Spear Phishing Email
I received an email this morning that looks like a genuine email from Linode with the title "Your payment has been declined."
I was suspicious only because it came to an email other than the one I use with Linode and because I could see no reason why there would have been a problem with my payment. On checking, my account is paid up.
The email is very well put together, obfuscating its true sender and the true destination of the link in the email.
Examination of the headers shows it comes from firstname.lastname@example.org
The link in the email is to a sub-domain app.login.linode.com.login.return of ausbildung-altenpflege-berlin.de disguised to look legitimate.
We received the same. I opened a support ticket and Linode confirmed that they are aware and are investigating:
"…We're actively working to stop these emails from being sent by this unauthorized 3rd party. At this time, we cannot be sure of how the people responsible for the message received your contact information…"
My website hosted on Linode has several email addresses listed on the "contact us" page. All of these addresses received the phishing email. Linode itself has no knowledge of many of these email addresses.
So my assumption is that they have scanned sites in Linode's IP range, scraped all email addresses from the sites and sent the phishing email out to all addresses found.
Recently, some of our customers have reported receiving emails requesting that they update their payment information. We can confirm that these emails are Phishing Spam and would encourage you to ignore the email to prevent any sensitive information from being shared.
This correspondence did not originate from Linode, nor did Linode authorize its creation or distribution.
You may want to explore ways of securing your email address by contacting your email or Internet services provider. We also recommend that, if you have a Linode account, you consider enabling 2FA for an additional layer of security.
Once again, thanks very much for bringing this matter to our attention.
Please enable a strong DMARC policy on linode.com. You're currently set to p=none. p=reject would have meant that these messages would not have gotten through any DMARC-compliant server. For example, Gmail would have rejected the message that I received outright.
Sure, they could have further obfuscated the From: address, but the point is that it wouldn't have actually been permitted to be sent From: @linode.com.
We appreciate the recommendation on platform security, which we take very seriously and are open to feedback on.
You're right, a p=reject policy would go a long way here. We want to get to that point. We do currently have DMARC policies in place and aggregate forensic reports are automatically issued.
Taking the steps that you recommended to configure further restrictions has some crucial impacts for email delivery that would affect our most important processes: supporting customers by email, communicating with those in our hiring pipeline, and other critical company functions.
Accordingly, we'd need to ensure that changes to our DMARC policies work with these functions before they could be implemented.
Received another identical phishing email today (2nd one in a few weeks) …
From: Linode Support email@example.com
Received-Spf: pass (in2k.electric.net: domain of box-sales.com designates 184.108.40.206 as permitted sender) client-ip=220.127.116.11; firstname.lastname@example.org; helo=box-sales.com;
Is there somewhere we should submit the headers to assist in shutting it down?
@Ttaylor, I understand what's involved with DMARC configuration, I'm in the midst of a multi-year-long project to enable it for my employer's domains. I'm not trying to diminish the effort involved on your side at all.
At the same time, I've received two targeted phishing emails "from" @linode.com, which is kind of amazing. I hope a p=reject policy is prioritized.
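The thread turns on why a message with `Received-Spf: pass` for box-sales.com still fails DMARC for a linode.com From: address, and why p=none delivers it while p=reject would not. The following is an added example, not code from the thread or from Linode, that works through that evaluation. The From address, the 192.0.2.10 IP and the DMARC record strings are constructed, and the organizational domain is approximated as the last two labels.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: box-sales.com and the Received-Spf wording are from the thread;
# the From address and the 192.0.2.10 documentation IP are placeholders.
SAMPLE = (
    "Received-Spf: pass (in2k.electric.net: domain of box-sales.com designates "
    "192.0.2.10 as permitted sender) client-ip=192.0.2.10; helo=box-sales.com;\n"
    "From: Linode Support <billing@linode.com>\n"
    "Subject: Your payment has been declined.\n\n(body)\n"
)

def org_domain(domain):
    # Assumption: last two labels; real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_dmarc(record):
    pairs = (t.split("=", 1) for t in record.split(";") if "=" in t)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}

def spf_pass_domain(msg):
    # Only trust a Received-SPF header added by your own receiving MTA.
    hdr = msg.get("Received-Spf", "")
    m = re.match(r"\s*pass\b.*?domain of (\S+) designates", hdr, re.S | re.I)
    return m.group(1).rpartition("@")[2].lower() if m else None

def aligned(auth_domain, from_domain, mode):
    if mode == "s":  # strict alignment: exact domain match
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)  # relaxed

def dmarc_disposition(raw, record, dkim_pass_domains=()):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    policy = parse_dmarc(record)
    spf_dom = spf_pass_domain(msg)
    spf_ok = spf_dom is not None and aligned(spf_dom, from_domain, policy.get("aspf", "r"))
    dkim_ok = any(aligned(d.lower(), from_domain, policy.get("adkim", "r"))
                  for d in dkim_pass_domains)
    if spf_ok or dkim_ok:
        return "pass"
    # DMARC failed: the From: domain owner's published policy decides the outcome.
    outcomes = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return outcomes.get(policy.get("p"), "deliver")

if __name__ == "__main__":
    for rec in ("v=DMARC1; p=none", "v=DMARC1; p=reject"):
        print(rec, "->", dmarc_disposition(SAMPLE, rec))
```

SPF passes here only for the envelope domain box-sales.com, which does not align with the From: domain, so the outcome depends entirely on the `p=` tag.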