I’m not often impressed by the technical quality of spam but this one stood out.
I received an email from RBC this morning telling me that I had an alert on my account:
“This account has been flagged and placed on temporary hold […] This is simply for your safety, please follow the instruction below to remove hold:”
This was troubling for two reasons:
- As a small business owner, I count on my bank accounts to be active in order to keep my company running
- I don’t have an RBC account.
A Not-So-Obvious Source
No-brainer, this was obviously spam. I clicked on the link to see what the page looked like and to my surprise, I was met with a very convincing redirect screen followed by a very legitimate looking form.
I started wondering how this got through Gmail’s spam filters so convincingly so I went back and took a closer look at the email.
To my surprise, it was sent from Eventbrite.com. I took a closer look at the form’s URL and noted that it was on hubspot.net.
For those of you not familiar with these names, San Francisco-based Eventbrite is one of the largest event management and ticketing websites in the world, while HubSpot is a huge marketing and sales platform. These are legitimate platforms that are used by millions world-wide. They are business pillars for many SMBs and recognized as being industry leaders, each in their own right.
So why is all of this such a big deal? Spammers have basically found a new attack vector that will not be flagged by Gmail (for now). This is really clever. From a technical standpoint, Gmail’s engineers are smart enough to flag any email that comes from a throw-away domain or any email that contains a link saying one thing and linking to another.
These throw away domains are easy to pick out and are almost useless the moment they go live.
The brilliant thing here is that there is no way Gmail will ever blacklist Eventbrite or HubSpot’s principle domains. Too many people depend on these emails to go through for legitimate purposes. Too many of Gmail’s uses need these notifications about events and sales updates.
I’m sure these emails will be flagged as spam shortly but in the meantime, I’m not even mad: that’s impressive.
So, as a public service announcement, be on the lookout for these scams. Never fill out any form asking for your password unless you initiated it.