Last week, Marriott sent emails to millions of people admitting that there was a massive data breach in its Starwood subsidiary’s database. The problem, though, is that the email domain they sent it from doesn’t look like it is from Marriott at all.
The notification email came from email-marriott.com. There is no HTTPS certificate for the domain, nor does it load, which makes it look like a fake—something that is common when data breaches occur as hackers use phishing attacks to prey on affected customers. In this case, the domain is actually real, but security experts everywhere turned to social media to voice their dismay at Marriott’s carelessness.
Here’s an example of a spoofed domain…email-marriot.com. Take a close look; it looks legitimate, right? Take a closer look and you’ll notice that Marriott is spelled wrong. Unless you are really paying attention, you probably wouldn’t notice. You’d click on the link, visit the site, and likely input the details asked of you.
The misspelled domain in the example above, however, is actually real. TechCrunch reports that it was created by Jake Williams, the founder of a company called Rendition Infosec. Williams said that he registered this domain to make sure that a scammer didn’t register it first. He explains that he has seen this time and time again, especially after the big Equifax breach last year. Back then, many fake sites were created to trick people seeking information on the breach.
Here’s an example of a fake site after the Equifax breach: securityequifax2017.com. The real site was equifaxsecurity2017.com, and even Equifax’s support team got confused and sent people to the wrong address. From this incident, companies vowed to learn from Equifax’s mistakes and not set up random domains to help affected users.
Unfortunately, Marriott seemingly did not learn. Even security experts, like Troy Hunt, are calling Marriott out. Hunt actually tweeted Marriott to bring light to this mistake. It turns out Marriott has been using this domain since the beginning of the year when it asked its customers to update passwords for their accounts.
Other security experts are also stepping in to help Marriott customers from falling victim to scams. Nick Carr, for instance, is one of them. He works for FireEye, a security company, and also registered similar domains to keep them away from hackers.
He wrote on his site that it is important to watch where you click. Though all of this could have been avoided if Marriott would have sent the email from its own domain, it’s a good lesson for everyone. Never trust a domain you don’t know and do your research before you click on any random links or hand over any information. The telltale signs are
The big takeaway: Be wary. Hackers go all in to target people after breaches—this is often the most dangerous time.
What does Marriott have to say about the incident? So far, there has been no response from the hotel chain.