Comcast Sets Customers Up as Phishing Targets

Today I received an e-mail message from Comcast extolling the value of a (new?) service that will PROTECT ME™ from the INTERNET® and all its evil.  I’ve included this little gem of a PR masterpiece below.  Now don’t get me wrong, the threats presented by malware in general – botnets, phishing, scareware, credential thieves, etc, etc – are very real, and deserve attention.  I even timidly applaud their efforts to alert customers that have been infected.  (Though I think they should be far more aggressive – anyone with a compromised system should be blocked from accessing any part of the Internet not directly helping to correct the victim’s verminous state.)

Regardless, I don’t want to dog their overall program, just the PR hack that signed off on the announcement e-mail.  Specifically let’s look at the problems with the passage below (emphasis mine):

Don’t be fooled by faked virus alerts, along with the Comcast Service Notice, we will also send a Bot Notification email alert to your Comcast primary email address. This alert will be marked with the Comcast brand below (see below). The brand symbol indicates the email is “verified” to be safe by Comcast.

So, let me get this straight.  As long as I see that the “Comcast brand symbol”, everything is legit?! Whoah there – how did techniques like phishing get to be so successful if all we had to do was look for a little symbol of some kind.  (There is no indication in the e-mail of what this “brand symbol” is, though.  Maybe they’ll send another e-mail to tell me – can’t wait.)

The bottom line is that phishers are quite good at the absurdly simple task of making e-mail look real.  Adding a “brand symbol” is so trivial that it’s exactly useless to use as a basis for deeming a message “verified” or not.  In fact, the only thing that would help phishers to exploit Comcast’s own procedures against their customers would be if there was an example of what the “verified” notification would look like… <cue dramatic music>

Comcast provides a helpful template for would-be phishers to compromise their customers.

So… I checked out the links they so helpfully embedded in the e-mail (after confirming they weren’t going to send me somewhere I didn’t want to go, of course).  Comcast helpfully provides an example e-mail that every Tom, Dick, and Scammer can use as a template to craft a credible – nay “VERIFIED” – phish to entice Comcast customers into clicking links that do anything the scammer wants. Clutch!

The bottom line is that despite Comcast’s apparent efforts to advise infected customers about their compromised state, the methods used to accomplish said advisement fail out of the gate.

Comcast: Here’s some free advice.  Get more aggressive and forcibly block your infected customers from further muddying the Internet.  Use better tools than “brand symbols” to authenticate security communications.  If you’re not sure how to do that, we’re going to quickly move past the “free advice” category.

Internet people: Don’t trust your providers to care about your safety online unless it impacts their profit model. Get smart and stay educated on the evolving threats on the Internet, and make sure you’re committed to staying reasonably safe online.  You wouldn’t drive your car on the road if the brakes didn’t work (please, oh please).  If you’re not keeping your computer safe, you might consider staying off the road until you’ve hailed a cab.

The original full Comcast e-mail is below the break, if you care to check it out.

UPDATE (May 24, 2012): So this happened…  “Comcast Users Phished by Constant Guard Spam Lure” and “Comcast Phishing Site Contains Valid TRUSTe Seal“.  How’s that useless security plan working for you, Comcast?

Dear Valued Customer,

We know that protecting your identity and using the internet safely are both very important concerns for you.

The most prevalent threat to your personal information on the internet today is a Bot! A Bot, also referred to as malicious software or malware, is used to gain control of your computer, typically without your knowledge. Online criminals can use Bots to collect your Social Security numbers, bank account information, and/or credit card numbers by monitoring your keystrokes.

Constant Guard is a service provided to you at no additional charge as part of your Comcast High Speed Internet subscription. As a new feature of the Constant Guard(TM) service, if we believe one or more of your computers may be infected with a Bot, we may present to you in your browser a Comcast Service Notice ( see example below). The notice will encourage you to take immediate action by visiting https://constantguard.comcast.net for self help instructions or professional assistance.

Don’t be fooled by faked virus alerts, along with the Comcast Service Notice, we will also send a Bot Notification email alert to your Comcast primary email address. This alert will be marked with the Comcast brand below (see below). The brand symbol indicates the email is “verified” to be safe by Comcast.

Ensuring your online safety and security is our top priority. While we hope you do not encounter a BOT on your computer, we want you to be rest assured that we will help you detect and remove it. For more information on the Constant Guard program, and how Comcast is protecting you online, please visit http://xfinity.comcast.net/constantguard/.

Protect your personal information with the Constant Guard Protection Suite, please go to http://xfinity.com/constantguard/Products/CGPS/.

Need to remove a Bot or malware? Visit the Constant Guard center at https://constantguard.comcast.net/.

Need the latest information and tipis on security issues? Visit the Security Website at http://security.comcast.net/get-smart.

Need to contact Comcast Security? Get Help at http://security.comcast.net/get-help/contact-comcast-security.aspx

Sincerely,

Comcast Customer Security Assurance

22 comments

  1. I can understand your perspective, but I still contend that – while slimy – the tactics are different. Scareware installs software to your system, this is an ISP injecting code to your pages. There are some very close parallels, and I cannot see how their activity is in any way ethical. However it is more a raw extortion tactic than a scareware one.

    In addition, since they are flagging your point of presence as a whole, even a brand new, verified “clean” PC will still receive the injected code to cause popups during web activity. If any single device behind your network were to show behavior consistent with their “warning signs”, all of your devices will display the web pop-ups.

    Perhaps the biggest problem I see in all of this is Comcast’s lack of transparency regarding what behavior caused the warning to trigger. Without meaningful data to characterize the claimed threat, addressing it is impossible.

    NOTE: I should also state that this article was originally posted before Comcast started the extortion attempts, although it seems that a good number of people are finding it due to that bad behavior.

  2. This is in reply to Phil Hagen,””Robert – While I do feel there are a lot of problems with how Comcast has taken on this task, you’re mistaken that it in any way resembles scareware tactics”” Yes it does resembles scareware tactics,I agree that my pc has not been taken hostage,but when you have a pop up that it gets on your way every time you open your web browser,or open your e-mail and you can not do much until you push it out to the side (since you can not make it go)and while it is on the side you can write or type,or view things clear,but as soon as you open another page you get that hated XFINITY popup,they won’t stop untill you buy the Norton antivirus they are promoting,even if you have your own antivirus. I always was against buying it,but my brother finally got tired and bought it,then the popup vanished,it’s been four months now without that obstructive popup,and to me and anybody who had that dirt,It does ressemble scareware tactis. Ps. we had those popups even when we tried a brand new pc, so all was a lie, there was not any bot on any of the pc as it was proved by running that norton prog.

  3. I will be looking into a class action lawsuit against Comcast. I am not a lawyer, but I can not believe that it is legal to use these scare tactics in telling people that they better sign up for premeir support to fix that problem that will cause you to be a victim of a phishing scam, identity theft or any other scary action that they describe in their definition of a bot. I just wasted an hour with comcast to find out that it was literally impossible for this to be a legitimate message. I suspected it was a scam when the “Take action” was to sign up for their premier support and they comcast rep confirmed it. If anybody wants to join in on the lawsuit, drop me an email.

  4. I own and Admin several websites and I send emails to my members once a week the email system is php and sends the emails through my browser so comcast sees this as a bot sending email.I only have 1 pc and I am the only one that uses it. Just for a giggle I scanned my pc with 2 or 3 anti-virus softwares and found nothing not even a tracking cookie! So I called comcast and the only thing they could say is they thought I had a bot and a link to have the “BOT” removed for 220.00 dollars. I refuse to be held hostage at my pc and will not pay a ransom. I changed to OPENDNS and have not had anymore “BOT ALERT” popups. It is not comcasts place to worry about maintaining my computer and I do not like theyre intrusive tactics. So if this helps someone get back theyre peice of mind then I feel I did my good deed for the day. Thank you for your time and have a great day!
    Daniel Moore

  5. I can tell you how to get rid of the popup in your browser. Do a google search for OPENDNS and follow the step by step instructions. Its FREE and only takes abount 5 minutes to setup. Bye Bye bot alert popup!
    If a redneck in his livingroom can figure out how to get rid of this “BOT ALERT” how smart can Comcast be?
    Daniel Moore

    1. Hi, Daniel – I do agree that using non-ISP DNS servers is a good idea. I personally use Google’s, but OpenDNS is another fine option. However, this issue is not DNS-based.
      In this case, when the ISP has identified network traffic that fits the profile of one or more the various hundreds of botnets in operation, they notify you of the potential problem. My issue with their notification is that it would be easily faked, yet their “approved” message directs the user to click an included link. This represented a perfect candidate for a phishing operation to trick unsuspecting Comcast users into visiting sites that would deliver malware.

      I believe that the pop-up issue Jennifer described was unrelated to this behavior, and that could be accomplished regardless of the user’s DNS settings. I believe that some ISPs may be using limited HTTP redirects rather than DNS. However, using non-ISP DNS servers will definitely prevent the ads some ISPs have shadily started to provide when you enter an invalid URL.

  6. Hello,it’s incredible that this crap from comcast is going on for so long,this is scareware tactics which are illegal,people have to come together and place a law suit ,as a group it would be more effective,even if comcast denies is doing this ,it would be found out with the proper tracing or tracking sofware.

    it is very suspicious that this “Xfinty constant guard ” appears only on comcast customers.other ISPs don’t show this criminal activity

    1. Robert – While I do feel there are a lot of problems with how Comcast has taken on this task, you’re mistaken that it in any way resembles scareware tactics. They’re not installing anything on your system, then holding your system or data for ransom. That’s scareware, this is not. (Disclaimer: I have been closely involved with counter-scareware operations continuously for several years.)

      The warning only flags Comcast customers because architecturally, those are the only networks that Comcast can observe. Their activity is not criminal, as they are flagging the customers whose networks exhibit behavior of known malware. My issue was and remains that their method of informing victims is un-authenticated, and therefore ripe for abuse by phishing operations.

  7. with a new clean system, with nothing on it, this mess still comes up, there is nothing on it like a virus,Bot, or any spy ware, this has been going on for a long time, they have never sent me a email warning me they will cut me off, but if it continues I will cut them off, I rather have ATT slower DSL, only problem with ATT i had to call them ever month to straighten out the bill, that is to me the lesser of the two evils

    1. The message is showing because at some point in the recent past, at least one system somewhere on your network exhibited bot-like behavior. You may need to call Comcast to let them know you’ve removed the problem. Another possibility to consider is if you’ve allowed anyone else on your network recently. If so, and if their systems were compromised, your network would be flagged. If you run an open wireless network (which nobody should be doing!), it could be anyone in the area that decided to hop onto your network for access.

  8. It’s still happening… not only do I have the Bot popup on this page (Irony), It also pops up on my iPhone’s browser. Last I checked, iPhones can’t get bots…

    I am also now searching for a new ISP

    1. This probably indicates another system on your network is infected. Comcast most likely flags your home IP address rather than any particular system or device that uses it. I would recommend a complete scan and clean of all systems on the network where you received the popup message.
      Also, the idea that an Apple system (iOS or OS X) is any less susceptible to malware than a Windows system is a myth that was started and perpetuated by advertisers that have no business making such technological claims. Although the underground marketplace for OSX/iOS malware is still small compared to that for Windows systems, the possibility is very real, and has been demonstrated in multiple cases.

  9. Updated the article with two links showing that this exact thing is happening. Comcast’s useless solution proved… well, useless.

  10. UPDATE:
    Spoke with Comcast / Xfinity once again and they stated that the letter, emails, and pop-ups were indeed from them! Then he said, “we just wanted you as a valued Xfinity customer to be able to take advantage of our service for only $29.99”. They said the letter was to let me know what “could” happen IF I had a bot! But the letter clearly stated … “you have a bot” and “you will be disconnected with the DNS sever” (I don’t even know what a DNS server is but it sounds bad!). I just find it horrible that they admitted to the whole thing and STILL wanted me to buy their services. Too bad I liked the speed of Comcast .. but thanks to this aggressive sales move, I am canceling my service with Xfinity … Comcast .. Xfinity .. whoever they their personality disorder feels like being today!
    Someone has to do something about this! If I had the time and energy to focus on a lawsuit, I would! They are sending these letters, popups, and emails stating that you HAVE TO use their constagaurd and that you HAVE A BOT when they know you don’t. And to threaten that law enforcement officers are after your internet service and your infected machines … THAT’S MALICIOUS ON THEIR PART!
    As for me .. I’m ISP shopping! Not like Xfinity’s equipment (DVR, remotes, modems) or service ever worked that great anyway!
    Thanks for your response, there’s my update rant! 😉

    1. Thanks very much for your follow-up – I appreciate it.
      Would it be possible to post the exact contents of the message here (text of the e-mail or a scan of the paper mail)? I can contact you by e-mail to forward it that way if you prefer. I’d like to get the text posted so anyone else receiving the same sales pitch can better understand what they’re being fed.

      I certainly can’t fault you for feeling duped – based on your description of the messages, I’d say that it sounds very underhanded for Comcast.

  11. Hi, Jennifer – thanks for your comments. I’m glad that you found the site!
    WOW! That sounds like you’re being scammed. First and foremost, the “law enforcement” scare tactics are an alarm bell to me. That’s just not how law enforcement organizations work. Second, if you contacted Comcast (as in initiated the phone call to the number on your bill or other documentation), and they said it wasn’t from them, then I’d be fully comfortable that it’s not a real warning.
    With that, I’d say you can safely ignore the warnings… to a point. If you’re receiving popup messages while browsing the web, or e-mail warnings, there isn’t much you can do to prevent them. However, regardless of being a Mac or Windows box, you should run *trusted* antivirus software on each system That means a brand name (Norton/Symantec/McAfee/Clam/AVG), purchased from reputable vendor that you didn’t find by internet search or e-mail link (Amazon, or go to a local Best Buy or similar store).
    You’re smart to avoid clicking links sent to you by e-mail – that’s the first line of defense against phishing scams. I believe that with a full sweep of your systems at home, you’ll have peace of mind in knowing that you’re not infected with bot clients, and that you’ve done well in keeping your systems safe.

    The unfortunate situation that you’ve found yourself in just proves that the “real Comcast’s” verified notification policy simply doesn’t work in the real world. It’s trivial to craft a believable warning message that causes alarm, and potentially tricks the victim into paying for service in Comcast’s name, but to someone wholly unaffiliated with Comcast themselves. ISPs should adopt a strict quarantine policy that will block all traffic on service lines with infected hosts, except for traffic to/from cleanup instructions. They should also adopt actual digitally-signed notification documents coupled with paper notifications to corroborate their actions. Of course these must also be accompanied by detailed reasons why the line is being quarantined. WIthout that, victims are left to their own devices to figure out and remedy the problem.

    Regardless, good luck in fixing the situation, and please let me know how it goes.

  12. Additionally … let’s say I have a bot. How do I know which computer? Is Comcast / Xfinity going to make me pay for ALL my machines? This is ridiculous! Sorry .. yes I am upset! I KNOW my Mac’s are not affected!!! If I have to destroy the 2 surviving PCs with a hammer to make the bot go away … I’m good with that! Does Comcast / Xfinity want a picture of the machines smashed to pieces to prove it?

  13. Ok, I’m reading all these posts and I am confused. I have 7 computers in my home. 5 Mac’s and 2 PCs. I keep getting these emails (and pop ups) and I called Xfinity and they declined they ever sent the emails and/or pop ups. Several reps told me to ignore them, they are not Xfinity (Comcast .. whatever they are choosing to call themselves today). I also REFUSE to click a link emailed to me and start installing on my computers! I’ve NEVER had any problem on my Macs .. EVER!
    With all that said, I have now received a letter from “Comcast” that is smudged (literally) and states that “law enforcement offers” will take my internet services offline on or before March 6th, 2012. It also goes on to say “Xfinity Signature Support at a competitive price to help you secure your network”. WHAT????? So now I not only pay $200 a month for services but I also have to pay to remove imaginary bots from my Macs? And why all the smudged ink and using the names Xfinity and Comcast so interchangeably? Are they Comcast? Are they Xfinity?
    Is all this real? If it is, why are they sending me emails to click and pay? I thought you were NEVER EVER EVER supposed to click links and login into your accounts from an email you receive??????

  14. Hi, Cal – thanks for your comment. I’m glad to hear that Comcast seems to be cutting off infected customers. This needs to happen more if we’re ever going to see any dent in the criminal ecosystem. That said, we still do not know what kind of activity or behaviors trigger such a response. Continued “bad” on Comcast.

    As for directing potential victims to a page with solutions, I do think it’s a reasonable approach. I’ll again go back to the car analogy: If the “service engine” light comes on, you should either be savvy enough to address the problem yourself, or smart enough to take it to someone that is. There are plenty of legitimate and free solutions available, so proper care of one’s computer doesn’t necessarily come at an additional cost.

  15. If you really have a bot. Comcast will cut your connection off.
    I had one of these emails come up, sans the verified verbiage. It was sent to all 4 of my Comcast emails. I think they come up routinely if you use a torrent or some peer-to-peer site and do not indicate that you actually have a bot. Only that you may have a bot due to the uploading activity.
    If you do have a bot, Comcast will indeed cut off your internet connection. I know this to be the case as I have helped some customers clean their machines. The process is to clean it (reloading if necessary). Notify Comcast that you have cleaned the machine. They will then turn on your connection and monitor the connection to see if it is spewing out malicious content. (I don’t know if they are looking at packets or just addresses that it is accessing.) If it is clean, then Comcast will let the connection stay up. Otherwise, they will turn it off again and you need to do more work to clean the system(s).
    I would not bother to wipe and reload unless Comcast can tell you more than that you MAY have a bot. Directing you to a webpage with very generic information and a links to a partner site with pay for services is not a way to deal with the possible problem. I am sure that they have had a lot of scared customers needlessly buy the service/product.

  16. Jordan – thanks for your response clarifying this. It was not clear in the text. Perhaps something indicating that it will only be shown in the webmail interface would help. It would also be advisable to include specific guidelines for the large number of your customers that certainly don’t use that account or have it forwarded elsewhere. As I’ve never once used that account in either my e-mail client or the webmail interface, I’m still not sure what to look for. I’d suggest screenshots on an HTTPS EV site to further educate your customers.

    I’d also caution you against stating that something can or cannot be faked by spammers or through other scams. That kind of bulletproofing requires a highly educated user base, which is just not a realistic expectation on the Internet.

    I really do want to commend Comcast on the program overall, and would welcome more transparency to the standards applied and timelines involved. (For example, how is bot activity determined? How often are your network signatures updated? How long does a customer need to exhibit such behavior to warrant a block?)
    Finally, I strongly advocate a much more aggressive stance. Customers affected by bots need to be fully cut off from the Internet, save for activity connected to cleaning up their messes. Letting them continue to run rampant with a kind warning doesn’t really make things much more difficult for the bad guys.

  17. It appears there is a misconception about our Verified Email program – a function of our Xfinity Connect webmail. The Verified Email icon is only visible in the webmail interface and replaces the typical envelope seen in a message list (the list of all emails read and unread in an inbox).

    The Comcast Verified Email icon is designed so that it sits outside of the email itself and is intrinsic to the webmail client. Therefore it is not something that spammers can fake.

    I hope this helps to clear matters up for your readership.

Leave a comment

Your email address will not be published.