Naked Security

Chipotle’s human resources emails made job applicants phishing bait

Chipotle, the giant Mexican fast food restaurant chain, was sending emails to new job applicants from a domain – chipotlehr.com – it didn't own. What could go wrong?

Applying for jobs can be painful, but at least your interactions with “human resources” don’t put you at risk of anything worse than dashed hopes.

Actually, that’s not the case for those applying for a role at Chipotle. Until recently, the giant Mexican fast food restaurant chain was putting its job applicants at risk of identity theft and phishing attacks.

That’s because Chipotle was sending emails to new job applicants from an email address using a domain – chipotlehr.com – it didn’t own.

The domain wasn’t owned by anyone, in fact, until an unemployed IT worker applied for a job at Chipotle and found out the chipotlehr.com domain wasn’t registered, and bought it for $30.

The IT worker, Michael Kohlman, tipped off security blogger Brian Krebs, who went to work and did what he does so well – exposing just how badly a major company has bungled security.

Once Kohlman owned the domain, he started receiving all emails people sent to chipotle@chipotlehr.com, which could have been disastrous if a cybercrook had got to the domain first.

If he’d wanted to, Kohlman could have stolen personal information from those job applicants such as their names, email addresses, phone numbers, and so on.

Or he could have used the chipotle@chipotlehr.com email to go phishing for more information from the applicants, perhaps by asking them for Social Security numbers or bank information for supposed “background checks.”

There are many ways the domain could have been abused in the wrong hands, as Kohlman told Krebs:

In a nutshell, everything that goes in email to this HR system could be grabbed, so the potential for someone to abuse this is huge.

This wasn’t a goof where Chipotle forgot to renew the domain registration – a screw-up that even big companies like Google and Microsoft aren’t immune to.

Chipotle had never owned the domain – it was just using the email address for emails that it told job applicants not to reply to.

But many people did reply to those emails, or emailed an address on the chipotlehr.com domain in hopes of finding someone at Chipotle HR.

Kohlman said he discovered the unregistered domain when he replied to the email he received after submitting an application and got an error message.

Kohlman went to Chipotle and offered to give them the chipotlehr.com domain for free, but they expressed no interest.

Now the website shows only a black screen with the message:

This is NOT the Chipotle Human Resources Page

chipotlehr.com

Perhaps most concerning is the fact that Chipotle still doesn’t see how sending emails from an unregistered domain was a security no-no.

In an emailed statement, Chipotle told Krebs that the chipotlehr.com domain was “never functional,” and therefore there has “never been a security risk of any kind associated with this,” and it is “really a non-issue.”

Charitably, Kohlman said he wanted to help Chipotle and others “learn from their mistakes,” rather than causing Chipotle any “real damage.”

They didn’t get the message.

Maybe Chipotle – a $3.5 billion company that says it’s “on a mission to change the way people think about and eat fast food” – should start by hiring someone to think about security for a change.

Image of Mexican food courtesy of Shutterstock.

12 Comments

Not really much of a story, except you gave instructions on how to get personal info from careless people.

Instructions really aren’t needed to get personal info from careless people. A phone call claiming to be from somebody’s bank, and a friendly demeanour, can be all you need for people to start telling you their personal details – this isn’t telling you how to get someone’s personal info, it’s pointing out the huge failure in security by Chipotle in protecting their applicants.

They’re *lucky* that it was only a researcher who registered their domain and set up a mailbox for the email address that they were purporting to be sending from. Anybody could have noticed and registered the domain; someone who replied to an email and received an error back when their outgoing server couldn’t find the domain, for example, except that they could have pretended to be their HR department and start requesting sensitive personal information – as an HR department may very well do.

Or they could just damage Chipotle’s reputation by hurling abuse at customers, or be a bit more subtle, and start asking them questions that would land Chipotle in deep trouble, like asking an applicant’s age, race, sexual orientation, etc.

They could also have set up SPF records for the domain, which could have resulted in their HR department’s outgoing mail being blocked on a number of services, as they would assume that the email was spoofed.

The fact remains that Chipotle REALLY dropped the ball here. You don’t send mail from a domain that you don’t have control over, because otherwise you risk somebody else taking that control instead. They should be absolutely ashamed for their response, too.

I know of an email service that interrupts to try to get permission to download malware while looking at the email – the service does not take it seriously.

Pardon my ignorance, but how could they use the email address without owning the domain?

They were using the email address and they weren’t, if you get my drift.

In other words, for automatic email responses to which the company wasn’t planning on processing replies, they just put this domain name in the autoemails and, it seems, sort of forgot about it.

One problem with setting up an autoresponder where you plan to receive-but-blindly-discard any replies…

…is that if you don’t actually get any replies, the system will seem to be working. But in this case, the replies were going into the ether, until someone registered the domain and started collecting the “backscatter” off-site.

Moral of the story: *never* use made-up domain names during testing. They have a habit of sticking around, and often cause trouble when the test system merges with the real world. If you need fake domain names for testing or documentation, use the ones reserved for the purpose in RFC6716. There are plenty to go around: *.example.com, *.example.net, *.example.org, *.example, *.test, *.invalid and more. (Same with made-up IP numbers. Use the ones reserved for documentation, not ones that might belong to a real person!)
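The rule in the comment above (only names and addresses reserved for documentation in test material) as a small lint, added here and not code from the original post or from anyone mentioned in it. The reserved names are those of RFC 2606 and RFC 6761, the IPv4 blocks those of RFC 5737; the sample template text is constructed and `your-company.com` is a placeholder for a domain the operator really controls.

```python
import re
import ipaddress

# Names reserved for documentation and testing (RFC 2606 / RFC 6761).
RESERVED_DOMAINS = {"example.com", "example.net", "example.org"}
RESERVED_TLDS = {"example", "test", "invalid", "localhost"}
# IPv4 blocks reserved for documentation (RFC 5737).
DOC_NETWORKS = [ipaddress.ip_network(n)
                for n in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def domain_is_acceptable(domain, owned=()):
    """True if the domain is one we actually control or one reserved for examples."""
    d = domain.lower().rstrip(".")
    if any(d == o or d.endswith("." + o) for o in owned):
        return True
    if any(d == r or d.endswith("." + r) for r in RESERVED_DOMAINS):
        return True
    return d.rsplit(".", 1)[-1] in RESERVED_TLDS


def ip_is_documentation(ip):
    """True if the IPv4 literal lies in an RFC 5737 documentation block."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:                # e.g. 999.1.1.1 matched the regex
        return False
    return any(addr in net for net in DOC_NETWORKS)


def lint_template(text, owned=()):
    """Return sorted (kind, value) findings for addresses a test template must not use."""
    findings = []
    for dom in set(EMAIL_RE.findall(text)):
        if not domain_is_acceptable(dom, owned):
            findings.append(("domain", dom))
    for ip in set(IPV4_RE.findall(text)):
        if not ip_is_documentation(ip):
            findings.append(("ip", ip))
    return sorted(findings)


# Constructed template text modelled on the notice described in the article.
SAMPLE = """From: Chipotle HR <noreply@chipotlehr.com>
Do not reply to this message. Test relay 172.16.5.9, documentation host 192.0.2.7."""

if __name__ == "__main__":
    print(lint_template(SAMPLE, owned=("your-company.com",)))  # placeholder owned domain
```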

So if I’m understanding this correctly, the emails did not actually originate from the chipotlehr.com domain, but from some other domain owned (one would hope!) by Chipotle.

Thanks for the enlightenment!

@Steve: You can attempt to send mail from any email address, if you can find or set up a mail server willing to do it.

There are ways to protect against it; if you’re running an outgoing mail server, you can require authentication to send mail (best), or restrict it to only allow mail to be sent from particular domains (less best, a bit antiquated these days). People running “open” mail relays that allow any sender and no authentication will generally find them abused eventually, and end up on mail blacklists as a result.

If you own a domain, you can also set up SPF (Sender Policy Framework) DNS records, which well-configured receiving servers will check in order to check that mail they receive was sent from an approved outgoing server for the sender’s domain. It’s no guarantee, as it relies on the receiver’s mail server actually checking the record, but it’s better than nothing.
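A worked illustration of the SPF check described in the comment above, added here and not code from the original post: a receiver-side evaluator for the ip4, ip6, include and all mechanisms run over constructed TXT records (the domains and records are examples, not real zone data). A domain with no record at all evaluates to none, which is the position any sender domain that nobody owns is in.

```python
import ipaddress

# Constructed TXT records standing in for real DNS lookups; not real zone data.
DNS_TXT = {
    "hr.example.com": "v=spf1 ip4:192.0.2.0/24 include:relay.example.net -all",
    "relay.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_terms(domain, dns):
    """Return the mechanism list of a domain's SPF record, or None if it has none."""
    record = dns.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    return record.split()[1:]


def check_spf(domain, sender_ip, dns=DNS_TXT, depth=0):
    """Evaluate ip4/ip6/include/all mechanisms (a subset of RFC 7208).

    Returns pass, fail, softfail, neutral, none or permerror. 'none' is what a
    receiver gets for a domain with no record at all, such as a made-up or
    unregistered sender domain: nothing vouches for who may send as it.
    """
    if depth > 10:                    # RFC 7208 limits include/redirect nesting
        return "permerror"
    terms = spf_terms(domain, dns)
    if terms is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms:
        qualifier = "+"               # an unqualified mechanism means '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # a network of the other address family never contains ip
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            # include matches only if the referenced domain evaluates to pass
            matched = check_spf(arg, sender_ip, dns, depth + 1) == "pass"
        else:
            continue                  # a/mx/ptr/exists are not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                  # nothing matched and no 'all' present
```

Run `check_spf("hr.example.com", ip)` for a few sending addresses: one in the listed range passes, one reachable only through the include passes, and anything else hits `-all` and fails.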

Chipotle is a registered trademark and since the website isn’t a legitimate “gripe site”, I would deem this cybersquatting. Although it is not clear that this person is “profiting” off of the mark, he is using the domain name in bad faith (“potentially”) collecting / reading information not intended for him. Plus add in the fact that he admittedly registered the domain name and why. C&D, UDRP, Federal Lawsuit are a couple things Chipotle can exercise if they see fit IMO.

@Jamie Zoch: This doesn’t change the fact that they made a huge mistake by not registering it originally though, nor does it change their lackadaisical response to him actually reporting the issue to them.

@Jamie Zoch: He offered to give Chipotle the domain name for FREE, and their response was basically “No, thanks. We don’t want that domain, and we don’t see why we would need it.”

Here are the relevant excerpts from the article:
“Kohlman went to Chipotle and offered to give them the chipotlehr.com domain for free, but they expressed no interest.”

“Perhaps most concerning is the fact that Chipotle still doesn’t see how sending emails from an unregistered domain was a security no-no.

In an emailed statement, Chipotle told Krebs that the chipotlehr.com domain was ‘never functional,’ and therefore there has ‘never been a security risk of any kind associated with this,’ and it is ‘really a non-issue.'”
