news

A Domain-Specific Lesson from the Marriott Incident

by The Spamhaus TeamDecember 12, 20184 minutes reading time

The headlines have come thick and fast over the past few weeks in relation to the ‘Marriott Hack’. We all know the story: 500 million guest reservations from its Starwood database have been stolen. There are numerous lessons to be learned in regards to responding to this kind of incident, one of which is the importance of 'domain usage' when sending out emails.

What’s in a domain name?

On 30th November 2018, Marriott began informing customers that a breach had taken place. I actually received my email notification on 6th December, but let’s give Marriott a break - sending out 500 million notification emails can’t successfully be achieved in one go. What is interesting, and problematic, is the domain name they used to send out these notification emails; @email-marriott.com.

Why is it problematic?

As Tech Crunch highlighted in this article “the email sender's domain didn't look like it came from Marriott at all’. Marriott’s domain name is marriott.com, not email-marriott.com. In an environment where the public’s faith in Marriott's digital security is rapidly diminishing, receiving an email in which the sending domain isn’t easily recognized is far from ideal.

More to the point, appending common words to a recognized brand name is a practice often used in phishing emails. Just take a look at these phishing domains, all of which have been active over the past few days:

paypel-service-account.ga
support-netflx-team.cf
support-verificationaccount.com
service-capitalone-com.tk
support-appleinc.com

None of the above domains belong to either Paypal, Netflix, CapitalOne or Apple. As noted by Jake Williams and Nick Carr in the TechCrunch article, domains that look like a known brand but are slightly different come across as suspicious to many users. Combine this with an email subject line that mentions a security incident and it's no wonder that the receivers of these emails think twice before interacting with them, or even worse, taking the message seriously.

Domain reputation

Moving on from the recipients' perception of the domain name, consider the deliverability implications of sending an email to 500 million addresses from a domain that doesn’t have a strong reputation.

Domain reputation is crucial to sending emails without hindrance. A legitimate business builds its domain reputation in a number of ways, from the length of time their domain has been registered to using the domain name to send emails to engaged users, not forgetting real contact details being listed on their website. The list of reputation building factors goes on, however, a key one is the age of the domain.

In the case of "marriott.com", the domain was registered in 1993. That’s fairly impressive because it was only in 1993 that CERN defined the Web protocol and provided free code to all users. However, compare the Marriott's original domain to "email-marriott.com", which was registered 21 years later in 2014. Then, add into the mix the fact that the newer domain name begins sending out an irregular, mass email.

This set of circumstances is going to raise a big red flag and not only leads to a greater probability of emails being blocked but also, as previously mentioned, increases the likelihood that the notification email will be perceived as phish by the very people it was designed to protect.

How can the problem be avoided?

In principle it’s simple: If for technical reasons the main domain can't be used, create and use a subdomain. In the Marriott’s case using “notification.marriott.com" or some similar wording would have been appropriate. By creating a subdomain, the digital reputation and real-world recognition that has been carefully built-up around the original domain is preserved. All the red flags that would have been raised around a new or lookalike domain are circumvented, and it is immediately clear to anyone that the message is really from who it claims to be.

What’s the lesson learned?

Whilst there may be more work in creating sub-domains, using them builds your reputation out of one of your brands biggest digital assets: your main domain name. By using this as a 'trust anchor' you ensure that both man and machine can easily verify identity. This helps inbox placement, recipient engagement and most importantly it avoids confusion and suspicion on the receiving end of the message.