Wednesday, October 3, 2012

Learning from Spam


Occasionally I like to look at the dark side of the internet. And spam does a great job of bringing plenty of malware-laden websites to my spam folder for me to stroll through. Today I stumbled upon a very nicely crafted email from "YouTube":



What caught my attention was that the sender took the time to craft this naughty email with care. If you look closely, when hovering over the links that I expected to take me to www.exploit-my-accounts-please.com, my email client didn't show a link to something naughty, but rather a hover text showing a legitimate link to YouTube:

It looks strangely legitimate...


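Upon closer inspection it seems that the sender hid the links in a nifty way - by adding a "title" attribute, next to the style property, on the <a> tag that linked to the sender's website. The title text is what the email client shows on hover, while the href is where a click actually goes: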

<a href="http://7boxtoday.com/mentioning.html"style="text-decoration:none; color:#1C62B9;"title="http://www.youtube.com/inbox?folder=messages&feature=em-message_received">inbox</a>.

This is the kind of subtle change that can make it difficult for a common user to detect anomalies in their email. When confronted with suspicious emails I often hover over links to see where they really go and I was surprised to see what looked like a legitimate link show up in the hover text. Very nice job, Mr. Attacker. I learned something new from you today.
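The hover check described above can be automated when triaging HTML mail. The following is an added example, not code from the original post: it flags any <a> tag whose title attribute or visible text is a URL on a different host than its href. The function names and the two extra anchors in the sample are constructed for illustration, and hosts are compared only after dropping a leading "www.".

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def url_host(value):
    """Hostname if value is an http(s) URL or starts with www., else None."""
    value = (value or "").strip()
    if value.lower().startswith("www."):
        value = "http://" + value
    try:
        parts = urlsplit(value)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower()
    # Simplification: only a leading "www." is ignored; no public-suffix logic.
    return host[4:] if host.startswith("www.") else host

class AnchorAudit(HTMLParser):
    """Collect <a> tags whose title or visible text names a different host than href."""
    def __init__(self):
        super().__init__()
        self.findings, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._cur = (a.get("href"), a.get("title"), [])

    def handle_data(self, data):
        if self._cur:
            self._cur[2].append(data)

    def handle_endtag(self, tag):
        if tag != "a" or not self._cur:
            return
        href, title, text = self._cur
        self._cur = None
        target = url_host(href)
        for where, shown in (("title", title), ("text", "".join(text))):
            claimed = url_host(shown)
            if target and claimed and claimed != target:
                self.findings.append((where, claimed, target))

def find_mismatches(html_body):
    """Return (where, claimed_host, real_host) for each deceptive anchor."""
    audit = AnchorAudit()
    audit.feed(html_body)
    audit.close()
    return audit.findings

# The anchor quoted in the post, plus two constructed anchors for comparison.
SAMPLE = ('<a href="http://7boxtoday.com/mentioning.html"style="text-decoration:none; color:#1C62B9;"'
          'title="http://www.youtube.com/inbox?folder=messages&feature=em-message_received">inbox</a>'
          '<a href="http://www.youtube.com/inbox" title="Open your inbox">inbox</a>'
          '<a href="http://sender.example/x">www.youtube.com</a>')
```

A title that is ordinary descriptive text, like the second anchor, produces no finding; only a title or link text that is itself a URL on another host does.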