Email marketing and the User-Agent-String
When What Looks Like Phishing Is Just Spam
Recently, DOIT received multiple reports of suspicious messages about student loans from email addresses with the format <emails@alert###.info>. The recipients of these messages marked them as phishing, but on careful investigation, we realised that these were legitimate. We therefore classified these messages as spam instead of phishing.
According to Phishing.org, “[p]hishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.” A third party company, CollegeLoans, sent these messages on behalf of these loan companies. Therefore, they are not malicious or criminal; instead, they are commercial.
Nonetheless, you might not have subscribed to receive these messages; hence they are spam. According to Cisco.com, “[s]pam is unsolicited and unwanted junk email sent out in bulk to an indiscriminate recipient list. Typically, ...sent for commercial purposes.” These emails are advertisements. They target university students since people in this demographic may need help covering tuition costs.
As mentioned earlier, these loan messages or advertisements originated from the third party company, CollegeLoan. This company is located in Puerto Rico. When you click on the link in the email, they will earn a commission whether or not you apply for the loans. It is business. It’s email marketing.
CollegeLoans sends out links on behalf of the following companies:
Sallie Mae Smart Student Loan
Discover Undergraduate Loan
Credible Student Loan
Earnest Student Loan
College Ave Student Loan
CommonBond Student Loan
We were also suspicious because clicking the link might take the reader to Amazon.com rather than the advertised site. Among the information webservers can collect when you click is something called a User-Agent-String. This string helps the website determine the version of the browser you are using in order to avoid trying to perform advanced functions on old browsers. Bad actors may use this feature to hide from browsers commonly used to analyze malicious sites. However, we determined that the link is not malicious.
We are not sure of the reason that CollegeLoans chose to use browser detection. However, it is not uncommon for developers/companies to add this feature to their code/applications. According to MDN web Docs, using a browser detection would depend on one of the following:
If you are trying to work around a specific bug in some version of a browser.
If you are trying to check for the existence of a particular feature.
If you want to provide different HTML depending on which browser.
Source:
https://www.phishing.org/what-is-phishing
To read more about user agents, visit https://towardsdatascience.com/the-user-agent-that-crazy-string-underpinning-a-bunch-of-analytics-86507ef632f0.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Browser_detection_using_the_user_agent
______________________________________________________________________________________________________________________________________
Receive any suspicious emails?
Forward it to security@umbc.edu along with the email headers. Instructions for doing so can be found at the UMBC support wiki: https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970.
Follow us on myUMBC:https://my3.my.umbc.edu/groups/itsecurity.
Posted: September 13, 2021, 2:45 PM