I got an email today that claimed to be from "noreply@ McAffee.com". Now this could have been spoofed, and I will try to inspect the Internet header for evidence.
The content was HTML, and it contained the following:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<P>McAfee Labs has identified a zero-day vulnerability in Microsoft Internet Explorer that was used as an entry point for a cyberattack that struck Google and a rapidly growing list of other companies. McAfee is working with our customers, partners, and the public to educate them on this dangerous cyberattack known as "Operation Aurora". <BR><BR>We have set up an informational web page </A>to get the latest information at <A href="http://now.eloqua.com/e/er.aspx?s=927&lid=1924&elq=59870a1c4b4d4eada6d5b489a6f44887">www.mcafee.com/... you will find: <BR><BR>>> <A href="http://now.eloqua.com/e/er.aspx?s=927&lid=1925&elq=59870a1c4b4d4eada6d5b489a6f44887">A detailed document</A> to help you determine if you've been affected<BR>>> <A href="http://app.en25.com/e/er.aspx?s=927&lid=1926&elq=59870a1c4b4d4eada6d5b489a6f44887">An executive-level video briefing</A> explaining Operation Aurora from the McAfee Office of the CTO <BR>>> Evaluations of McAfee products to help ensure that you are protected<BR>>> Links to McAfee security professionals and other resources to help you protect your organization from Operation Aurora and similar attacks in the future<BR><BR>We invite you to visit this site frequently for updates on Operation Aurora. In addition, we will be hosting the Hacking Exposed live webcast on January 21, 2010 at 11 AM PST / 2 PM EST which will feature the latest up-to-date information on the Operation Aurora cyberattack. <A href="http://now.eloqua.com/e/er.aspx?s=927&lid=1887&elq=59870a1c4b4d4eada6d5b489a6f44887">Register Now.</A><BR><BR>Sincerely,<BR><BR>George Kurtz<BR><BR>WW Chief Technology Officer & Executive Vice President <BR>http://www.twitter.com/george_kurtzCTO<BR><BR>McAfee, Inc.</P>
<img src='http://app.en25.com/e/FooterImages/FooterImage1.aspx?elq=59870a1c4b4d4eada6d5b489a6f44887&siteid=927' border=0 width=1px height=1px></BODY></HTML>
<P><FONT size=1>To manage your email preferences, please go </FONT><A href="http://now.eloqua.com/sl.asp?"><FONT size=1>here</FONT></A><FONT size=1>.<BR><BR>McAfee, Inc.| 3965 Freedom Circle | Santa Clara, CA | 95054 | 888.847.8766 | </FONT><A href="http://www.mcafee.com"><FONT size=1>www.mcafee.com</FONT></A><FONT size=1> <BR><BR>McAfee and/or additional marks herein are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. © 2010 McAfee, Inc. All rights reserved.</FONT></P>
The link in the email that claims to be McAfee actually goes to eloqua.com, then redirects to McAfee.
Is this a legitimate email, or is this an attempt to actually launch an Aurora attack by claiming to spread knowledge about Aurora?
McAfee should not ever, I think, include a redirect in an email link.
Anyone know what is up?

Message was edited by: April Jacobs to remove email identity information from customer provided URL on 1/20/10 9:03:34 AM CST
This is a legitimate email. I believe Eloqua is the service McAfee uses to send communications to some of our customers.
I will make sure your feedback is routed appropriately. Thanks!

Message was edited by: April Jacobs on 1/20/10 8:57:28 AM CST
Hello, Johnment -- I can fill you in.
As do many corporations, McAfee has a hosting relationship (for several years) with Eloqua for email distribution and newsletter subscription management. With our own IT resources focused on our business, it makes sense to go with an expert in this area. Prior to our agreement, McAfee put Eloqua through a meticulous security screening and risk & compliance process.
The Eloqua system attaches click-open tracker code to URLs automatically for metric purposes. The information is private -- by McAfee and for McAfee alone. While these trackers have been ignored by our customers when the topic is a conference such as FOCUS '09, during a threat incident like "Operation Aurora" customers have a heightened sensitivity to emails and any link that is unfamiliar, with good reason.
McAfee is aware of these concerns; customer feedback has been passed on to our internal Eloqua management team to review our in-email linking guidelines, and to work with Eloqua to adjust the system. And, as the manager for the new customer Support Notification Service (SNS) that recently was launched and utilizes Eloqua, you can be sure that I am checking and adjusting the SNS system for concerns such as yours.
Thanks very much for the chance to respond ~
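
The check the original poster did by hand, as an added example that is not part of the thread or any McAfee or Eloqua code: it lists links whose target host belongs to a different site than the claimed sender, plus 1x1 images served from third-party hosts. The sample HTML is constructed from the pattern of the email above with `TOKEN` as a placeholder, and `site()` is a crude two-label heuristic (an assumption, not a public-suffix lookup). As this thread shows, a finding means "verify with the sender", not proof of phishing.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def site(host):
    """Crude registrable domain: last two labels (assumption, no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class LinkAudit(HTMLParser):
    def __init__(self, claimed_site):
        super().__init__()
        self.claimed = claimed_site      # site the mail claims to come from
        self.findings = []               # (kind, target host, visible link text)
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img":
            # A 0/1-pixel image from another site is an open tracker.
            dims = {(a.get(k) or "").rstrip("px") for k in ("width", "height")}
            host = urlsplit(a.get("src") or "").hostname or ""
            if dims <= {"0", "1"} and site(host) != self.claimed:
                self.findings.append(("tracking-pixel", host, ""))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            host = urlsplit(self._href).hostname or ""
            if site(host) != self.claimed:
                text = "".join(self._text).strip()
                self.findings.append(("third-party-link", host, text))
            self._href = None

def audit(html, claimed_site):
    parser = LinkAudit(claimed_site)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample modelled on the email quoted above (TOKEN is a placeholder).
SAMPLE = """<P>Latest information at
<A href="http://now.eloqua.com/e/er.aspx?s=927&lid=1924&elq=TOKEN">www.mcafee.com/...</A>
<A href="http://www.mcafee.com">www.mcafee.com</A></P>
<img src='http://app.en25.com/e/FooterImages/FooterImage1.aspx?elq=TOKEN&siteid=927' border=0 width=1px height=1px>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "mcafee.com"):
        print(finding)
```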