Phishing attempt at Outfittery: data leak at the clothing retailer?
The Berlin-based clothing retailer asked customers to update their payment details. However, the link in the email led to a phishing page.
(Image: wk1003mike/Shutterstock.com)
The Berlin-based company Outfittery advertises with an innovative concept: customers receive outfits individually tailored to them instead of individual pieces of clothing. However, since the beginning of December, there have also been phishing attempts. These refer to official Outfittery domains and apparently originate from the company's own systems. A personal investigation.
In the run-up to Christmas, all sorts of newsletters and offers arrive in the digital inbox: a retailer wants to point out its order deadlines before the holidays, an online shop has gift ideas for loved ones, and a third asks for an urgent update of payment details. So far, so normal, but wait: something is odd about the email from Outfittery.
Suspicious email from a legitimate source
The appearance of the message, which landed in my inbox on December 5th at 9:20 AM, is strongly reminiscent of Outfittery's design language: fashionable, coordinated outfits move against a pastel-colored background. In English, and addressed by my first name, I am made aware of a problem with my payment method and asked to update it via a blue-highlighted link. Only then can my membership continue.
Except: what membership? After all, I never really used the service but only put together an outfit once and therefore never stored any payment details. The email was also addressed to the email address linked to my Facebook account – for real customer accounts, I use individual addresses.
Misled by the CRM?
A closer look at the URL behind the blue button, and at every other link in the email as well: each points to http://lnk.stylist.outfittery.com/ls/click?upn=<long string of characters>, so the link itself can be attributed to the company, which operates internationally. That the tracking link is plain HTTP, apparently one of the last unencrypted web addresses in the world, is beside the point here. But when I click, I land somewhere unexpected: first the HTTP URL is redirected to its HTTPS counterpart (I immediately feel much safer), and then on to the cryptic address https://l00ginse1tuponline.net/marketstorep/. Initially, a phishing page sat there (the domain was registered on December 2nd); at present, it shows the blocking page of a hoster called CloudAccess.
Apparently, criminals had at least temporary access to the system with which Outfittery creates tracking links for its marketing emails. They created a link that masks its true destination and gives it an air of legitimacy – and this continues to this day: even on December 18th, almost two weeks after the email, the malicious redirection still works.
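The redirect behaviour described above is exactly what a defender should check before trusting a tracking link: walk the chain hop by hop with redirects disabled, then compare where it ends with where the sender claims to be. The following Python is an added example, not code from the article or from Outfittery; it replaces live HTTP with a constructed response table (the `upn=EXAMPLE` and `upn=BENIGN` tokens are placeholders for the real tracking strings, and the benign chain is invented for comparison), so it runs offline. The `fetch` callable is injected so a real HEAD request with redirects disabled can be swapped in.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed stand-in for live HTTP responses: url -> (status, Location header).
# "upn=EXAMPLE" is a placeholder for the long tracking string in the email.
FAKE_RESPONSES = {
    "http://lnk.stylist.outfittery.com/ls/click?upn=EXAMPLE":
        (302, "https://lnk.stylist.outfittery.com/ls/click?upn=EXAMPLE"),
    "https://lnk.stylist.outfittery.com/ls/click?upn=EXAMPLE":
        (302, "https://l00ginse1tuponline.net/marketstorep/"),
    "https://l00ginse1tuponline.net/marketstorep/": (200, None),
    # An invented benign tracking link for comparison: it ends on the retailer's own site.
    "https://lnk.stylist.outfittery.com/ls/click?upn=BENIGN":
        (302, "/landing"),  # relative Location header, resolved with urljoin below
    "https://lnk.stylist.outfittery.com/landing":
        (302, "https://www.outfittery.com/"),
    "https://www.outfittery.com/": (200, None),
}


def fake_fetch(url):
    """Return (status, location) from the constructed table; never touches the network."""
    return FAKE_RESPONSES.get(url, (404, None))


def follow_redirects(url, fetch, max_hops=10):
    """Collect every hop of a redirect chain. `fetch(url)` must return
    (status, location); a real implementation would issue a HEAD request
    with automatic redirects disabled and read the Location header."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain
        url = urljoin(url, location)  # resolves relative Location headers
        chain.append(url)
    raise RuntimeError("redirect chain exceeded %d hops" % max_hops)


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Adequate for .com/.net, wrong for
    multi-part suffixes such as co.uk; use a public-suffix list in production."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_like_digit_substitution(host):
    """Heuristic: a 0 or 1 wedged between letters in a label, e.g. 'l00gin' for 'login'."""
    return any(re.search(r"[a-z][01]+[a-z]", label)
               for label in (host or "").lower().split("."))


def assess_chain(chain, sender_domain):
    """Return human-readable findings for a redirect chain; empty means nothing suspicious."""
    findings = []
    first, final = urlparse(chain[0]), urlparse(chain[-1])
    if first.scheme == "http":
        findings.append("first hop is plain HTTP: %s" % chain[0])
    if registrable_domain(final.hostname) != registrable_domain(sender_domain):
        findings.append("final destination %s is outside %s" % (final.hostname, sender_domain))
    if looks_like_digit_substitution(final.hostname):
        findings.append("final host %s uses digit-for-letter substitution" % final.hostname)
    return findings


if __name__ == "__main__":
    for start in ("http://lnk.stylist.outfittery.com/ls/click?upn=EXAMPLE",
                  "https://lnk.stylist.outfittery.com/ls/click?upn=BENIGN"):
        chain = follow_redirects(start, fake_fetch)
        print(" -> ".join(chain))
        for finding in assess_chain(chain, "outfittery.com"):
            print("  !", finding)
```

The chain from the article yields three findings (plain-HTTP first hop, off-domain destination, digit substitution in the host name), while the invented benign chain yields none. The domain comparison deliberately uses the registrable domain rather than the full host, because a legitimate tracking subdomain ending on the retailer's main site is normal and should not fire.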
The headers reveal it
And where did the email come from? The long-suffering mail server veteran instinctively reaches for Ctrl-U to open the source view and examine the mail headers. And they show: the mail was sent via a server that is considered a legitimate source of emails from Outfittery. This is proven by the valid DKIM headers. The reverse lookup matches the DNS entry; the IP belongs to the mail service provider Twilio (formerly Sendgrid). Furthermore, the email provides no indication of simple header spoofing tricks, as spammers have been using for decades.
After the analysis, it becomes clear: an email was sent via Outfittery's technical platform, and it contains a link on the company's official domain that redirects to a phishing page. This indicates a security incident. Several readers who reported similar emails to us over the past week also assessed the situation this way. An isolated case therefore seems unlikely, but the source of the incident remains unclear. Was there a breach into the systems of Outfittery or the mail service provider? Could personal data have been exfiltrated?
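The header triage described in the two paragraphs above can be scripted so that every report of this kind is checked the same way: does the From domain align with the DKIM signing domain, which host handed the message in, and which links does the body carry? The Python below is an added example and not code from the article; it runs on a constructed sample message whose addresses, host names, IP (from the 192.0.2.0/24 documentation range) and signature values are placeholders. It checks DKIM alignment only from the header tags; cryptographic verification of the signature needs a DNS lookup of the selector and a library such as dkimpy, which is assumed and not shown.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample modelled on the case described in the article. Every host,
# address, IP and signature value is a placeholder; "upn=EXAMPLE" stands in for
# the long tracking string. The Received line is simplified (no timestamp).
RAW_EMAIL = b"""\
Return-Path: <bounces+EXAMPLE@example-bounce.net>
Received: from mta.example-esp.net (mta.example-esp.net [192.0.2.10])
\tby mx.example-inbox.org with ESMTPS id EXAMPLE
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outfittery.com; s=EXAMPLE;
\th=from:subject:to; bh=EXAMPLEHASH=; b=EXAMPLESIG=
From: Outfittery <noreply@outfittery.com>
To: reader@example-inbox.org
Subject: Please update your payment details
Content-Type: text/html; charset=utf-8

<html><body><a href="http://lnk.stylist.outfittery.com/ls/click?upn=EXAMPLE">Update now</a></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects href attributes of <a> tags from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def parse_dkim_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs (d=, s=, h=, ...)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = val.strip()
    return tags


def triage_headers(raw):
    """Extract the facts a first-pass analyst wants from a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)  # policy.default unfolds headers

    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()

    dkim_domains = [parse_dkim_tags(str(v)).get("d", "").lower()
                    for v in msg.get_all("DKIM-Signature", [])]
    # DMARC-style relaxed alignment: signing domain equals From domain or is a parent of it.
    dkim_aligned = any(d and (d == from_domain or from_domain.endswith("." + d))
                       for d in dkim_domains)

    received_hosts = []
    for v in msg.get_all("Received", []):
        m = re.match(r"from\s+(\S+)", str(v))
        if m:
            received_hosts.append(m.group(1))

    collector = _LinkCollector()
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector.feed(body.get_content())

    return {
        "from_domain": from_domain,
        "return_path": parseaddr(str(msg.get("Return-Path", "")))[1],
        "dkim_domains": dkim_domains,
        "dkim_aligned": dkim_aligned,
        "received_hosts": received_hosts,  # outermost (most recent) hop first
        "links": collector.links,
    }


if __name__ == "__main__":
    for key, value in triage_headers(RAW_EMAIL).items():
        print("%-15s %s" % (key, value))
```

A result of `dkim_aligned == True` together with a handing-in host that belongs to the sender's known mail provider is what the article's analysis found: the message is not spoofed, so the links it carries are the place to look next. The Return-Path domain is reported separately because bulk mailers commonly use their own bounce domain there, which is normal and not by itself a finding.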
Outfittery goes silent
It was time to ask Outfittery. On December 9th, I asked the company the usual questions: What was the reason, what data was compromised, and what countermeasures did Outfittery take? The company did not respond to my inquiry to the support and data protection address. A week later, I followed up and added the presumed address of the data protection officer of the parent company, dpo@outfittery.com, to the distribution list. This address responded to me immediately, with a non-delivery message.
Otherwise, there was silence, although I requested a response by yesterday, December 17th. Outfittery is also hard to reach by phone: at the Berlin phone number listed in the privacy policy, the interested editor only hears an answering machine message stating that telephone support has unfortunately been discontinued. The company recently changed ownership: In March, the CEO of the Spanish company Lookiero announced a merger together with Julia Bösch, the founder of the Berlin company. Bösch and the authorized signatory resigned from the management in August of this year, which has since been in Spanish hands.
Nevertheless, it remains unclear what exactly happened – our readers also report not having received a response to their inquiries to the company. Only an inquiry to the Berlin data protection officer can now shed light on the matter.
(cku)