If you’re trying to get a message out, or provide a service, analytics are great. They tell you what’s working and what’s not, so you can focus on what does work. Unfortunately, when it comes to email, a lot of organizations use a third-party click-tracking service, which registers which mailing the user clicked on, then redirects them to the real website.
Why do I say unfortunately?
Because it’s what phishing does: Sets up a link that looks like it goes one place, but sends you somewhere else instead. In the case of a legitimate email with a click tracker, you end up at the real site eventually. In the case of a phishing message, you end up at a fake login page that wants to capture your username & password, or a site with drive-by malware downloads. Using this technique in legit mail trains people to ignore warning signs, making them more vulnerable to the bad guys. And it makes it harder for security software to detect phishing automatically.
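As an added illustration, not part of the original post, here is a defender-side check for the link shape described above in an HTML email: visible text that names one host while the href goes to another, a destination URL carried as a query parameter (the redirector pattern), or a link host outside the sender's own domain. The domains and the sample message are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

class _Anchors(HTMLParser):  # collects (href, visible text) pairs from an HTML body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def embedded_target(url):  # first query value that is itself an absolute URL
    for values in parse_qs(urlparse(url).query).values():
        for v in values:
            if v.startswith(("http://", "https://")):
                return v
    return None

def find_redirector_links(html, sender_domain):
    # Flag anchors whose real destination differs from what the reader sees.
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        href_host = host_of(href)
        if text.startswith(("http://", "https://")) and host_of(text) != href_host:
            reasons.append("display_mismatch")   # text shows one host, href goes elsewhere
        target = embedded_target(href)
        if target:
            reasons.append("embedded_target")    # real destination rides along as a parameter
        if href_host != sender_domain and not href_host.endswith("." + sender_domain):
            reasons.append("third_party_host")   # link is not under the sender's own domain
        if reasons:
            findings.append({"href_host": href_host, "shown": text, "target": target, "reasons": reasons})
    return findings

# Constructed sample: one direct link and one link routed through a tracking redirector.
SAMPLE_HTML = ('<a href="https://comic-con.example/faq">FAQ</a>'
               '<a href="https://click.tracker.example/r?id=42&u=https%3A%2F%2Freg.comic-con.example%2Fbadge">'
               'https://reg.comic-con.example/badge</a>')
```

Run `find_redirector_links(SAMPLE_HTML, "comic-con.example")` to see that only the tracker-routed link is reported, with all three reasons.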
Now add another reason: You don’t control that click-tracking service, so it had better be reliable.
That’s what happened with Comic-Con registration today.
Getting tickets to San Diego Comic-Con used to be a breeze, but last year the system broke down repeatedly. It took them three tries, with multiple handlers, to open a registration system that didn’t melt in the first few minutes.
A few days ago, Comic-Con International sent out a message with the date and time registration would open, and a link to where the page would be when it went live. They went to a lot of trouble to make sure their servers could handle the load, as did the company handling registration. They built a “waiting room” to make sure that people trying to buy tickets would get feedback, and get into a queue, when they arrived, but could still be filtered into the registration system slowly enough not to overwhelm it.
The weak link: The click tracker.
That click-tracking service was swamped, and thousands of people clicked on that link and got a blank browser window with the “loading” icon.
To make matters worse, Comic-Con had not only insisted that you should use the link from the email, but they had made a big point about how you shouldn’t refresh your browser, or try reloading the page in another browser or tab, or you’d get sent to the back of the line. After last year’s fiasco, and the last few years of “Hoteloween” with the same sort of problems dogging hotel reservations, people were used to pages loading slowly, and CCI had trained them to let that blank page sit there, loading.
After 15-20 minutes, SDCC realized that the tracker was broken and sent out bulletins on Facebook and Twitter suggesting that people copy and paste the URL, or type it in manually. But by then, the damage had been done, and a lot of users who would have gotten in line at 8:00 got in line at 8:15 or 8:20 instead, and ended up so far back in line that the convention sold out before they made it to the front.
This all could have been avoided if the bulletin had linked directly to the target website instead of to that redirector.
So, email campaigners: remember this cautionary tale and do your own click-tracking.
(For the record: I was able to get through and got the days I wanted. But only because I copied and pasted that URL instead of clicking on it, and started at position #3948 about 30 seconds after registration opened. To be honest, I probably benefited from the fact that so many people who would have been in competition with me those first 30 seconds ended up getting in line after me, but it was still a bad move on SDCC’s part.)