On 13 Feb I received email from “Amtrak <firstname.lastname@example.org>”. See the image below. In short, the email tells me that “changes are coming”, and that “Prior to this update, we ask that you log in to verify the accuracy of the information in your account.” There are several web links in the message that point to Amtrak web sites, but the key one, the one that says “Go to Amtrak.com Now and Update Your Profile”, links to “http://amtrak.bfi0.com/W0RH01300F84...redacted...30”.
Now... as best I can tell (no, I did not click on the link), this actually is legitimate. I made an Amtrak reservation last week, about two weeks after having received that message, and they have changed the way I have to log in (using my email address, rather than the user name I’d created before). But the email message used Epsilon’s email service (bfi0.com), which they’ve apparently contracted to do their mailings, and the key link points back to Epsilon, not to Amtrak.
If this was, indeed, a legitimate mailing, I have something to say to Amtrak about it: You made a big mistake by contracting your mailings to that company. This email message looks exactly like a phishing message that’s trying to steal my login and password information. Don’t you know, as most of the rest of the world does by now, not to send out messages like that?
More specifically, here’s what makes it look like phishing:
1. The message claims to be from Amtrak, but does not use an amtrak.com address.
2. The premise of the message is the same as in many phishing messages: we’re changing our system, and we need you to log in and “verify” your information. It couldn’t match better if a phisher had written it.
3. All of the links that don’t matter are the real ones, but the operative link, the one you’re meant to click on, points to something else, something that’s not amtrak.com.
4. Making number 3 worse, the funny URL has a lot of random-looking junk in it.
5. It uses one of those suspiciously folksy signatures, “The Amtrak E-commerce Team”. As I said, it looks like a phisher actually wrote it.
And the clues that it’s real? There are two. One is that it calls me “Barry”, which a phisher probably would not. Amtrak could have made a point of that in the message, but didn’t, and many people would probably not notice it, nor realize that it lends the message some credibility. On the other hand, clever phishers could do that too, in cases where they have email addresses associated with full names (which would be easy with my address).
The other is that bfi0.com is registered to a legitimate email marketing company, Epsilon (that should know better than to send out crap like this), and a thorough check of the message confirms that it almost certainly did come from bfi0.com, and isn’t just claiming so. The funny URL will get you to amtrak.com’s web site, but sends you through bfi0.com to get there because they’re counting the click-throughs for marketing purposes (maybe just for tracking, but it’s likely they’re getting paid more for more clicks).
So what should they have done? I’m glad you asked:
1. Set up DKIM, sign and send the message as amtrak.com (not as amtrak.bfi0.com), and make sure that the DKIM signature verifies.
2. Make sure all the links in the message clearly go directly to amtrak.com.
3. Do not encourage users to click a link in the message to log in at all. Tell them in plain text to “go to amtrak.com” and log in there. Tell them that it’s safer if they do it that way, because it’s less likely to put their account information at risk.
4. Be less vague about what’s happening. Part of what makes the message suspicious is the vagueness: we’re changing something, but we’re not giving you any details.
I know that 2 and 3 are not what Epsilon and other marketers want to hear. Without being able to track click-throughs, they have a real problem in knowing how successful their campaigns are, and they can’t use that as a way to write their contract terms. That’s too bad, but, well, that’s just too bad. We just have to stop asking or expecting users to click on links in their email, especially funny-looking ones.
It’s garbage like this that keeps the phishers in business, by teaching people to be careless. Amtrak — and Epsilon — should be ashamed.
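As an added example (not code from this post, and not anything Amtrak or Epsilon runs), here is a small Python checker that scores a raw message against the five indicators listed above and the first two things Amtrak should have done: From-domain alignment, DKIM d= alignment, whether the link you are told to click leaves the brand’s domain while the decoy links stay on it, a random-looking token in that link, the “log in and verify your information” premise, and the generic “The Something Team” signature. The two messages at the bottom are constructed samples modelled on the description above; the addresses, URL path and DKIM tags are made up. The DKIM check tests only that the d= domain is aligned with the brand, it does not cryptographically verify the signature (that needs the selector’s public key from DNS), and the registrable-domain helper assumes no multi-label public suffixes such as co.uk.

```python
import math
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

ACTION_WORDS = re.compile(r"\b(log ?in|sign ?in|update|verify|go to)\b", re.I)  # the link you are meant to click
VERIFY_PREMISE = re.compile(r"\bverify\b.{0,60}\b(account|information)\b", re.I | re.S)  # indicator 2
TEAM_SIGNATURE = re.compile(r"\bThe(?: [\w-]+)+ Team\b")  # indicator 5


class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name (assumption: no multi-label suffixes like co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def looks_random(url):
    """Indicator 4: a long, high-entropy token mixing letters and digits in the URL path."""
    for tok in re.findall(r"[A-Za-z0-9]+", urlparse(url).path):
        n = len(tok)
        bits = -sum(tok.count(c) / n * math.log2(tok.count(c) / n) for c in set(tok))
        if n >= 16 and bits >= 3.5 and re.search(r"\d", tok) and re.search(r"[A-Za-z]", tok):
            return True
    return False


def dkim_signing_domain(msg):
    """d= tag of the DKIM-Signature header, or ''. Alignment only; the signature is not verified."""
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", str(msg.get("DKIM-Signature", "")))
    return m.group(1).lower() if m else ""


def analyze(raw, brand):
    """Return the indicator codes that fire for a raw message claiming to come from `brand`."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    ex = LinkExtractor()
    ex.feed(html)

    def offsite(url):  # does the link leave the brand's registrable domain?
        return registrable_domain(urlparse(url).hostname or "") != brand

    sender = re.search(r"@([\w.-]+)", str(msg["From"] or ""))
    findings = []
    if registrable_domain(sender.group(1) if sender else "") != brand:
        findings.append("from-offbrand")                 # indicator 1
    if registrable_domain(dkim_signing_domain(msg)) != brand:
        findings.append("dkim-unaligned")                # recommendation 1
    if VERIFY_PREMISE.search(html):
        findings.append("verify-premise")                # indicator 2
    action = [h for h, t in ex.links if ACTION_WORDS.search(t)]
    decoys = [h for h, t in ex.links if not ACTION_WORDS.search(t)]
    if any(offsite(h) for h in action):                  # indicator 3 / recommendation 2
        real_decoys = bool(decoys) and not any(offsite(h) for h in decoys)
        findings.append("cta-offbrand-decoys-real" if real_decoys else "cta-offbrand")
    if any(looks_random(h) for h in action):
        findings.append("cta-random-token")              # indicator 4
    if TEAM_SIGNATURE.search(html):
        findings.append("generic-team-signature")        # indicator 5
    return findings


# Constructed sample modelled on the message described in the post (addresses, path and DKIM tags made up).
SUSPECT = """\
From: Amtrak <amtrak@amtrak.bfi0.com>
DKIM-Signature: v=1; a=rsa-sha256; d=bfi0.com; s=s1; h=from:subject; bh=AAAA; b=BBBB
Content-Type: text/html; charset="utf-8"

<p>Dear Barry, changes are coming. Prior to this update, we ask that you log in to
verify the accuracy of the information in your account.</p>
<p><a href="http://amtrak.bfi0.com/W0RH01300F84Q7ZK9XPL2MNB5VC3">Go to
Amtrak.com Now and Update Your Profile</a></p>
<p><a href="http://www.amtrak.com/privacy">Privacy Policy</a></p>
<p>The Amtrak E-commerce Team</p>
"""

# Constructed sample of how the same notice could have been sent instead.
FIXED = """\
From: Amtrak <noreply@amtrak.com>
DKIM-Signature: v=1; a=rsa-sha256; d=amtrak.com; s=s1; h=from:subject; bh=AAAA; b=BBBB
Content-Type: text/html; charset="utf-8"

<p>Dear Barry, on 1 March your e-mail address will replace your user name when you
log in to Amtrak.com. No action is needed. To review your profile, type amtrak.com
into your browser and log in there; we will never ask you to log in through a link in e-mail.</p>
<p><a href="http://www.amtrak.com/privacy">Privacy Policy</a></p>
<p>Amtrak Customer Service</p>
"""
```

Running `analyze(SUSPECT, "amtrak.com")` reports all six codes, while `analyze(FIXED, "amtrak.com")` reports none, which is the whole point of items 1 and 2 in the list above: a DKIM signature under amtrak.com and links that go straight to amtrak.com leave a recipient (or a mail filter) nothing to be suspicious about. Anyone extending this for real mail should swap the two-label `registrable_domain` for a public-suffix-list lookup and add an actual DKIM verification step.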
Side issue: I actually hate the practice of using my email address as my login identity. It means that it’s harder for me to use domain-specific login identities, and strongly pushes me to use the same identity everywhere. It’s easy to see why the web sites like it, of course: it makes it easier for people to create accounts because they already have a unique name to use, and it reduces support questions about forgotten login identities — the web sites just tell you to enter your email address.
One problem with it, even for people who would prefer to use the same identity everywhere, is that there’s a strong tendency, because you’re using your email address, to use your email password too. That exposes your email, of course. It also means that you’re likely to have the same identity and password for multiple web sites, so someone who snatches your Amtrak information, say, can go start trying it on other sites, like airlines, stores, banks, PayPal....