Dangerous IBM marketing emails make me WannaCry

Misspellings, suspicious hyperlinks, abnormal sender address, no attempt at personalisation. The classic signs of a phishing email? Or a botched marketing email from IBM promoting — wait for it — a cyber security webinar?

Updated 24 May 2017 with comment from IBM press office.

One week ago, the WannaCry ransomware outbreak made headline news, with organisations around the world infected by the virulent file-scrambling malware.

While little is known about its origins, we do know that it relies on a leaked NSA exploit in Microsoft’s SMB protocol in order to propagate between outdated and unpatched Windows PCs. Indeed, the hunt continues for a ‘patient zero’, the first machine infected by the malware that might yield clues to its provenance and how it took hold.

Now, we all recognise that one of the most common ways for malware to enter an organisation is by email, either as an attachment or a link to a website hosting malicious code. Hackers will often compose phishing campaigns off the back of high-profile news stories, capitalising on public awareness and fear.

Only yesterday, ActionFraud — the National Fraud & Cyber Crime Reporting Centre — released an advisory on fake emails purporting to be from BT that have been jumping on the coat-tails of the WannaCry attack.

Cybersecurity experts will tell us that the spelling mistakes, suspect sender address, generic introductions and hyperlinks to a dodgy-looking domain are all key tells that this supposed BT email is in fact an attempt to ensnare less-savvy citizens.

A phishing email purporting to be from BT.

So, surely a genuine marketing mailshot from a respected IT security solutions vendor would go to lengths to ensure it didn’t exhibit exactly the same failings as a fraudulent phishing email? Particularly if it were part of a vendor’s campaign advising on how to stay safe following a major malware outbreak?

Hello Irony

Our inbox has been creaking at the seams since the WannaCry outbreak as cybersecurity vendors and experts jostle for position to add their insight. Among the usual analyst quotes and researcher comments appeared this email purporting to be from IBM.

Let’s go through our phishing email bingo card once again:

Marketing mail purporting to be from IBM.

  • Poor spelling – ‘ransomeware’, anyone?
  • Suspect sender address – not sent from an ibm.com email address
  • Generic introduction – no name to reassure the sender knows any more than my email address
  • Hyperlinks to a domain that doesn’t match the sender – none of the links goes to an ibm.com URL; even the social media connections get directed to a domain that certainly doesn’t suggest IBM

That’s a full-house. In fact, there’s really very little here to convince me this email is anything but a phishing attempt.

So, how certain are we that this email is genuine? Well, aside from the fact that its social media channels were also advertising the webinar, the domain to which the hyperlinks direct – unicaondemand.com – is in fact owned by IBM. However, we only discovered this by resorting to a whois lookup – visiting the domain in a browser bounced back a 504 error. None of this is conclusive, of course.

Marketing Email Manifesto

Now, without wishing to lay too hard into IBM, it is far from alone here. While the irony is sharp in this particular case, it’s our experience that countless other firms compose their marketing materials with little care about the reader’s safety. Email is insecure, but there are things marketeers can do to make it less so.

Inspect-a-Gadget would like to see:

  • Clean links: use hyperlinks that direct to the domain of the sender or an obvious target (eg twitter.com) and not to some obscure click-tracking middle-man. Readers’ safety is more important than your analytics. If you must track, track from within your domain
  • Simple URLs: Provide a simple URL within that domain that readers can visit for themselves without clicking through (eg www.example.com/security/16-may-webinar)
  • Personalisation: use our actual names to prove you’ve not blindly copied our email from a hit list.
  • Spell checking: seriously

Without these as a minimum, companies are doing themselves no favours and ultimately putting recipients at risk. I’m sure there are other tips companies should adopt too, and we’d love to hear them below.

We reached out to IBM for some insight, including its original email for reference. Three times. The first time, the email to [email protected] (as directed in the mailshot) bounced reporting an unknown user. A follow-up went to the UK comms team, and then another. Silence so far.

Perhaps IBM’s anti-spam filters are blocking its own phishy-looking emails…

Update: IBM’s press office responded with the following:

We are aware of this particular email which was sent to people registered to receive information from IBM. Thousands of participants ultimately attended the webinar on a very timely subject. We are exploring ways to assure future IBM emails are even easier to verify by adding a clear sender. We recommend those registered to receive emails from IBM add the email address used to send IBM marketing materials to their address book.