We’ve all seen those phishing e-mails, trying to steal your login information for banks, credit cards, and what-not. They all start “something bad happened, and if you don’t ‘confirm’ your identity within 72 hours, we’re going to delete your account”. So, when an e-mail with the subject “SourceForge.net passwords reset” hit my inbox the other day, I was a bit suspicious.
However, what followed did not look like your typical phishing scheme. In fact, it was a real e-mail from SourceForge.net. Here’s the main part of the e-mail, along with my thoughts on what they did “right”. (As well as what they could have done “better”.)
> Hello,
>
> We recently experienced a directed attack on SourceForge infrastructure (http://sourceforge.net/blog/sourceforge-net-attack/) and so we are resetting all passwords in the sf.net database -- just in case. We're e-mailing all sf.net registered account holders to let you know about this change to your account.
So far, it’s not much different than all those phishing e-mails we’ve seen. (Well, except for the use of proper English grammar and spelling, that is.) But, it continues…
> Our investigation uncovered evidence of password sniffing attempts. We have no evidence to suggest that your password has been compromised. But, what we definitely don't want is to find out in 2 months that passwords were compromised and we didn't take action.
>
> So, as a proactive measure we've invalidated your SourceForge.net account password. To access the site again, you'll need to go through the email recovery process and choose a shiny new password:
>
> https://sourceforge.net/account/registration/recover.php
>
> If you need help with this, feel free to e-mail us: firstname.lastname@example.org
>
> We appreciate your patience with us as we work to respond to this attack. We'll be working through the weekend to get things back to normal as quickly as possible. Watch for updates on the service outages on our blog: http://sourceforge.net/blog/
>
> Thank you,
> The SourceForge Team
So, what did they do “right” that made it stand out as real, and not likely to be a scam?
- Most phishing scams are written by someone whose native language is apparently not English. This e-mail is well written.
- The e-mail is plain text. There is no HTML (and all the possibilities of malware that go with it) in sight.
- They do not ask for any information in the e-mail.
- There is no “you must do this within 72 hours or your account will be permanently deleted” sense of urgency that scammers love to use. (The rush of “you must do it now, or else” causes many people to forget about any precautions they would normally use.)
- If you go to the SourceForge.net website and click “log in”, there is a highlighted box on the page that says:
  > If you haven’t yet, you need to reset your password due to the global password change event that occurred on 2011-01-28.
- Clicking the link in the e-mail (which, being plain text, can’t hide the “real” website name the way HTML can) takes you to a page that, once again, doesn’t ask for any “confirm your identity” information. Rather, it’s just like clicking the “I forgot my password” link on many login pages: it simply asks for your e-mail address and sends you an e-mail with a special “reset my password” link that only you can use. Only someone with access to your e-mail can complete the password reset.
Now, here are a few things I think they could have done better.
- The message starts simply “Hello”, with no reference to my name. Now, to be fair, the only place you give SourceForge your “real name” is in your account settings under “publicly displayed name”. Nothing requires that you give your real name, nor any other name for that matter. However, even if you used a handle or nickname, this information could have been included in the greeting.
- They included a link to a page on the website which is not the site’s main page, without giving any alternate way of doing the reset. (i.e., go to the SourceForge.net main page and click “log in”; from there, click the “reset password” link.)
- The e-mail address given to contact for more information is not a SourceForge.net address.
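For contrast with how a phishing page works, here is how the e-mail-only reset that the message points to can be built so that only the mailbox owner can use it: the site asks for nothing but an address, mails a random one-time token, stores only the token’s hash, and lets it expire. This is an added illustration, not SourceForge’s code: it uses an in-memory `ResetService` with constructed account data, a hypothetical recover URL on `example.invalid`, and an assumed 30-minute token lifetime.

```python
"""One-time, expiring, e-mail-delivered password reset, including the
"invalidate every password" step the post describes. Added example with
in-memory storage standing in for a database."""
import hashlib
import secrets
import time

TOKEN_TTL = 30 * 60        # seconds a reset link stays valid (assumed policy)
PBKDF2_ROUNDS = 200_000    # password hashing cost (assumed)


def _digest(token):
    # Store only a hash of the token so a leaked table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


def hash_password(password, salt=None):
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, dk


class ResetService:
    def __init__(self, now=time.time):
        self.accounts = {}   # email -> {"salt", "hash", "locked"}
        self.tokens = {}     # sha256(token) -> {"email", "expires", "used"}
        self.outbox = []     # constructed stand-in for an outgoing mail queue
        self.now = now       # injectable clock so expiry can be tested

    def register(self, email, password):
        salt, dk = hash_password(password)
        self.accounts[email] = {"salt": salt, "hash": dk, "locked": False}

    def login(self, email, password):
        acct = self.accounts.get(email)
        if acct is None or acct["locked"]:
            return False
        _, dk = hash_password(password, acct["salt"])
        return secrets.compare_digest(dk, acct["hash"])

    def invalidate_all_passwords(self):
        # The "global password change event": every existing password stops working.
        for acct in self.accounts.values():
            acct["locked"] = True

    def request_reset(self, email):
        # Asks only for an address and answers identically whether or not it exists.
        if email in self.accounts:
            token = secrets.token_urlsafe(32)          # 256 bits of randomness
            self.tokens[_digest(token)] = {
                "email": email, "expires": self.now() + TOKEN_TTL, "used": False}
            # Hypothetical reset URL; the raw token travels only to the mailbox.
            self.outbox.append((email, "https://example.invalid/recover?token=" + token))
        return "If that address is registered, a reset link has been sent."

    def redeem(self, token, new_password):
        rec = self.tokens.get(_digest(token))
        if rec is None or rec["used"] or self.now() > rec["expires"]:
            return False
        rec["used"] = True   # single use: a replayed link does nothing
        acct = self.accounts[rec["email"]]
        acct["salt"], acct["hash"] = hash_password(new_password)
        acct["locked"] = False
        return True


def demo(advance_clock=0):
    """Walk the flow; advance_clock seconds pass between mailing and redeeming."""
    clock = [1_000_000.0]
    svc = ResetService(now=lambda: clock[0])
    svc.register("dev@example.invalid", "old-pass")         # constructed account
    svc.invalidate_all_passwords()
    old_ok = svc.login("dev@example.invalid", "old-pass")     # False: locked
    svc.request_reset("dev@example.invalid")
    svc.request_reset("nobody@example.invalid")              # no mail, same reply
    _, link = svc.outbox[0]
    token = link.split("token=", 1)[1]
    clock[0] += advance_clock
    first = svc.redeem(token, "new-pass")
    second = svc.redeem(token, "other-pass")                  # replay attempt
    new_ok = svc.login("dev@example.invalid", "new-pass")
    return old_ok, len(svc.outbox), first, second, new_ok


if __name__ == "__main__":
    print(demo())                   # (False, 1, True, False, True)
    print(demo(TOKEN_TTL + 1))      # (False, 1, False, False, False): link expired
```

Three properties carry the security argument the post makes: the request page collects nothing but an address (and does not reveal whether it is registered), the only secret is a random token that exists in the clear solely in the recipient’s mailbox, and a token that is used, replayed, or stale is refused. The clock is injected so the expiry path can be exercised without waiting.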
However, overall, they did a very good job of communicating the important information to their users, all the while standing out from the crowd of phishing scams. Kudos to SourceForge.net for the way they handled this.