Phishers gather information by impersonating a bank or other trusted party, usually by sending links in e-mail. The links go to a site they control and then they gather personal information or login details because the user has been tricked into thinking they are legitimate.
This fits that pattern of phishing: it is e-mail, it is unexpected, it solicits personal information that Curve already holds (I passed KYC a while ago), and the link goes to a third-party website.
To counter phishing, Curve said all such interactions would be in the app: https://twitter.com/AskCurve/status/1344332931167379461. Following your own guidance, therefore, Curve will never send me an e-mail soliciting information, and thus this e-mail is phishing.
E-mail From addresses can be forged. Sending a forged e-mail from support@imaginecurve.com is not hard. For example, your SPF records allow a broad range of Google Cloud and AWS IP addresses:
host -t txt imaginecurve.com
imaginecurve.com descriptive text "MS=ms19255557"
imaginecurve.com descriptive text "atlassian-domain-verification=Es6HjAjsMLWh/ETspitTbzEzt2MbEM9gEONq7JyikTvkuDKGDpvePC5taffUe+V6"
imaginecurve.com descriptive text "google-site-verification=4BUU9xFVEIM16pUiOT-L9IyErZGsc9vaIax3VBWfHr4"
imaginecurve.com descriptive text "google-site-verification=4KZ8wkx_RPyiS1dhK4_eh3YKXrRA87nDnpCZHV6Vl8Y"
imaginecurve.com descriptive text "google-site-verification=6tEhTCNjJ1YlhrXEShXs8-pk0wDuhSgeqC81XE9uSK4"
imaginecurve.com descriptive text "onetrust-domain-verification=bb1820074bce41b0bc39ea313d9eb78a"
imaginecurve.com descriptive text "status-page-domain-verification=cl7704tmbqqq"
imaginecurve.com descriptive text "v=spf1 include:_u.imaginecurve.com._spf.smart.ondmarc.com -all"
host -t txt _u.imaginecurve.com._spf.smart.ondmarc.com
_u.imaginecurve.com._spf.smart.ondmarc.com descriptive text "v=spf1 ip4:35.191.0.0/16 ip4:74.125.0.0/16 ip4:173.194.0.0/16 ip4:54.240.0.0/17 ip4:209.85.128.0/17 ip4:72.14.192.0/18 ip4:198.2.128.0/18 ip4:216.198.0.0/18 ip4:23.251.224.0/19 ip4:64.233.160.0/19 ip4:108.177.96.0/19 ip4:172.217.0.0/19 ip4:172.217.128.0" "/19 ip4:172.217.192.0/19 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ip4:23.249.208.0/20 include:_p.1.rdp1q3._u.imaginecurve.com._spf.smart.ondmarc.com ~all"
Most likely, all a phisher would need to do to impersonate support@imaginecurve.com and pass SPF validation is use the same cloud providers.
Getting a valid SSL certificate for a domain is easy. All you need is LetsEncrypt. A valid SSL certificate means that communication is more likely to be with the owner of the domain. That communication with onfido.com is encrypted means very little if there is no authentication that onfido.com is associated with Curve.
Please, please follow best practices:
- If you’re going to post guidance to your users about how to avoid phishing, follow it: https://twitter.com/AskCurve/status/1344332931167379461. In this case, that means doing all interactions in the app, because that’s what you said you would do.
- Never send e-mail soliciting personal information.
- If you must send an e-mail with a link, that link must go to a domain owned by Curve. Never by a third party. Setting up a Curve landing page is not hard.
Average users are not going to Google around to make a decision about clicking a link or not. They do not have a list of your partners memorized. Don’t tell me I can find an obscure blog post mentioning the partnership.
If you don’t follow best practices, you are training users to accept e-mails as legitimate, which makes them a target for phishing campaigns, costing users and you money. And in the UK at least, training users to be phished through your poor e-mail practices makes it more likely Curve will be responsible for any losses incurred.
The correct practice here would have been to send an interstitial to the app referring the user to Onfido. Or a chat message. Perhaps send an e-mail to the user alerting them that they need to log in to the app to see a message.
Curve’s practices and responses on this thread suggest Curve lacks staff with cybersecurity knowledge, which should worry everybody about Curve’s security, not just about phishing.
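To make the SPF point above concrete, here is an added example (not the poster's code, nor anything from Curve or OnDMARC): an offline SPF evaluator run over a lookup table constructed from the two TXT records quoted in the post. The nested include (_p.1.rdp1q3...) was never resolved in the post, so it is absent from the table and treated as "none"; the evaluator only handles the ip4, include and all mechanisms that those records use.

```python
"""Offline SPF check over the records quoted in the post (constructed table)."""
import ipaddress

# Constructed from the host -t txt output above; the nested include is not present.
SPF_RECORDS = {
    "imaginecurve.com":
        "v=spf1 include:_u.imaginecurve.com._spf.smart.ondmarc.com -all",
    "_u.imaginecurve.com._spf.smart.ondmarc.com":
        "v=spf1 ip4:35.191.0.0/16 ip4:74.125.0.0/16 ip4:173.194.0.0/16 "
        "ip4:54.240.0.0/17 ip4:209.85.128.0/17 ip4:72.14.192.0/18 "
        "ip4:198.2.128.0/18 ip4:216.198.0.0/18 ip4:23.251.224.0/19 "
        "ip4:64.233.160.0/19 ip4:108.177.96.0/19 ip4:172.217.0.0/19 "
        "ip4:172.217.128.0/19 ip4:172.217.192.0/19 ip4:216.58.192.0/19 "
        "ip4:216.239.32.0/19 ip4:23.249.208.0/20 "
        "include:_p.1.rdp1q3._u.imaginecurve.com._spf.smart.ondmarc.com ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, sender_ip, records=SPF_RECORDS, depth=0):
    """Return pass/fail/softfail/neutral/none for sender_ip claiming to be domain."""
    record = records.get(domain)
    if record is None or depth > 10:  # unknown record, or RFC 7208 lookup limit
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name == "ip4" and ip.version == 4 and ip in ipaddress.ip_network(arg):
            return QUALIFIERS[qualifier]
        # An include matches only when the referenced record yields "pass".
        if name == "include" and evaluate_spf(arg, sender_ip, records, depth + 1) == "pass":
            return QUALIFIERS[qualifier]
    return "neutral"  # record ended without an "all" term


def authorized_ipv4_count(domain, records=SPF_RECORDS):
    """Number of IPv4 addresses the record (and its includes) explicitly permits."""
    total = 0
    for term in records.get(domain, "").split()[1:]:
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "ip4":
            total += ipaddress.ip_network(arg).num_addresses
        elif name == "include":
            total += authorized_ipv4_count(arg, records)
    return total
```

Any sender inside one of the listed shared cloud ranges gets "pass" for support@imaginecurve.com, while an address outside them gets "fail"; the count shows how many addresses are in scope.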