formats text and html.
In the text version
Topic Unsubscribe [ https://public.govdelivery.com/accounts/UKHMRCED/subscriber/unsubscribe_from_topic?verification {{ reference redacted }} &topic_id=3DUKHMRCED_995 ]
You can unsubscribe from these help and support emails using our one-click =91https://lnks.gd/l/ {{ Long verification code redacted}} /br/71900000088=-l?verification={{ Short code redacted}} &destination=3D {{Plain text email redacted}}"
The use of plain text emails in the unsubscribe link is also a problem littering the web server logs and web traffic with copies of sensitive personally identifiable information. The use of a foreign domain name is also troubling as internet traffic hijacking could compromise this route.
Also seen in the text version
View in browser [ https://content.govdelivery.com/accounts/UKHMRCED/bulletins/26daccd]
In the HTML version
https://lnks.gd/l/{{ reference redacted }}
Having different links between the text and html version of the same email is error prone and probably bad practice.
Even thought it does look like this email has been subject to a URL injection attack the far more mundane explanation that "branding has triumphed over sensible security configuration" with an unhealthy side order of bad practice prevails. Some tips for future campaigns:
Conclusions
- Use the same content (text and links) for all versions of the email ( text, html, rtf).
- Use the same TLD domain name for links and extra content as the origin of the email.
- Make it very clear if a "technical provider" is working on behalf of an organisation by notice on the source site and delivery site. Put this in the "Contact Us" part of the website. Mention specific domain names.
- Don't use vanity TLD domains for really important stuff unless your whole org lives under that domain.
- Set up TXT record on your DNS record to indicate trusted email senders.
- Use -all (not ~all) to enforce your sender policy framework
HMRC Response
noreply.phishing@notifications.hmrc.gov.uk confirmed that ...."We can confirm the communication you have received is from HM Revenue & Customs."
5 comments:
You can't trust any of these TLDs because you can get them for free on Freenom.com.
- .ga
- .tk
- .ml
- .cf
-.gq
10th May 2021 - Microsoft ATP (Advanced Threat Protection) component Safelinks, started blocking these lnks.gd url shortener links in emails, causing minor havoc.
Works fine the next day, Granicus and Microsoft have seemingly worked it out between them.
I agree it's a worry though, trusting in a domain linked to the ccTLD for Grenada, for UK Government Communications. Not ideal.
Granicus replied to my enquiry;
"Lnks.gd is a domain which Granicus owns and maintains expressly for the purpose of link click tracking for govDelivery. The link re-write does obfuscate the end destination URL. This is standard for secure link click tracking as any redirect which does not use encryption to hide the destination link would be vulnerable. This link tracking configuration ensures that outside actors cannot replicate the destination with an alternative destination. "
HMRC? i have just see one of these from 'USA department of revenue' with same link destinations and email servers. so how can it be true that UK HMRC confirmed it is real? anser is that it is NOT real, nor confirmed by HMRC or USA Department of revenue.
Granicus is a multinational Corp headquartered is Austin Texas and provides services to local government and municipal services in the USA, UK and other regions.
It's quite likely the US department of Revenue would use them too.
lnks.gd is a domain owned and operated by Granicus as part of the govDelivery product which is email distribution... Like mail chimp, for government.
Post a Comment