Tuesday, April 26, 2016

Legit or Phishing Scheme?

Several readers have alerted me to a possible phishing scheme masquerading as an email from Ancestry.com. Reader “T” reported that he received the following message:

Hi Removed,

Ancestry has moved to a brand new support platform. By doing so we have created a more powerful set of tools as well as added some key features to aid you with any of your future support needs. To take part in this new experience; you will need to reset your password by clicking on the following link: https://support.ancestry.com/login? [he removed the rest of the link].

Your Username is: Removed

Ancestry Support

I assume he substituted the word “Removed” for his username, but for illustration, let’s assume it actually said “Removed.” Darlene in Lakeview reported that her email really did contain an incorrect username.

Sandra Gwilliam reported that the email came from “ancestrysupport@ancestry.com via nt6vbkyd21ca.15-eq03eag.na22.bnc.salesforce.com.”

There are a number of red flags that rightly trigger suspicion about an email. (This example contains several.)

  • Purports to be from one address when it comes from a different one. (In this example, the email claimed to be from ancestry.com but was actually from salesforce.com. That’s suspicious.)
  • Does not state your username. That’s a big, big red flag. Genuine phishing emails generally don’t know your username. Purporting to know your username but stating it incorrectly should raise perhaps an even bigger red flag.
  • The email seeks confidential information, such as username, password, birthdate, address, social security number, or other financial information. Be careful. I investigated one phishing website that sent off your information as you typed it. It didn’t wait for you to submit the information. The first question was pretty safe: email address. The second seemed so as well: First and Last name. Next, address. Somewhere down the page it asked for credit card. Finally, it asked for the number at the bottom of your checks. By the time you became suspicious, they had already stolen valuable information about you. You didn’t have to click Submit or Send or anything. (This example seeks your password, making it suspicious. No one told me what happened when they clicked the link.)
  • The email is unexpected, or isn’t logical. In this example, you might have tested the situation by typing www.ancestry.com into your browser and trying to log in. If you are not prompted to change your password, then the email doesn’t make sense.
  • Your email program indicates that the link goes to someplace different than what is shown. This is another big, big red flag. Never click a link in an unexpected email without comparing the two addresses. More on that in a minute. (I don’t know if that was the case in this example.)

Let me teach you how to do the last one. You should have received an article on Sunday titled “Suspicious Links.” It contains one suspicious link and three non-suspicious links. I sent it separately because some of you may have email systems that blocked the email. (Kudos to those email systems.)

Hover over each link and look for a little help box that shows where the link will actually go. (See the screen image, below, from Gmail.) If what is displayed in the email and what is displayed in the little help box are different, that is a big red flag. Don’t click the link. The link is not what it claims to be. The email sender may be trying to deceive you. The link may show the address of your bank but send you to a malicious imposter site that tricks you into giving up your username and password. Go ahead and click “www.familyesarch.org.” Did you end up on FamilySearch.org? 

Hover over a link in a browser-based email program to see the actual destination in the bottom corner.

Some programs pop up the actual link somewhere other than the lower corner. Current versions of Microsoft mail programs place it near the link itself:

Hover over a link in some email programs to see the actual destination near the link.

Be careful. The two addresses may look very similar. Take, for example, these addresses:

5. http://www.familysearch.org
6. http://d.ru/www.familysearch.org

Links 5 and 6 are not the same. Don’t trust the link.

If you are confused, stop here. If not, let me get into additional details. The absence of http:// is not a concern. And http:// versus https:// is not a problem. Some addresses work equally well with or without them. Links 7-9 are all equivalent.

7. www.familysearch.org
8. http://familysearch.org
9. https://www.familysearch.org

No Address Displayed

Sometimes an email may not display an address at all. It may say “Click here to change your password.” How do you evaluate the safety of the link? Hover over the link and look at the address. If the domain shown by the email popup ends with a website you trust, then you can trust the link.

Recognizing the domain can be tricky. The domain is the part between the double slash and the next slash. The domain of link 3 is ancestryinsider.blogspot.com. The domain of link 5 is www.familysearch.org. The domain of link 6 is d.ru.

Assuming the only websites you trust are FamilySearch.org and Ancestry.com, if you found the following URLs in an email, which can you assume to be safe?

       10. http://www.ancestry.org/ancestors-and-collateral-relatives/ – No. The domain ends with .org, not .com.
       11. http://www.ancestrydna.com – No. Doesn’t end with ancestry.com. (Yes, in real life we may know this domain forwards to Ancestry.com, but some people may not know that before clicking. For purposes of this exercise, we are only clicking domains ending in Ancestry.com or FamilySearch.org.)
       12. https://support.ancestry.com/s/question/0D51500001jKXlXCAW – Yes. Domain ends in ancestry.com.
       13. http://ancestry.custhelp.com/cgi-bin/ancestry.cfg/php/enduser/sab_main.php?offerid=0:679:0&p_sid=_JT1V*Vj – No. BTW, this is the old Ancestry Help system.
       14. http://ancstry.me/1rpVcWU?ancestry.com – No. The domain is ancstry.me
       15. https://www.smartrecruiters.com/ancestry/89511329 – No.
       16. http://interactive.ancestry.com/7667/4297342_00050/34779150?backurl=http://ancestryinsider.org – Yes, according to the rules we’ve defined here. Actually, this URL is bad because it exploits an Ancestry security hole. But I won’t get into that.
       17. https://dcms.lds.org/delivery/DeliveryManagerServlet?dps_pid=IE95837&from=fhd – No. This is a FamilySearch book, but it is hosted on a website outside our trust list (for this exercise).
       18. https://getsatisfaction.com/familysearch? – No.
       19. https://familysearch.org/ask/salesforce/viewArticle?urlname=Add-Photos-Documents-or-Stories-of-a-living-person-to-Family-Tree&lang=en – Yes.
       20. http://v.ht/familysearch_org – No. Domain is v.ht.
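
The two checks taught above (compare the address shown with the address the link really goes to, and trust only a domain that ends in a site on your trust list) can be written down precisely. The Python below is an added example, not part of the original post; the function names are hypothetical and the two URLs marked "constructed" do not come from the page. It goes slightly beyond the rule in the text by ignoring a `user@` prefix in front of the real host and by requiring a dot before the trusted domain.

```python
import re
from urllib.parse import urlsplit

# Trust list from the exercise on this page.
TRUSTED = ("ancestry.com", "familysearch.org")

def host_of(url):
    """Return the lowercase host a link really goes to, or None if unparsable."""
    url = url.strip()
    if not re.match(r"[A-Za-z][A-Za-z0-9+.-]*://", url):
        url = "http://" + url      # links 7-9: a missing scheme is not a concern
    try:
        host = urlsplit(url).hostname   # ignores any user@ prefix and :port
    except ValueError:
        return None
    return host.rstrip(".").lower() if host else None

def is_trusted(url, trusted=TRUSTED):
    """True only if the host is a trusted domain or a subdomain of one."""
    host = host_of(url)
    if host is None:
        return False
    # Match on a dot boundary: "notancestry.com" also ends with "ancestry.com".
    return any(host == d or host.endswith("." + d) for d in trusted)

def _bare(host):
    """Treat www.example.org and example.org as the same site (links 7-9)."""
    return host[4:] if host and host.startswith("www.") else host

def display_mismatch(shown, href):
    """True when the visible text is an address whose host differs from href's."""
    text = shown.strip()
    if " " in text or "." not in text:
        return False               # "Click here": nothing to compare, use is_trusted
    return _bare(host_of(text)) != _bare(host_of(href))

if __name__ == "__main__":
    samples = [                                   # links 5, 6, 12, 14 from the page
        "http://www.familysearch.org",
        "http://d.ru/www.familysearch.org",
        "https://support.ancestry.com/s/question/0D51500001jKXlXCAW",
        "http://ancstry.me/1rpVcWU?ancestry.com",
        "http://www.familysearch.org@d.ru/",      # constructed: user@ trick
        "http://notancestry.com/login",           # constructed: no dot boundary
    ]
    for u in samples:
        verdict = "trust" if is_trusted(u) else "STOP"
        print(f"{verdict:5}  {host_of(u)}  <-  {u}")
```

Link 16 passes this check, exactly as it passes the rule in the exercise: a host-only test says where a link lands first, not what the rest of the URL does.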

Legit or Phishing Scheme?

While you were right to be suspicious of these emails, actually, they are legit. Ancestry is switching to a new help system that doesn’t integrate with your Ancestry username and password. You have to create a new password on the new system. Link 12 leads to this help message:

Hello Thomas,

Just to clarify, this is not a phishing attack or scam. We have sent out emails to notify our members of the new Ancestry Support page as it requires our members to reset their password. Let us know if you have any further questions, and we hope you enjoy!

Karlie B.
Ancestry Community Moderator

I tried out the new system and it was a hunk of junk. I registered and it sent me a verification email—the one you all have been getting—that sent me to a webpage that sent me a verification email that sent me to a webpage that sent me a verification email… There was no link to get help. “Contact your administrator.” Fail.

Image courtesy of Stuart Miles at FreeDigitalPhotos.net.


  1. I don't know what happened to you, but I had no problem creating my account and signing in. It's a much cleaner interface for customer support. I'd suggest trying again and updating this post. Until I got to the very end I didn't see your explanation that it is NOT a phishing email.

  2. This was a very helpful post. Thank you.

  3. Best thing is to always open a new page and type in the address where you want to go.

  4. I thought it was suspicious as it went to an old email address I rarely use AND had the wrong user name for me. I called Customer Support and since they weren't aware that the email had been sent out, asked me to forward it to them. I got the response that it was legit. I haven't followed the directions yet as I figured there would be bugs they needed to work out. Wish they had communicated with their Customer Support personnel - they needed to know about it.

  5. Your comment "it was a hunk of junk" is grossly unfair. It's nowhere near that good. "Abomination" would be more the word I'd choose.
    On the other hand everyone knew the change was coming, there was a banner across the top of the main support page for a month. The email shouldn't have startled anyone.