Beware customerfeedbackpanel.com

I was duped by a sophisticated scam. I’m embarrassed. But not too much. I don’t get duped by unsophisticated scams. This one was relatively harmless, which is why flags didn’t go up in my mind. Anyway, here’s my confession and story, followed by lessons learned.

Thursday I was surfing the web on my Chromebook. An official-looking window from customerfeedbackpanel.com claiming to be an Xfinity survey popped up in my browser. I’m an Xfinity / Comcast customer, and I jumped to the conclusion that Comcast was hijacking my browser, holding it hostage until I responded. Somehow I got it in my head that I had to take the survey before my internet connection would be released so I could surf. (I know, I know. Stupid. And shame on me for not giving Comcast more credit. Their customer support has gotten better year after year. After talking with Tier 2 support out of their Philadelphia security office, I won’t make that mistake again. Anyway…) I played along and stayed in my stupor because no flags went off in my head right away. I wasn’t asked for private information. I remember answering that I was male, and maybe I answered my age category. The other questions were related to Xfinity service. A flag only went off at the end of the survey. That’s when I did take screenshots (see the third lesson below).

After I took screenshots I Twittered, complaining first to Xfinity and then to Comcast. Kudos to Comcast for being clueful about prompt customer service via Twitter. Via DM I was directed to customer security assurance at 1-888-565-4329. (Thanks, CE and Kim!) I didn’t make time to call until this morning, when I talked to Jaden. He was very helpful, pointing me to the Xfinity website branded Constant Guard. The Alerts page (under GET HELP) is especially useful.

Lesson #1: use a service such as scamvoid.com. See http://www.scamvoid.com/check/customerfeedbackpanel.com:scamvoid-customerfeedbackpanel

That would have given me confidence to conclude it was a scam. I could have simply closed the window and gone back to my surfing.

Lesson #2: take screenshots of the survey. I like to live on the edge, so even if I knew it was a scam, I might have been in the mood to explore it. Taking screenshots all along the way would have made it easier to show Comcast what the impostor was up to.

Lesson #3: take screenshots after flags go up. This I did:

Lesson #4: if you have reason to suspect you’ve been compromised, check your modem’s logs for suspicious activity. I bet 99 out of 100 of my readers aren’t going to know how to do that. So ask your internet provider for advice. I called Comcast security at 1-888-565-4329. Unfortunately, Tier 1 agents Paul and Sana both told me to reset my modem. That doesn’t help. The Tier 2 agent was brilliant, though.

Conclusion: Beware Botnets. Read below for some technical details about why I suspect customerfeedbackpanel.com is collecting IP addresses. The most likely reason someone is collecting IP addresses, it seems to me, is because they are looking for insecure internet devices to add to botnets. I say in the fourth lesson above to get advice from your internet provider if you suspect you’re at risk. I don’t think it’s prudent to share publicly what the Tier 2 agent told me, but if you reach out to me I’ll be happy to discuss this subject in private. Given the heightened awareness about internet security with the Dyn attack last month, and the U.S. government going surprisingly public about cyber warfare with Russia, we should all become more alert about the role we all play in internet security, particularly botnets.

Appendix

Here are some technical details I may write more about later.

(Screenshot: Browser History)

Seeing that this started when I visited WordPress, I’m wondering if that site had something to do with this incident. ¯\_(ツ)_/¯

Here’s most of the text of the offending URLs.

briana.tnctrx.com/tr?id=01dbf43a8e97868f7b866f43f93b051394933aa61b.r&tk=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJwdWIiOiI1MGQwMzJhMzc1ZmI5MWRhN2Q5NTRiMWEiLCJ0cyI6IjExMDQwNDA2IiwiZCI6Im5ld2F0bGFudGlzLmNvbSJ9.yfuIZ524jAGOUqYps1J4sG62UeM_GynpKoUw2OHWhZo

zl1.zeroredirect.com/zcvisitor/202bb534-a244-11e6-9a35-06a3c0ce8cef?campaignid=0f9c1570-90b0-11e6-8eb3-0e855f2e0669

zl1.zeroredirect8.com/zcredirect?visitid=202bb534-a244-11e6-9a35-06a3c0ce8cef&type=js&browserWidth=1100&browserHeight=920&iframeDetected=false

Note the specific fields sent to the scamming website. This can’t be good for privacy:

customerfeedbackpanel.com/chrome_survey/index_us1.php?ua=Mozilla%2F5.0%20%28X11%3B%20CrOS%20x86_64%208530.96.0%29%20AppleWebKit%2F537.36%20%28KHTML%2C%20like%20Gecko%29%20Chrome%2F53.0.2785.154%20Safari%2F537.36&browserversion=Chrome%2053&city=___&country=US&device=DESKTOP&isp=Comcast%20Cable%20Communications%20inc.&ip=___.___.___.___&os=Linux&osversion=Chrome%20OS&browser=Chrome&target=india-vis-NkwwvQla&type=DOMAIN&match=&voluumdata=BASE64dmlkLi4wMDAwMDAwMy1kZGQ0LTQ0NzktODAwMC0wMDAwMDAwMDAwMDBfX3ZwaWQuLjI4MGZhMDAwLWEyNDMtMTFlNi04MmM1LTdmZjRhODJhODFlZF9fY2FpZC4uZmRjODdhMTItZmZkMS00MDNiLWFiNGItNjhjYzIzNzIwODcxX19ydC4uUl9fbGlkLi43YzBkMjJlMy1kNmI2LTQ1ZDQtYTE3OS04ZTE5OWVlN2U0NTJfX29pZDEuLjQzMWZiNDAzLTY0ZmYtNDA0Zi04YzgwLWYwZTRlZmExYTUxNV9fb2lkMi4uMGZlNmQ4ODUtMWRlZC00N2U4LThjMjctMDE4NWQxZmY4NWM4X19vaWQzLi44NDUxYzFlZi0wNzRiLTQxMWYtYTRmMC03OGJkZTgzOWY1MWRfX29pZDQuLjkwNDYwYzRlLTM3MjctNDM1Yi05MDA5LWIyNjA2NTM3ODI0MV9fdmFyMi4ubmV3YXRsYW50aXNfX3ZhcjMuLmluZGlhLXZpcy1Oa3d3dlFsYV9fdmFyNC4uTk9OLUFEVUxUX192YXI1Li5ET01BSU5fX3ZhcjYuLmxhdGVyaXRpb3VzLWZhbGNvbl9fcmQuLl9fYWlkLi5fX2FiLi5fX3NpZC4u (redacted)

What concerns me most is that the URL embeds my IP. That is entirely unnecessary.
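To see exactly what a URL like the one above hands to the survey site, here is an added Python example (not code from the post) that decodes the query string, lists the visitor-identifying fields, and decodes the "BASE64" tracking blob. The URL is a constructed copy of the one quoted above with the author's "___" redactions kept, a made-up http:// scheme, and the voluumdata value cut to its first few characters; the set of "sensitive" field names is my own judgement.

```python
from urllib.parse import urlsplit, parse_qs
import base64

# Constructed copy of the survey URL quoted on this page (scheme added,
# city and ip kept redacted as "___", voluumdata truncated).
OFFENDING_URL = (
    "http://customerfeedbackpanel.com/chrome_survey/index_us1.php"
    "?ua=Mozilla%2F5.0%20%28X11%3B%20CrOS%20x86_64%208530.96.0%29%20AppleWebKit"
    "%2F537.36%20%28KHTML%2C%20like%20Gecko%29%20Chrome%2F53.0.2785.154"
    "%20Safari%2F537.36&browserversion=Chrome%2053&city=___&country=US"
    "&device=DESKTOP&isp=Comcast%20Cable%20Communications%20inc."
    "&ip=___.___.___.___&os=Linux&osversion=Chrome%20OS&browser=Chrome"
    "&target=india-vis-NkwwvQla&type=DOMAIN&match="
    "&voluumdata=BASE64dmlkLi4wMDAwMDAwMy1kZGQ0"
)

# Parameters that describe the visitor or their network rather than the
# survey itself (assumed list: what I would flag when reviewing such a URL).
SENSITIVE_FIELDS = {"ip", "isp", "city", "country", "ua",
                    "os", "osversion", "browser", "browserversion", "device"}


def parse_tracking_url(url):
    """Return the decoded query parameters (first value of each key)."""
    query = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def leaked_fields(url):
    """Map every sensitive parameter present in the URL to its decoded value."""
    params = parse_tracking_url(url)
    return {k: params[k] for k in sorted(SENSITIVE_FIELDS) if k in params}


def decode_voluumdata(value):
    """Decode a 'BASE64...' tracking value; None if it is not decodable."""
    if not value.startswith("BASE64"):
        return None
    raw = value[len("BASE64"):]
    raw += "=" * (-len(raw) % 4)  # restore padding stripped from the URL
    try:
        return base64.b64decode(raw, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    for name, value in leaked_fields(OFFENDING_URL).items():
        print(f"{name:15} {value}")
    blob = parse_tracking_url(OFFENDING_URL)["voluumdata"]
    print("voluumdata ->", decode_voluumdata(blob))
```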
