To phish, or not to phish?

I recently had email telling me my password for $company VPN is due to expire, and directing me to a URL to update it.

Legitimate or phishing?  Let’s examine it.

It follows the exact form of similar legitimate emails I’ve had before.  Password expires in 14 days.  Daily updates decrementing the day count until I change it.  So far so good.

However, it’s directing me to an unfamiliar URL: https://$company.okta.com/.   Big red flag!  But $company outsources a range of admin functions in this manner, so it’s entirely plausible.

It appears to come from a legitimate source.  But since all $company email is outsourced to gmail, the information I can glean from the headers is limited.  How much trust can I place in gmail’s SPF telling me the sender is valid?

A look on $company’s intranet fails to find anything relevant (though in the absence of a search function I probably wouldn’t find it anyway without a truly gruelling trawl).  OK, let’s google for evidence of a legitimate connection between $company and okta.com.  I’ve resolved similar problems to my own satisfaction that way before both for $company and other such situations (e.g. here or here), but the hurdle for a $company-VPN password – even one I’m about to change – has to be high.

Googling finds me only inconclusive evidence.  There’s a linkedin page for $company’s sysop, only it turns out he’s moved on and the linkedin page is just listing both $company and okta skills in his CV.  There’s a PDF at $company’s website with instructions for setting up some okta product (though it’s one of those that insults you with big cuddly pictures of selecting a series of menu options without actually saying anything non-obvious).

Hmmm …

OK, maybe I can get okta.com to prove itself, with the kind of security question your bank asks when you ‘phone it.  Let’s use okta’s “Password Reset”.  I expect it’ll send a one-off token I can use to set a new password.  If legit, that’ll work; if not then the newly-minted password is worthless and I just abandon it.  But no such thing: instead of sending me such a token, it tells (emails) me:

Your Okta account is configured to use the same password you currently use for logging in to your organization’s Windows network. Use your Windows account password to sign in to Okta. Please use the password reset function in Windows to reset your password.

Well, b***er that.  Windows account password?  Windows network?  I have no such thing, and neither does $company expect me to.  I expect $company may have a few windows boxes, but they’re certainly not the norm.  No doubt it just means the LDAP password I’m supposed to be changing, but if I know that then why should I be asking it for password reset?  Bah, Humbug!

One more thing to try before a humiliating request for help over something I should be able to deal with myself.  Somewhere in my gmail I can dig up previous password reset reminders, with a URL somewhere on $company’s own intranet.  Try that URL.  Yes, it still works, and I can reset my VPN password there.  All that investigation for … what?

Well, there’s a value to it.  Namely the acid test: does the daily password reminder stop after I’ve reset the password?  If it’s genuine then it shares information with $intranet and knows I’ve reset my password.  If it’s a phish then it knows nothing.  So now I’m getting some real evidence: if the password reminders stop then it’s genuine.

They do stop.  So I conclude it is indeed genuine.

Unless it’s so ultra-sophisticated that it’s been warned off by my having visited the site and used password reset, albeit unsuccessfully.  Waiting to try again in a few months?  Hmmm ….

Well, if $company hasn’t outsourced it then the intranet-based password reset will continue to work next time.  If it doesn’t work next time then there’s one more piece of evidence it’s genuine.

Posted on October 13, 2014, in security. Bookmark the permalink. 3 Comments.

  1. Got another password change notification yesterday, and went immediately to the old (intranet) URL to set a new password. That’s now more than 24 hours ago, and it’s several hours since today’s reminder should have arrived. So that’s beyond-reasonable-doubt verification that the original email was genuine.

  2. Why do companies work so hard to not deploy digital signatures?
    Really. I keep asking and the usual ‘reason’ is – “users don’t understand/won’t adopt it”. And that’s the answer given when asking companies that have made substantial losses because there staff were too lazy/uneducated to do the testing you did (sigh). So what is the real reason?

  1. Pingback: Outsourcing email to Google means SPF allows phishing? | Software Cooperative News

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: