By FDI Creative Services on 07/06/2018
Category: Krebs on Security

ExxonMobil Bungles Rewards Card Debut

Energy giant ExxonMobil recently sent snail mail letters to its Plenti rewards card members stating that the points program was being replaced with a new one called Exxon Mobil Rewards+. Unfortunately, the letter includes a confusing toll free number and directs customers to a parked page that tries to foist Web browser extensions on visitors.

The mailer (the first page of which is screenshotted below) urges customers to visit exxonmobilrewardsplus[dot]com, to download its mobile app, and to call “1-888-REWARD+” with any questions. It may not be immediately obvious, but that “+” sign is actually the same thing as a zero on the telephone keypad (although I’m ashamed to say I had to look that up online to be sure).

Worse, visiting the company’s new rewards Web site in Google Chrome prompted my browser to run a “security check,” followed by a series of popups offering to install a Chrome extension called “Browsing Safely.”

That extension changes your default search engine to Yahoo and appears to redirect all searches through a domain called lastlog[dot]in, which seems to be affiliated with an Israeli online advertising network. After adding the Browsing Safely extension to Chrome using a virtual machine, my browser was redirected to Exxon.com.

The Google Chrome extension offered when I first visited exxonmobilrewardsplus-dot-com.

Many people on Twitter who expressed confusion about the mailer said they accidentally added an “e” to the end of “exxonmobil” and ended up getting bounced around to spammy-looking sites with ad redirects and dodgy download offers.

ExxonMobil corporate has not yet responded to requests for comment. But after about 10 minutes on hold listening to the same Muzak-like song, I was able to reach a customer service person at the confusing ExxonMobil Rewards+ phone number. That person said the Web site for the rewards program wasn’t going to be active until July 11.

“Currently the Web site is not available,” the representative said. “Please don’t try to download anything from it right now. It should be active and available next week.”

It always amazes me when major companies roll out new marketing initiatives without consulting professionals who help mitigate security and privacy issues for a living. It seems likely that happened in this case because anyone who knows a thing or two about security would strongly advise against instructing customers to visit a parked domain or one that isn’t yet fully under the company’s control.

Related Posts