Infosec Experts Buy Marriott-Related Sites to Prevent Criminal Spoofing
Not all heroes wear capes.
The fallout from the massive Marriott data breach continues.
Lawmakers say the breach as evidence for why the U.S. should crack down on companies that don't secure data and the notification emails sent to customers also had issues.
Namely, the notifications' sender domain name “email-marriott.com” didn't immediately indicate it was from Marriott because it the domain name didn't load and didn't have an HTTPS certificate to identify it, according to TechCrunch. This possibly confused the recipients about whether to take the email notification seriously.
Even worse, this means that spoofing this email in order to direct unsuspecting victims to turn over their private information (again) would be incredibly easy.
Seeing this potential trap, security experts have stepped up to help people. Jake Williams of Rendition Infosec registered a domain one letter away, “email-marriot.com," to stop anyone else from doing so and to warn people to be careful.
“After the Equifax breach, it was obvious this would be an issue, so registering the domains was just a responsible move to keep them out of the hands of criminals," Williams told TechCrunch.
Nick Carr, a security research at FireEye, had similar motives when he registered, “email-mariott.com," and included the warning, "please watch where you click."
Another security expert, Troy Hunt, founder of Have I Been Pwned, drew attention to these domain name issues from his Twitter account:
Here’s the Starwood / Marriott disclosure now being emailed to people. It’s extensive, but there’s also some subtle ironies in there... pic.twitter.com/XZhR2fQn5z
— Troy Hunt (@troyhunt) December 1, 2018