Hikvision Declares 'Never Click On Links In Emails'

By: IPVM Team, Published on Jan 09, 2018

Hikvision is stepping up its cybersecurity efforts with a clear recommendation - to never click on links in emails:

It is a surprising change since Hikvision has relied on links in their 'Special Bulletin' emails in responding to their own numerous cybersecurity vulnerabilities, such as:

And:

***:

** **** ** *********** to *** *** ********* communicates **** ****** *** that **** **** ******** links *** *********** ** ****** to ** ********.

Tradeoff ******* *** ********

** ******** ** *********'* previous ********, ***** ** emails *** *********** **********. ***** is * **** ** share *********** ****** **** can ** ***** ** copied *** ****** **** an *****. ***** ***** people *** ************* ** concisely ***** **** ***********.

The ****

*** **** ** ******** links ** ****** ** that *** **** *** not ** **** ** purports ** **. *** example, **** ** * link **** ******* ** be ** * **** to ****** ******** *** what **** ** ****** you *******, ** ** unsubscribe:

*******, *** **** ******** goes ** * ***** site ********** ** **** a **** ****, **** the ****** **** ***** to **** **** * TMZ ********* ****** ****:

** ********, *** **** contains **** **** **** the ****** ***** *** clicked **, ***** ***** verify **** *** ***** address *** ***** (*** potentially **** *** ********* does *** ******** *********** in ******** ******* *****):

Some ******** ***** ** ******* **** *****

**** ***** ******* **** options ** ****** ******* headers ** *** ********** data ** *** ******, or *****-** *******. ***** this ** *** * perfect ********* **** *** message ** **********, ********** emails ***** **** *****-** addresses **** **** ****** invalid (*** ** *********, or *** ** **** to **** ** ******* a ***** ****** ******** to *** ******). ** the ***** ******* ***** we *** *** **** this ***** ** ***** has ********** *********** *** Hikvision ** *** ****: and *****-**: ******. 

****** ******** * **** in ** *****, ***** over ** ** ****** the **** **** ** the ****. **** **** you *** ***** ********* if ** **** ** * domain *** ***** ******, such ** *** ******* below **** * ******* Alpha *****:

*********, **** **** ***** very ********** *** ******** to ** ********** **** "Canada ***** ******":

****, ****** **** ****** clicking ***** ** ******, copy ****, *** **** open **** ** * "private" ******* ****** ** tab (*.*.: ********* **** in ******, ******* **** in ******). **** **** prevent ** ******** *** ability *** ********** ***** to *** ****** ** other ******* ****, ** to *** ********** *******.

Vote / ****

 

Comments (24)

I check the sender address before I click on links. Just because it says "PayPal" in the email header doesn't mean it's from PayPal. When you see the full email address you can tell pretty quickly if the email links are safe or not. I also don't click on links from automated emails or mass emails, not because I'm afraid of spam; I just don't want to get on a retargeting list.

Additionally, you can check the email headers (in Outlook) by opening up the email in a new window and clicking the little arrow in the bottom right of Tags.

This will provide you with a lot more information on where the email has come from.

If a legit looking email comes in (from your bank or whatnot) then looking at the headers will quickly tell you if the email is bogus or not.

Uh, I clicked on a link in an email to get to this story...is that bad?

No, but we have noticed some recent suspicious activity on your account, so we need you to verify just the last 9 digits of your SS#:__________  ;)

 

Your survey is missing an option, "It depends". Links provide vital references where it is applicable. It's true you should not click on links you do not feel certain about. It does not mean you cannot click on a link. Just be wary of seeing the URL before you click to assess whether it is going to the place you think it is going to. Just to add: Hikvision's list of do's/don'ts seems correct; I expect they have some sort of detailed training behind each and every point that articulates what that means.

I agree with you, generally, that clicking on links in emails depends on conditions / analysis of the email itself.

However, Hikvision's quote/statement is "Never click on links in emails". It would be logically contradictory to reply to a 'never' statement with 'it depends' because never is an absolute, i.e., not ever.

Bigger picture, Hikvision would do better answering real, direct, harder questions about their own cybersecurity, e.g., Dear Hikvision's Chuck Davis, What Is The ONVIF Security Problem?

It is unfortunate that Chuck Davis is showing more concern about generic cybersecurity practices (with blog posts over and over and over again) but little about Hikvision's own cybersecurity.

Blanket statement.  ya, that makes total sense.  How about just check the link and be smarter about your decisions to click it or not.  They are not that hard to figure out.  If it looks sketchy, don't click it.......easy as that. 

There was a Krebs article where he suggests pretty much what Hikvision is stating here. He warns against clicking on any links in emails, regardless of if you know the sender or not. I was recently sent an email from "PayPal" stating my account had some unauthorized activity, and I needed to verify my identity through a click-through link in the email. In all honesty, it looked 100% legit - even showing the lock symbol for a secured and certified webpage. But I chose to instead go to PayPal's main site through a different browser window, and logged in that way. Needless to say, the email I got was a phishing scam. That was the first time I've come across something that well-made, including an SSL certification. I have no doubt it has fooled many before me, and will continue to fool many more. Hikvision's approach may be a little heavy-handed here, and is probably not necessary for most on this site, but as a general announcement for some of their customers (the default name and password, port-forwarding, etc. crowd) it may be something they should be thinking about.

This just in... Hikvision’s Chuck Davis announces a crackdown on Nigerian 419 Scammers.

An excerpt from Davis’ announcement read, “If you get an email from a Nigerian prince asking you for your banking information, don’t do it, it’s probably a scam.”

Nigerian Prince Adegbite Adewunmi Sijuade could not be reached for comment, but an official from his office stated “I mean, his highness already has enough trouble getting people to respond to his emails in the first place, we really don’t need the Chinese government making matters worse.”

"Never" is a strong word. If you asked for something from a family member and received the requested link, that is different than PayPal requesting you to log in.

Awareness and common sense based on articles like this (and from Chuck Davis) will get you to "close". To get to "never" will make you extremely slow ... like saying if you never want to get hit by a car ... don't go outside.

rbl

How will you reset your password in Dropbox, Facebook, Google, Salesforce.com, or almost any other website/application in the world? 


 

 

Still better than Knightscope


We are getting off topic here a bit ;) Part of the reason our industry is accused of being old and behind the time (not entirely without justification) is that we are often a bit quick to dismiss innovation. Knightscope has had a tough run and I am certainly not ready to rent one; however, I am a cheerleader for any and all attempts to innovate. There are a few others coming on line ... each building off the other. We fell way behind on the IT evolution ... let's not repeat on the robot evolution :)

rbl

Why not right click and copy the link, then paste it into a text editor (notepad, etc) and look at the raw URL? That way, you can tell the difference between:

https://paypal.com.securityhelp.ru

https://www.paypal.com/security 

DON’T CLICK ABOVE!!!! Lol

A very simple trick to be aware of is URL masking, where a seemingly legit link is posted "in the clear" like these (hover over each to see what's hidden):

https://paypal.com/really-a-bad-link

https://paypal.com/pretend-good-link

 

That's why I said right click and "copy address", then paste it in a text editor.

Jon, it is often the case that you are too smart and practical for the discussion.

Well, the hover function doesn't seem to work ... they're both actually good links. My point is that you can make a link look good upon a cursory glance when it's really not.
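The raw-URL check discussed in the comments above, as an added example (not part of the original discussion and not IPVM's code): it pulls every link out of an HTML email body and flags links whose real host differs from the expected site or from the host shown in the visible link text. The function names, the two-label `site()` heuristic and the sample body are assumptions made for illustration; `example.net` stands in for an unrelated host.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def site(url):
    """Approximate registrable domain: the last two host labels. This is a
    simplifying assumption; a real tool should use the Public Suffix List
    (the heuristic is wrong for suffixes such as .co.uk)."""
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

class LinkAudit(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit(html, expected_site):
    """Return (text, href, reasons) per link; empty reasons means no finding."""
    parser = LinkAudit()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        reasons = []
        if site(href) != expected_site:
            reasons.append(f"href goes to {site(href)}, not {expected_site}")
        # Visible text that itself looks like a URL but names another site: masking
        if "." in text and " " not in text and site(text) != site(href):
            reasons.append(f"text shows {site(text)} but href is {site(href)}")
        findings.append((text, href, reasons))
    return findings

# Constructed sample body reusing the URLs quoted in the comments above.
SAMPLE = """
<p><a href="https://www.paypal.com/security">https://www.paypal.com/security</a></p>
<p><a href="https://paypal.com.securityhelp.ru">Verify your account</a></p>
<p><a href="https://example.net/login">https://paypal.com/pretend-good-link</a></p>
"""

if __name__ == "__main__":
    for text, href, reasons in audit(SAMPLE, "paypal.com"):
        print("SUSPECT" if reasons else "ok", href, reasons)
```

Reading the host from right to left is what separates `paypal.com.securityhelp.ru` (a subdomain of `securityhelp.ru`) from `www.paypal.com`.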

I think they meant to say never to click on links in any of their emails, since they're investing all of their money in damage control rather than fixing the problems with their security. Good advice, but I never click on Hik messages anyway...

It took a security lab to figure this out? 

I don't think this is a "cybersecurity attack". More like trolling for the sick and elderly.  
