It looked like a Citrix ShareFile phishing attack, but wasn’t

If you're a company contacting your customers via email, please make sure it doesn't look phishy.

Guest contributor Bob Covello isn’t happy about a password reset email that Citrix has been sending its customers.

Over the last few days, many people received an email from Citrix Systems, requesting them to change their passwords. Many wondered if this was the result of a breach. I wondered what they were thinking when they sent these messages.

Here is a screenshot of the email Citrix ShareFile users received:

[Image: screenshot of the ShareFile email; its text is reproduced below]

There has been a constant increase in internet-account credential (usernames and passwords) theft. Those same credentials are often used to access other accounts. In response to this, we are requiring a password reset and will be incorporating a regularly-scheduled, forced password reset into our normal operating procedures. Users will need to reset their passwords when logging into ShareFile. We believe this is an important step to continue to help our customers use our solutions securely.

To reset your password, please click here.

For help about how to reset your password, please click here.

Most people who contacted me wanted to know if this was a phishing scam. My immediate response was “of course it is!” Everything about this message violates everything we teach about security:

  • The message arrived unsolicited;
  • The message is very generic;
  • The message contains links.

The only thing missing from the message is an urgent warning and a threat. In the land of notifications, Citrix certainly got it wrong.

To get it right, all that Citrix needed to do was to stop after the sentence that reads “Users will need to reset their passwords when logging into ShareFile.” This would force a person to go to the Citrix ShareFile site on their own to reset the password.
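The three traits listed above (unsolicited, generic, contains links) can be turned into a simple triage check that a help desk or mail gateway could run over a suspicious message. The following is an added example, not code from the article or from Citrix: it parses a raw email with Python's standard `email` package and reports which of those traits it finds. Both sample messages are constructed for this example; the first paraphrases the notice quoted in the article with placeholder link targets (`example.invalid`), the second is the same notice cut off after the "logging into ShareFile" sentence, as the article recommends. "Unsolicited" cannot be read from the message body, so it is approximated by an allow-list of senders the recipient expects mail from.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed sample messages (not the real Citrix email). The first follows the
# wording quoted in the article with placeholder link targets; the second is the
# same notice truncated after the sentence the article says should have ended it.
FLAGGED_NOTICE = """\
From: ShareFile Support <support@example.invalid>
To: user@example.invalid
Subject: ShareFile password reset

There has been a constant increase in internet-account credential theft.
In response to this, we are requiring a password reset.
Users will need to reset their passwords when logging into ShareFile.

To reset your password, please click here: https://example.invalid/reset
For help about how to reset your password, please click here: https://example.invalid/help
"""

FIXED_NOTICE = """\
From: ShareFile Support <support@example.invalid>
To: user@example.invalid
Subject: ShareFile password reset

There has been a constant increase in internet-account credential theft.
In response to this, we are requiring a password reset.
Users will need to reset their passwords when logging into ShareFile.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
CALL_TO_ACTION_RE = re.compile(r"\bclick here\b", re.IGNORECASE)
# A personalised greeting at the start of a line, e.g. "Dear Alice," or "Hi Bob".
GREETING_RE = re.compile(r"^(dear|hi|hello)\b\s+\S+", re.IGNORECASE | re.MULTILINE)


def body_text(msg: Message) -> str:
    """Return the text/plain body of a parsed message as a str."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phish_indicators(raw: str, expected_senders=()) -> list[str]:
    """Check a raw RFC 5322 message for the traits the article lists.

    'Unsolicited' is approximated with an allow-list of expected sender
    addresses, since the message alone cannot tell us whether it was asked for.
    """
    msg = message_from_string(raw)
    body = body_text(msg)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    found = []
    if sender not in {s.lower() for s in expected_senders}:
        found.append("unsolicited: sender not on the expected-sender list")
    if not GREETING_RE.search(body):
        found.append("generic: no personalised greeting")
    urls = URL_RE.findall(body)
    if urls:
        found.append(f"links: {len(urls)} URL(s) in the body")
    if CALL_TO_ACTION_RE.search(body):
        found.append("call to action: 'click here' wording")
    return found


if __name__ == "__main__":
    for label, notice in (("as sent", FLAGGED_NOTICE), ("truncated", FIXED_NOTICE)):
        print(f"{label}: {phish_indicators(notice)}")
```

Run against the notice as sent, all four indicators fire; the truncated version still reads as generic (and as unsolicited unless the sender is on the allow-list), but it no longer carries links or a "click here" instruction, which is exactly the difference the article asks for: the reader is left to visit the site on their own.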

Citrix posted a blog about the password reset on their site, but it was a bit late.

As always, please do not click on links in unsolicited messages. Visit the site directly to update your information.


4 Responses

  1. Scot Jones

    December 5, 2018 at 3:38 pm

    I use this service in my day to day job, it's been a nightmare. I use their sync application which even with a password reset won't allow the application to log back in. Shambles indeed.

  2. brad foster

    December 7, 2018 at 6:23 am

    It does look phishy but does it really matter. Either users think it’s a phish and reset via the website anyway or they use the link and it works fine. No danger either way?

    Or is it a problem because it could condition users to expect and trust emails like this when really we should teach that all emails like this are phishes?

    • Bob Covello in reply to brad foster.

      December 7, 2018 at 11:38 am

      Brad:
      Yes, all messages that exhibit the characteristics of the Citrix message must be treated as a phish. For example, all of the credential theft scams operate using those same methods.
      Thanks.

  3. Lani

    December 10, 2018 at 7:25 am

    I received that email from ShareFile Support and I’ve never ever used, installed or even heard of Citrix ShareFile before. How would they have gotten my email address to send this message to when I’m not a registered user?
