How Not to Tell People Not To Click On Sketchy Email Links (and lifehacking: Jack D. Ripper was right after all?!)

Evernote got hacked. When it came time to warn their users about the hack — including a note cautioning against the inevitable phishing attacks to follow — they made one critical mistake. The “we’ve been hacked, don’t click on links” email contained clickable links that looked exactly like phishing links might, with the hyperlink target “links.evernote.mkt5371.com”…

In some clever alternate universe, anyone that clicks those links would automatically get the Evernote Internet Safety Refresher Course delivered to their inbox.

Lifehacking: okay Dr. Strangelove fans… it turns out Jack D. Ripper may have been right after all. A very conclusive meta-analysis indicates that fluoridating the water supply “significantly” lowers IQ: http://www.ncbi.nlm.nih.gov/pmc/articles/PMC3491930/

Based on a conclusive meta-analysis of Russian dashcam footage, I’m not sure that vodka is the solution, though.

http://nakedsecurity.sophos.com/2013/03/03/evernote-reset-password/

“After being hacked, Evernote, quite responsibly, has sent out emails to its users informing them of the security breach – and letting them know that it has decided to reset all passwords.[…]

the same email that Evernote tells users not to click on ‘reset password’ requests sent via email, they have clickable links.

And what might make some recipients pause for thought is that the links don’t go directly to evernote.com, but instead link to a site called mkt5371.

Now, before you panic that someone is attempting to phish your Evernote credentials with a craftily-designed email, just relax.

This was just carelessness on Evernote’s part. mkt5371 is a domain owned by Silverpop, an email communications firm who Evernote has clearly employed to send emails to its 50 million or so affected users.

The links in this case *do* end up taking you to Evernote’s website – but go silently via Silverpop’s systems first.

Presumably that’s so Evernote can track and collect data on how successful the email campaign has been.

That’s a technique commonly used in normal marketing email communications, but looks very out of place in an email about a security breach which tries to hammer home the point to “Never click on ‘reset password’ requests in emails – instead go directly to the service”.

You could certainly understand why someone freaked out by the Evernote security breach would be alarmed to receive an email with links like that.”
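A pre-send check that would have caught the mismatch described above, as an added example (not code from this post, Sophos, or Evernote): it lists every link in an HTML mail body whose host is not the brand domain or a subdomain of it. The function names and the sample body are assumptions made for illustration; only the tracking host name comes from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class _HrefCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_belongs_to(host, brand_domain):
    """True only for brand_domain itself or a subdomain (match on a label boundary)."""
    host = (host or "").lower().rstrip(".")
    brand = brand_domain.lower()
    return host == brand or host.endswith("." + brand)

def off_domain_links(html_body, brand_domain):
    """Return [(host, visible_text)] for http(s) links that leave brand_domain."""
    parser = _HrefCollector()
    parser.feed(html_body)
    parser.close()
    flagged = []
    for href, text in parser.links:
        parts = urlsplit(href)
        if parts.scheme in ("http", "https") and not host_belongs_to(parts.hostname, brand_domain):
            flagged.append((parts.hostname, text))
    return flagged

# Constructed sample body: the URL paths and link texts are made up for this example.
SAMPLE = """<p>Never click on 'reset password' requests in emails.</p>
<a href="http://links.evernote.mkt5371.com/constructed-path">Evernote.com</a>
<a href="https://evernote.com/">evernote.com</a>
<a href="https://www.evernote.com/constructed-login">Sign in</a>"""

if __name__ == "__main__":
    for host, text in off_domain_links(SAMPLE, "evernote.com"):
        print(f"off-domain link: text={text!r} host={host}")
```

The comparison is a suffix match on a dot boundary, so a host that merely contains "evernote" as one of its labels, like the tracking host here, is still reported.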
