Tuesday, March 04, 2008


Amtrak phishes its own customers

On 13 Feb I received email from “Amtrak <amtrak@amtrak.bfi0.com>”. See the image below. In short, the email tells me that “changes are coming”, and that “Prior to this update, we ask that you log in to verify the accuracy of the information in your account.” There are several web links in the message that point to Amtrak web sites, but the key one, the one that says “Go to Amtrak.com Now and Update Your Profile”, links to “http://amtrak.bfi0.com/W0RH01300F84...redacted...30”.

[Image: Suspicious-looking Amtrak mail]

Now... as best I can tell (no, I did not click on the link), this actually is legitimate. I made an Amtrak reservation last week, about two weeks after having received that message, and they have changed the way I have to log in (using my email address, rather than the user name I’d created before).[1] But the email message used Epsilon’s email service (bfi0.com), which they’ve apparently contracted to do their mailings, and the key link points back to Epsilon, not to Amtrak.

If this was, indeed, a legitimate mailing, I have something to say to Amtrak about it: You made a big mistake by contracting your mailings to that company. This email message looks exactly like a phishing message that’s trying to steal my login and password information. Don’t you know, as most of the rest of the world does by now, not to send out messages like that?

More specifically, here’s what makes it look like phishing:

  1. The message claims to be from Amtrak, but does not use an amtrak.com address.
  2. The premise of the message is the same as in many phishing messages: we’re changing our system, and we need you to log in and “verify” your information. It couldn’t match better if a phisher had written it.
  3. All of the links that don’t matter are the real ones, but the operative link, the one you’re meant to click on, points to something else, something that’s not amtrak.com.
  4. Making number 3 worse, the funny URL has a lot of random-looking junk in it.
  5. It uses one of those suspiciously folksy signatures, “The Amtrak E-commerce Team”. As I said, it looks like a phisher actually wrote it.

And, the clues that it’s real? There are two. One is that it calls me “Barry”, which a phisher would probably not. They could have made a point of telling me that, but they didn’t, and many people would probably not notice it, nor realize that it lends some credibility to the message. On the other hand, clever phishers could do that also, in cases where they have email addresses associated with full names (which would be easy with my address).

The other is that bfi0.com is registered to a legitimate email marketing company, Epsilon (that should know better than to send out crap like this), and a thorough check of the message confirms that it almost certainly did come from bfi0.com, and isn’t just claiming so. The funny URL will get you to amtrak.com’s web site, but sends you through bfi0.com to get there because they’re counting the click-throughs for marketing purposes (maybe just for tracking, but it’s likely they’re getting paid more for more clicks).

So what should they have done? I’m glad you asked:

  1. Set up DKIM, send the message out as amtrak.com (not as amtrak.bfi0.com), and make sure that the DKIM signature is verifiable.
  2. Make sure all the links in the message clearly go directly to amtrak.com.
  3. Do not encourage users to click a link in the message to log in anyway. Tell them in plain text to “go to amtrak.com” and log in there. Tell them that it’s safer if they do it that way, because it’s less likely to put their account information at risk.
  4. Be less vague about what’s happening. Part of what makes the message suspicious is the vagueness: we’re changing something, but we’re not giving you any details.

I know that 2 and 3 are not what Epsilon and other marketers want to hear. Without being able to track click-throughs, they have a real problem in knowing how successful their campaigns are, and they can’t use that as a way to write their contract terms. That’s too bad, but, well, that’s just too bad. We just have to stop asking or expecting users to click on links in their email, especially funny-looking ones.
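The checks from the two lists above (sender domain, DKIM signing domain, link destinations) can be run mechanically over a message. This is an added example, not code from the original post, and it only checks DKIM `d=` alignment without verifying the signature. Assumptions: both sample messages, the `news@amtrak.com` address, the tracking token and the signature values are constructed, and `org_domain` is a two-label simplification where real code would consult the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

BRAND = "amtrak.com"  # the domain the recipient expects, per the post

def org_domain(host):
    # Simplification (assumption): last two labels; real code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def audit(raw, brand=BRAND):
    """List findings for one message: From domain, DKIM d= alignment, link targets."""
    msg = message_from_string(raw)
    findings = []
    from_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if org_domain(from_host) != brand:
        findings.append(f"From domain {from_host} is not under {brand}")
    sig = msg.get("DKIM-Signature")
    d = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig) if sig else None
    if d is None:
        findings.append("no DKIM-Signature header")
    elif org_domain(d.group(1)) != org_domain(from_host):
        findings.append(f"DKIM d={d.group(1)} not aligned with From domain")
    for url in re.findall(r'href="([^"]+)"', msg.get_payload()):
        host = urlsplit(url).hostname or ""
        if org_domain(host) != brand:
            findings.append(f"link leaves {brand}: {host}")
    return findings

# Constructed samples, not the real message; token and signature are placeholders.
AS_SENT = """From: Amtrak <amtrak@amtrak.bfi0.com>
Subject: Changes are coming
Content-Type: text/html

<a href="http://www.amtrak.com/">Amtrak</a>
<a href="http://amtrak.bfi0.com/EXAMPLE-TRACKING-TOKEN">Go to Amtrak.com Now and Update Your Profile</a>
"""
AS_RECOMMENDED = """From: Amtrak <news@amtrak.com>
DKIM-Signature: v=1; a=rsa-sha256; d=amtrak.com; s=example; bh=PLACEHOLDER; b=PLACEHOLDER
Subject: Changes are coming
Content-Type: text/html

<a href="https://www.amtrak.com/">Amtrak</a>
"""

if __name__ == "__main__":
    for name, raw in (("as sent", AS_SENT), ("as recommended", AS_RECOMMENDED)):
        print(name, audit(raw) or "no findings")
```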

It’s garbage like this that keeps the phishers in business, by teaching people to be careless. Amtrak — and Epsilon — should be ashamed.

[1] Side issue: I actually hate the practice of using my email address as my login identity. It means that it’s harder for me to use domain-specific login identities, and strongly pushes me to use the same identity everywhere. It’s easy to see why the web sites like it, of course: it makes it easier for people to create accounts because they already have a unique name to use, and it reduces support questions about forgotten login identities — the web sites just tell you to enter your email address.

One problem with it, even for people who would prefer to use the same identity everywhere, is that there’s a strong tendency, because you’re using your email address, to use your email password too. That exposes your email, of course. It also means that you’re likely to have the same identity and password for multiple web sites, so someone who snatches your Amtrak information, say, can go start trying it on other sites, like airlines, stores, banks, PayPal....


Benny said...

Another clue that it's real: it doesn't contain any spelling mistakes ;)

Julietta said...

So, since my email password is ONLY for email, whereas other passwords are different, I'm "safe"?

Barry Leiba said...

Yes... safer. Ideally, one should use different passwords for everything, but that'd drive us all crazy (and for some, it's a short drive). Short of that, it's best at least to separate the exposure -- use different passwords for things of different consequence, and definitely use different passwords for each financial institution.

The risk is that if your login ID and password combination is compromised, the thief can go around trying it at various web sites. The fewer sites that that combination works on, the better for containing the exposure.

Kevin Dezfulian said...

I am irritated by email usernames because they are too long.
I still use unique email aliases for all my accounts so I can turn them off or notice when they have sold my name.

For example, if you required me to sign up for an account I would probably use barry at clevinger.fastmail.fm.

Several months ago I started getting spammed by aps at clevinger.fastmail.fm and turns out somebody broke into their system and stole the addresses.

Anonymous said...

I call shenanigans and proclaim that this email is totally and completely bogus!!

A major clue that this is a phishing scam is the fact that at the bottom of the email/letter it gives Amtrak's Marketing Department address as:

10 G Street NE, Washington, D.C. 20002
First, this is not Amtrak's address in Washington, D.C. According to Google, 10 G St. NW is a virtual office service called DC Business Centers; there are NO Amtrak offices at this address.

The real address for any correspondence from Amtrak would either come from:

60 Massachusetts Avenue NE
Washington, D.C. 20002
This is Amtrak's main headquarters.

or from

30th Street Station
2955 Market Street
Philadelphia, PA 19104
Amtrak's 30th Street Station does house some of the marketing and operational departments, and there have been occasions where correspondence does have this address listed.

My suggestion is if you get this type of email address just delete it without even reading it.