Marriott's breach response is so bad, security experts are filling in the gaps at their own expense

Last Friday, Marriott sent out millions of emails warning of a massive data breach — some 500 million guest reservations had been stolen from its Starwood database.

One problem: the email sender’s domain didn’t look like it came from Marriott at all.

Marriott sent its notification email from “email-marriott.com,” which is registered to a third-party firm, CSC, on behalf of the hotel chain giant. But there was little else to suggest the email was at all legitimate — the domain doesn’t load and has no identifying HTTPS certificate. In fact, there’s no easy way to check that the domain is real, except a buried note on Marriott’s data breach notification site that confirms the domain as legitimate.

But what makes matters worse is that the email is easily spoofable.

After a data breach, scammers often capitalize on the news cycle with their own stream of fake messages and websites, tricking users into handing over their private information. It’s more common than you think: people who believe they’re at risk after a breach are more susceptible to being duped.

Companies should host any information on their own websites and verified social media pages to stop bad actors from hijacking victims for their own gain. But once you set up a dedicated, off-site page with its own unique domain, you have to consider cybersquatters, who register look-alike domains that differ from the real one by only a character or two.

Take “email-marriot.com.” To the untrained eye it looks like the legitimate domain, and many wouldn’t notice the missing letter. In fact, it belongs to Jake Williams, founder of Rendition Infosec, who registered it to warn users not to trust the domain.

“I registered the domains to make sure that scammers didn’t register the domains themselves,” Williams told TechCrunch. “After the Equifax breach, it was obvious this would be an issue, so registering the domains was just a responsible move to keep them out of the hands of criminals.”
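The two look-alikes in this story (“email-marriot.com” and “email-mariott.com”) are both single-character omissions of Marriott’s real sender domain. The following added example (not code from the article or from any of the people quoted) enumerates every such omission of a domain so a defender can register or monitor them ahead of scammers; the domain and the set of “already registered” names are constructed sample input.

```python
"""Enumerate single-character-omission look-alikes of a notification domain.

Defensive use: a company that sends from an unusual domain (or a researcher
acting on its behalf) can register or watch these names before scammers do.
"""


def omission_variants(domain: str) -> list[str]:
    """Return every distinct domain formed by deleting one character from the
    registrable label, e.g. 'email-marriott.com' -> 'email-marriot.com'.
    Only the label before the first '.' is varied; the TLD is kept as-is."""
    label, _, tld = domain.partition(".")
    seen: set[str] = set()
    variants: list[str] = []
    for i in range(len(label)):
        candidate = label[:i] + label[i + 1:]
        # Deleting one of two identical adjacent letters yields the same string
        # twice (e.g. the double 'r' and double 't'), so de-duplicate.
        if not candidate or candidate in seen:
            continue
        # A DNS label may not start or end with a hyphen.
        if candidate.startswith("-") or candidate.endswith("-"):
            continue
        seen.add(candidate)
        variants.append(f"{candidate}.{tld}")
    return variants


def find_registered_lookalikes(domain: str, registered: set[str]) -> list[str]:
    """Return the omission variants of `domain` that appear in `registered`
    (a constructed stand-in for a WHOIS/DNS check of each candidate)."""
    return [v for v in omission_variants(domain) if v in registered]


if __name__ == "__main__":
    # Constructed sample: the real sender domain and a pretend registry state.
    legit = "email-marriott.com"
    taken = {"email-marriot.com", "email-mariott.com", "unrelated.example"}
    for name in omission_variants(legit):
        flag = "REGISTERED" if name in taken else "available"
        print(f"{name:24s} {flag}")
```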

Equifax, the biggest breach of last year, made headlines not only for its eye-watering hack, but its shockingly bad response. It, too, set up a dedicated site for victims — “equifaxsecurity2017.com” — but even the company’s own Twitter staff were confused, and inadvertently sent concerned victims to “securityequifax2017.com” — a fake site set up by developer Nick Sweeting to expose the company’s vulnerable incident response.

With the Equifax breach still fresh in memory, Marriott has clearly learned nothing from that response.

Many others have sounded the alarm on Marriott’s lackluster data breach response. Security expert Troy Hunt, who founded data breach notification site Have I Been Pwned, posted a long tweet thread on the hotel chain giant’s use of the problematic domain. As it happens, the domain dates back at least to the start of this year when Marriott used the domain to ask its users to update their passwords.

Williams isn’t the only one who’s resorted to defending Marriott customers from cybercriminals. Nick Carr, who works at security giant FireEye, registered the similarly named “email-mariott.com” on the day of the Marriott breach.

“Please watch where you click,” he wrote on the site. “Hopefully this is one less site used to confuse victims.” Had Marriott just sent the email from its own domain, it wouldn’t be an issue.

A spokesperson for Marriott did not respond to a request for comment.
