Today I received an e-mail message from Comcast extolling the value of a (new?) service that will PROTECT ME™ from the INTERNET® and all its evil.  I’ve included this little gem of a PR masterpiece below.  Now don’t get me wrong, the threats presented by malware in general – botnets, phishing, scareware, credential thieves, etc, etc – are very real, and deserve attention.  I even timidly applaud their efforts to alert customers that have been infected.  (Though I think they should be far more aggressive – anyone with a compromised system should be blocked from accessing any part of the Internet not directly helping to correct the victim’s verminous state.)

Regardless, I don’t want to dog their overall program, just the PR hack that signed off on the announcement e-mail.  Specifically let’s look at the problems with the passage below (emphasis mine):

Don’t be fooled by faked virus alerts, along with the Comcast Service Notice, we will also send a Bot Notification email alert to your Comcast primary email address. This alert will be marked with the Comcast brand below (see below). The brand symbol indicates the email is “verified” to be safe by Comcast.

So, let me get this straight.  As long as I see the “Comcast brand symbol”, everything is legit?! Whoa there – how did techniques like phishing get to be so successful if all we had to do was look for a little symbol of some kind?  (There is no indication in the e-mail of what this “brand symbol” is, though.  Maybe they’ll send another e-mail to tell me – can’t wait.)

The bottom line is that phishers are quite good at the absurdly simple task of making e-mail look real.  Adding a “brand symbol” is so trivial to copy that it’s useless as a basis for deeming a message “verified” or not.  In fact, the only thing that would help phishers exploit Comcast’s own procedures against their customers would be an example of what the “verified” notification looks like… <cue dramatic music>

Comcast provides a helpful template for would-be phishers to compromise their customers.

So… I checked out the links they so helpfully embedded in the e-mail (after confirming they weren’t going to send me somewhere I didn’t want to go, of course).  Comcast helpfully provides an example e-mail that every Tom, Dick, and Scammer can use as a template to craft a credible – nay “VERIFIED” – phish to entice Comcast customers into clicking links that do anything the scammer wants. Clutch!

The bottom line is that despite Comcast’s apparent efforts to advise infected customers about their compromised state, the methods used to accomplish said advisement fail out of the gate.

Comcast: Here’s some free advice.  Get more aggressive and forcibly block your infected customers from further muddying the Internet.  Use better tools than “brand symbols” to authenticate security communications.  If you’re not sure how to do that, we’re going to quickly move past the “free advice” category.
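The complaint above is that a marker in the message body can be copied by anyone, so it can never authenticate the sender; what can is the authentication the receiving mail server already records. As an added example (not from the original post, and not Comcast’s procedure), the Python below contrasts the body-marker heuristic with requiring a DKIM pass stamped by your own receiving mail server in its Authentication-Results header, with the signing domain aligned to the From domain. The server name mx.example.net, the sample messages and the “[Comcast brand symbol]” placeholder are all constructed for the demonstration.

```python
import email
import email.utils
from email import policy

# Constructed assumptions: the authserv-id our own MTA writes into Authentication-Results,
# the domain genuine notices come from, and a text stand-in for the brand logo in the body.
OUR_AUTHSERV_ID = "mx.example.net"
SENDER_DOMAIN = "comcast.net"
BRAND_MARKER = "[Comcast brand symbol]"

def brand_symbol_check(msg):
    """The heuristic the announcement relies on: is the marker somewhere in the body?"""
    body = msg.get_body(preferencelist=("plain", "html"))
    return BRAND_MARKER in (body.get_content() if body else "")

def parse_auth_results(msg):
    """Yield (authserv_id, method, result, props) from each Authentication-Results header."""
    for hdr in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in str(hdr).split(";") if p.strip()]
        authserv_id = parts[0].split()[0] if parts else ""   # first clause names the stamping server
        for clause in parts[1:]:                               # later clauses: method=result prop=value ...
            tokens = clause.split()
            method, _, result = tokens[0].partition("=")
            props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            yield authserv_id, method.lower(), result.lower(), props

def authenticated_sender_check(msg):
    """Accept only a DKIM pass stamped by our MTA whose signing domain aligns with From."""
    from_domain = email.utils.parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    if from_domain != SENDER_DOMAIN:
        return False
    for authserv_id, method, result, props in parse_auth_results(msg):
        if authserv_id != OUR_AUTHSERV_ID:
            continue  # not written by us: the header could have arrived with the message
        signing_domain = props.get("header.d", "").lower()
        if method == "dkim" and result == "pass" and (
                signing_domain == from_domain or signing_domain.endswith("." + from_domain)):
            return True
    return False

def evaluate(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    return {"brand_symbol": brand_symbol_check(msg), "authenticated": authenticated_sender_check(msg)}

# Constructed samples: identical body and From line, different authentication outcome.
GENUINE = ("Authentication-Results: mx.example.net; dkim=pass header.d=comcast.net\n"
           "From: Comcast Customer Security Assurance <security@comcast.net>\n"
           "Subject: Comcast Service Notice\n\n"
           f"{BRAND_MARKER}\nWe believe one of your computers may be infected with a Bot.\n")
LOOKALIKE = GENUINE.replace("dkim=pass header.d=comcast.net", "dkim=none")
```

Both samples pass the brand-symbol check; only the one with a DKIM pass from our own server passes the authentication check, which is the difference a mail client or filter can actually act on.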

Internet people: Don’t trust your providers to care about your safety online unless it impacts their profit model. Get smart and stay educated on the evolving threats on the Internet, and make sure you’re committed to staying reasonably safe online.  You wouldn’t drive your car on the road if the brakes didn’t work (please, oh please).  If you’re not keeping your computer safe, you might consider staying off the road until you’ve hailed a cab.

The original full Comcast e-mail is below the break, if you care to check it out.

UPDATE (May 24, 2012): So this happened…  “Comcast Users Phished by Constant Guard Spam Lure” and “Comcast Phishing Site Contains Valid TRUSTe Seal”.  How’s that useless security plan working for you, Comcast?

Dear Valued Customer,

We know that protecting your identity and using the internet safely are both very important concerns for you.

The most prevalent threat to your personal information on the internet today is a Bot! A Bot, also referred to as malicious software or malware, is used to gain control of your computer, typically without your knowledge. Online criminals can use Bots to collect your Social Security numbers, bank account information, and/or credit card numbers by monitoring your keystrokes.

Constant Guard is a service provided to you at no additional charge as part of your Comcast High Speed Internet subscription. As a new feature of the Constant Guard(TM) service, if we believe one or more of your computers may be infected with a Bot, we may present to you in your browser a Comcast Service Notice (see example below). The notice will encourage you to take immediate action by visiting https://constantguard.comcast.net for self help instructions or professional assistance.

Don’t be fooled by faked virus alerts, along with the Comcast Service Notice, we will also send a Bot Notification email alert to your Comcast primary email address. This alert will be marked with the Comcast brand below (see below). The brand symbol indicates the email is “verified” to be safe by Comcast.

Ensuring your online safety and security is our top priority. While we hope you do not encounter a BOT on your computer, we want you to rest assured that we will help you detect and remove it. For more information on the Constant Guard program, and how Comcast is protecting you online, please visit http://xfinity.comcast.net/constantguard/.

Protect your personal information with the Constant Guard Protection Suite, please go to http://xfinity.com/constantguard/Products/CGPS/.

Need to remove a Bot or malware? Visit the Constant Guard center at https://constantguard.comcast.net/.

Need the latest information and tips on security issues? Visit the Security Website at http://security.comcast.net/get-smart.

Need to contact Comcast Security? Get Help at http://security.comcast.net/get-help/contact-comcast-security.aspx

Sincerely,

Comcast Customer Security Assurance
