Ok, now I’m in trouble. It seems that about the time of my post about eVil eCards and eVites, our sales department was just about to use an eVite. Actually, for their intended purpose an eVite may well be the right tool for the job. How’s that, you ask? The answer is context and clear communication.
The function that sales will use eVites for is not going to be news to the recipients. That is to say, when they receive an eVite to attend a well-described meeting that they are expecting an invitation to, the possibility of it being a malicious attack is virtually nil.
If I tell you that I’m going to be inviting you and a group of your colleagues to a conference on computer security in San Diego in July… that is pretty specific. When you receive an eVite that specifies when and where a function you expect to be invited to will take place, you don’t really have to worry about the authenticity.
Contrast this with the fake eCards going around. It doesn’t matter if it is your birthday today. If I spam out 300,000 fake eCard emails, there will be a lot of people who get them on their birthday. A title like “You have received an eCard from a friend” may seem to fit the context since it is your birthday, but the fact that it doesn’t say exactly who it is from makes it very, very suspicious. Even if it said who it is from, but not what for (birthday), that isn’t enough. You need to know who the eCard or eVite is coming from. You need to know what it is for, and you need to know that it makes sense. So if a good friend sends you an eCard for your birthday, but it isn’t actually anywhere near your birthday, I recommend you contact your friend before you open the eCard and validate that they really did send it.
So, go ahead sales, you can send an eVite for an event that is specifically described in the title and that the appropriate people are expecting to be invited to. There’s always an exception to prove the rule. This is a sane use of an eVite.
I still prefer to stay away from things with such a high potential for social engineering abuse, but it doesn’t make all uses of the technology bad.
Director of Technical Education
Author ESET Research, ESET