
Suspicious sign-in – online citizenship application / Connexion suspecte – demande de citoyenneté en ligne

trumprefugee

I started a citizenship application online a few days back and just logged in to review some items. Not long after, I received an email from IRCC.DoNotReplyCIT-CITNePasRepondre.IRCC@cic.gc.ca regarding a suspicious sign-in to my citizenship application. Has anyone else ever gotten an email like this? I am a bit suspicious because when viewing the headers, the message ID says @email.amazonses.com at the end. And Gmail also flagged it as suspicious. However, the initial email I had received confirming the creation of my account has message ID @CA-central-1.amazonses.com

A web search for amazonses.com gives http://amazonses.com Simple Email Service (Amazon SES) - Amazon AWS so maybe IRCC is using Amazon's Simple Email Service for its online citizenship app?

This is the body text of the message:



Le français suit.
This is an automated message. Do not reply to this email.
Hello,
We noticed a suspicious sign-in to your online citizenship application with this information:
  • Time: Thursday, June 10, 2021 05:12 AM UTC
  • Device: Chrome 91, Windows 10
  • Location: Ottawa, Canada


If this was not you, tell us here and change your password.

If this was you, tell us here.

Thank you,

Immigration, Citizenship and Refugees Canada


Il s’agit d’un message automatisé. Ne répondez pas à ce courriel.

Bonjour,
Nous avons remarqué une connexion suspecte à votre Demande de citoyenneté en ligne. Voici les détails liés à cette connexion :
  • Heure: Thursday, June 10, 2021 05:12 AM UTC
  • Appareil: Chrome 91, Windows 10
  • Lieu: Ottawa, Canada


Si vous n’avez pas effectué cette connexion, veuillez nous en informer et changer votre mot de passe.

Si vous avez effectué cette connexion, veuillez nous en informer ici.

Merci,

Immigration, Réfugiés et Citoyenneté Canada
 

armoured

Almost certainly a phishing email trying to get your login details.

The thing to look at is the links that are supposed to be used to check in and inform them:
"https://cic.auth.ca-central-1.amazoncognito.com/eventFeedback ...."

I removed the stuff after the ellipses - but you can see that the domain (bolded) is NOT a government of Canada site, but something called incognito. It is VERY UNLIKELY that IRCC would use such an address for the link provided (and not their own, in-house).

Or as a general rule: NEVER click on links in emails unless 100% sure. At minimum, check where the link goes - if it goes to some other site than the original provider, DANGER.
 

nvteja

I got the same email twice or three times when I log in to the application from a new browser or while I am logged in to my company’s VPN. Yesterday I got this email as soon as I logged into the online application while I was on my company’s VPN - which routes my internet traffic through San Francisco. IRCC might be using Amazon Web Services to send automated emails for this application - which is not unusual these days. I think it’s legit.

Gmail thinks every email from IRCC is a spam - even the application submission confirmation email is flagged as spam. Don’t worry it’s a legit email.
 
Reactions: armoured

armoured

Okay, it's possible it's legit - I can't say for sure. (If so, it's an embarrassingly bad internet security approach from IRCC to use a different domain for the login they link to.)

Anyway, the simple approach for anyone in doubt is to log in directly to the IRCC account, NOT by following the link but by directly typing the IRCC account domains that end in gc.ca.
 
Reactions: BOYX and nvteja

rajkamalmohanram

There is a good chance that this is legit. If IRCC is hosting their applications on AWS Cloud, they would be using the tools that are available at their disposal. It is possible that they are using SES for email communications.

IRCC.DoNotReplyCIT-CITNePasRepondre.IRCC@cic.gc.ca => The domain here looks legit. IRCC email addresses are ridiculously long and that might be one of the reasons why your mail provider mistook it for spam (because email addresses such as this don't "look" legit).

I mean, look at some other email addresses of IRCC:

IRCC.COVID-TravelExemptions-Exemptionsdevoyage-COVID.IRCC@cic.gc.ca
IRCC.ClientPortal-PortailClient.IRCC@cic.gc.ca
IRCC.CECSCDoNotReply-NePasRepondreCSCEC.IRCC@cic.gc.ca
IRCC.CPCSClientNotification-NotificationduclientCTSD.IRCC@cic.gc.ca
IRCC.2021-IMC-EA-34795PM-03-2021-IMC-EA-34795PM-03.IRCC@cic.gc.ca

All of these look very sketchy but they are all legit email addresses of IRCC. I am not sure why IRCC has decided to use very long email addresses such as these.
 

engray

This is a legit email. They are using AWS Cognito service which offers suspicious logins detection. They are also using AWS SES to send emails.
Every time you log in with a new computer or phone, or use a new network, it will send you this email. I would advise you click "If this was you, tell us here."

Also, remove the links from your post :)
 
Dec 4, 2020
310
212
Second that. That email is 100% legit.
This was already discussed in the thread when online citizenship was introduced in December of 2020.
 
Reactions: rajkamalmohanram

armoured

> There is a good chance that this is legit. If IRCC is hosting their applications on AWS Cloud, they would be using the tools that are available at their disposal. It is possible that they are using SES for email communications.
>
> IRCC.DoNotReplyCIT-CITNePasRepondre.IRCC@cic.gc.ca => The domain here looks legit.

Email from addresses are easy to spoof - dead simple. That is not at all a good indicator.

My point was that the links to click through to that are provided do not go to gc.ca - and THAT (in my opinion) is very bad practice, even if this is some outside provider like AWS.

Both the government of Canada and AWS should be capable of providing a gc.ca domain/page address that then uses AWS backend without exposing the third-party address. How is a user supposed to know that amazonincognito.com (or whatever) is real and not some scam?

That said I'm not questioning more experienced that this particular one seems to be legit, but it's better practice for users to NOT click on such links even if they kind of look legitimate.
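
The two checks debated in this thread, as an added example that is not part of any poster's message: it reads whether the receiving server recorded a DMARC pass for the From domain, and lists link hosts that fall outside a trusted suffix. The sample message, its Authentication-Results values, both URLs' paths and the gc.ca-only trust list are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample, not the real message from the thread. The
# Authentication-Results values and both URLs are invented for illustration.
SAMPLE = """\
From: IRCC <IRCC.DoNotReplyCIT-CITNePasRepondre.IRCC@cic.gc.ca>
Message-ID: <0100constructed@email.amazonses.com>
Authentication-Results: mx.receiver.example;
 dkim=pass header.d=cic.gc.ca; dmarc=pass header.from=cic.gc.ca
Subject: Suspicious sign-in

If this was you, tell us here:
https://cic.auth.ca-central-1.amazoncognito.com/eventFeedback?event_id=constructed
Or sign in directly: https://portal.example.gc.ca/signin
"""

def host_in(host, suffixes):
    """True if host equals a trusted suffix or is a subdomain of it.
    A label-boundary match, so cic.gc.ca.evil.example does not pass."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def assess(raw, trusted=("gc.ca",)):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    # Only trust Authentication-Results stamped by your own receiving server.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    m = re.search(r"\bdmarc=pass\b[^;]*\bheader\.from=([\w.-]+)", auth)
    urls = re.findall(r"https?://[^\s\"'<>]+", msg.get_payload())
    hosts = sorted({urlsplit(u).hostname or "" for u in urls})
    return {
        "from_domain": from_domain,
        # The From header alone proves nothing; a DMARC pass for that same
        # domain is what ties the visible sender to the domain owner.
        "from_verified": bool(m) and m.group(1).lower() == from_domain,
        # Names the sending infrastructure only; not an authenticity signal.
        "message_id_domain": msg["Message-ID"].strip("<> ").rpartition("@")[2],
        "offsite_links": [h for h in hosts if not host_in(h, trusted)],
    }

if __name__ == "__main__":
    for key, value in assess(SAMPLE).items():
        print(f"{key}: {value}")
```

An off-site link host is not proof of phishing; it is the cue to sign in by typing the known address instead of following the link.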
 

rajkamalmohanram

EDITED:

But is there really a way to mask the third party link like that? (Changed some information below to not repost the original link).

"https://cic.auth.ca-central-1.amazoncognito.com/eventFeedback?event_id=5dc27e1f-b64d-45e3-9b6b-ee62384c8fe1&user_name=8415601b-502a-4c04-b788-4572206076d7&feedback_token=IHuJlociXovr9UU-UFnc5a9c_jjZU42TC8qCv6ftOiGuMT-ho633ac-tF735ixNfitEROArn34gJckopkk3TlFTzF5KAH4Hl09Tm8VuPW5qr776UmNCQQ6C046csiuaF81aVQOGzqGsUPTPYP1gyGNDsZy2neU3yIgGF7ePafq-O19LFbtUaW9-P-xHB8CPG7tA6AJ0XdfQAhqJFNG9iZETI4roPpCyf99D5MHR5iLHy7Z3oaAeEZ1oCvWa045gDwkw&feedback_value=VmFsaWQ
I'm not sure if there is a way to do that. I mean, IRCC can only control the email address from where the request is sent out. If the service being used is Amazon Cognito and it runs on their servers, how is IRCC expected to mask the host/endpoint details of the third-party?

I mean, I can see that the first part of the URL denotes that it is from IRCC: cic.auth.ca-central-1. However, the second part, amazoncognito.com, is the name of the AWS service being used. I don't think it is possible to mask/change that, but I could be wrong.

Had a very quick look at the Amazon Cognito Developer Guide and the sample requests there show the same thing.

Another example of where something like this is implemented is where businesses send you an email and you see the "Chat now"/"Live Chat" option. If you inspect the URL for the "Chat now" option, it would be of a third-party (something like Podium, LiveChat, Live Agent etc). There is no way to change these URLs as they are implemented by the third parties.
 
Reactions: armoured

engray

> Email from addresses are easy to spoof - dead simple. That is not at all a good indicator.
>
> My point was that the links to click through to that are provided do not go to gc.ca - and THAT (in my opinion) is very bad practice, even if this is some outside provider like AWS.
>
> Both the government of Canada and AWS should be capable of providing a gc.ca domain/page address that then uses AWS backend without exposing the third-party address. How is a user supposed to know that amazonincognito.com (or whatever) is real and not some scam?
>
> That said I'm not questioning more experienced that this particular one seems to be legit, but it's better practice for users to NOT click on such links even if they kind of look legitimate.

I totally agree, it is bad practice.
 
Reactions: armoured

armoured

> IRCC email addresses are ridiculously long and that might be one of the reasons why your mail provider mistook it for spam
> ...
> I am not sure why IRCC has decided to use very long email addresses such as these.

I had to laugh at this.

Part of why they are so stupidly long is the perceived need to use English and French within each address (and often domains).

Years ago I was talking to somebody at I think DFAIT now Global Affairs, person was something to do with computers (although not technical side). The email domain was dfait-maeci.gc.ca if I remember correctly.

I pointed out this was quite dense and unnecessary (not convenient for foreigners BTW and prone to mistakes) and was told it was policy because "English and French required."

I told him "you know it's possible to have two or even more domains, like an alias, for a single account, right? It could be dfait in English and maeci in French?" (eg on the business cards, just for convenience - the return address could be the double dfait-maeci if that was required).

The reaction was a long blink-pause-blink-pause-blink. Some answer followed that made no sense. He had no idea what I was talking about.

Anyway at least now they use international.gc.ca

(And yes, there are still lots of oddities that pop up in government because of the need to have both languages even where possible to split and no-one would actually care)
 

trumprefugee

And I got that email again when I logged in again not long ago this afternoon! But glad to hear I'm not the only one.