Occasionally I like to look at the dark side of the internet. And spam does a great job of bringing plenty of malware-laden websites to my spam folder for me to stroll through. Today I stumbled upon a very nicely crafted email from "YouTube":
What caught my attention was that the sender took the time to craft this naughty email with care. If you look closely, when hovering over the links that I expected to take me to www.exploit-my-accounts-please.com, my email client didn't show a link to something naughty, but rather a hover text showing a legitimate link to YouTube:
It looks strangely legitimate...
Upon closer inspection it seems that the sender hid the links in a nifty way - by assigning a "title" attribute to the style property within the <a> tag that linked to the sender's website:
This is the kind of subtle change that can make it difficult for a common user to detect anomalies in their email. When confronted with suspicious emails I often hover over links to see where they really go and I was surprised to see what looked like a legitimate link show up in the hover text. Very nice job, Mr. Attacker. I learned something new from you today.
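For anyone who filters or triages mail, the trick described above can be checked mechanically. The sketch below is an added example, not part of the original email or post: it flags `<a>` tags whose `title` tooltip looks like a URL on a different host than the `href`. The function names, the sample HTML and the `attacker.example` host are all constructed for illustration, and hosts are compared exactly, which is a simplification.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def url_host(value):
    """Hostname of a URL or bare domain (leading 'www.' dropped), else None."""
    value = (value or "").strip()
    if not value or " " in value:
        return None                      # ordinary tooltip text, not a URL
    if "://" not in value:
        value = "http://" + value        # treat "www.youtube.com/..." as a URL
    try:
        host = (urlsplit(value).hostname or "").lower()
    except ValueError:
        return None
    if "." not in host:
        return None
    return host[4:] if host.startswith("www.") else host

class TitleMismatchFinder(HTMLParser):
    """Collects <a> tags whose title shows a different host than href."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attr = dict(attrs)
        href_host = url_host(attr.get("href"))
        title_host = url_host(attr.get("title"))
        if href_host and title_host and href_host != title_host:
            self.findings.append({"href_host": href_host, "title_host": title_host})

def find_title_mismatches(html):
    finder = TitleMismatchFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample body; all hosts and paths are made up for illustration.
SAMPLE_HTML = """
<a href="http://login.attacker.example/watch" title="http://www.youtube.com/watch?v=abc123">Watch</a>
<a href="http://www.youtube.com/help" title="YouTube Help">Help</a>
<a href="http://www.youtube.com/account" title="youtube.com/account">Account</a>
"""

if __name__ == "__main__":
    for hit in find_title_mismatches(SAMPLE_HTML):
        print("tooltip shows %(title_host)s but link goes to %(href_host)s" % hit)
```

Only the first sample link is reported: the second has a plain-text tooltip and the third has a tooltip host that matches its `href`.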